• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Magento Credit Card Stealer Reinfector

Magento Credit Card Stealer Reinfector

June 19, 2018Cesar AnjosEspanolPortugues

FacebookTwitterSubscribe

In the past few months, we have frequently seen how attackers are infecting Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials. That is why we have reported on a credit card stealer reinfector of Magento websites in one of our recent Labs Notes.

In this post, we describe one of the methods hackers use to ensure that their malicious code is added back to a website after it has been removed.

Here’s a code we found on /includes/config.php.

This code is a prime candidate for infections once it is included right on the main index.php, loading at every page.

A default config.php file should not be changed by the site owner directly. All the code is added by Magento itself. That is why seeing this code on the file already triggers a warning.

On the first block, we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content into specific files related to the payment process or user control:

/app/code/core/Mage/Payment/Model/Method/Cc.php
/app/code/core/Mage/Payment/Model/Method/Abstract.php
/app/code/core/Mage/Customer/controllers/AccountController.php
/app/code/core/Mage/Customer/controllers/AddressController.php
/app/code/core/Mage/Admin/Model/Session.php
/app/code/core/Mage/Admin/Model/Config.php
/app/code/core/Mage/Checkout/Model/Type/Onepage.php
/app/code/core/Mage/Checkout/Model/Type/Abstract.php

The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it, but it makes it less obvious for the untrained eye, such as:

$link_a = $link.'YTGgAnrv';

Converts to:

$link_a = 'hxxp://pastebin[.]com/raw/YTGgAnrv';

Malicious Code Stored on Pastebin

It’s not the first time that there’s malicious code being stored on pastebin which is then directly used by attackers to keep their infections more “low-profile” in order to make their detection harder.

Looking at all the content stored on pastebin[.]com, we found very common variations of malware that intend to steal passwords and credit card information then send them off to external domains for processing or sale such as:

hxxp://magento.ontools[.]net/update
hxxp://www.bgsvetlina[.[com/post.php

The code is pretty similar to other ones we have previously reviewed:

  • Magento Login and Credentials Stealer
  • New version of Magento Credit Card stealer in the wild
  • Magento CC stealer adding user’s credentials to the loot

The mechanism the attackers add “error_reporting(0);”is very interesting. It avoids any error leading to the discovery of the infection.

Another fact that called our attention, is the size of each of the files is verified to check if it is necessary to reinfect them again.

Compromised Magento Websites

As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly. We advise you to do it first thing.

Many times, removing just the infection that you have a main concern about is not enough. You should always assume someone is out there ready to catch you off guard.

Think as if the attacker is still inside your website.

It is imperative that you look for other kinds of malware and backdoors in your website. Backdoors allow the attacker to: execute any type of code, add files, remove files, and do other malicious activities in your website.

Conclusion

For Magento infections like this one, you can use our step-by-step guide on how to identify a hack and clean a compromised Magento site.

I have also hosted a webinar explaining how to clean a hacked Magento website.

If you are not comfortable enough to follow the steps and clean up your own website yourself, we will gladly get your website back to tiptop shape in no time.

Update: We have just released a Magento security guide. Check it out!

FacebookTwitterSubscribe

Categories: Ecommerce Security, Magento Security, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Hacked Websites, Malware Cleanup, Malware Updates, Website Backdoor

About Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.