Localization and Customization of Credit Card Stealing Malware

Credit card stealing malware is becoming more and more customized. We’ve been regularly seeing injected scripts with URLs that either mimic or include a portion of the victim’s site domain. Sometimes the injected code also references the victim’s site.

Recently, we’ve come across another level of customization.

Fake Payment Form in Bulgarian

A compromised Magento site had the following script injected into its core_config_data table.

hxxps://elegrina[.]com/assets/<domain>.js,  where <domain> was the second-level domain of the infected site.

This obfuscated script replaces the real payment form with a fake one and sends entered data to “hxxps://elegrina[.]com/tr/”. The interesting part is that the fake form has hard-coded labels in Bulgarian. E.g. “Име на карта”, “Номер на кредитната карта”, “Срок на годност”, etc. Indeed, it was a Bulgarian site where we found this malware.

Fake Payment Form in Italian

We then tried to find other sites with the same malware from elegrina[.]com. Initially, we only found one more infected site—probably because the attack was quite new. The elegrina[.]com domain was registered on Nov 18, 2018 (hosted on server 82. 146 .51 .84 in Russia).

The other site that we identified with this malware was Italian (on a .com domain, though). The injected script had the same hxxps://elegrina[.]com/assets/<domain>.js URL pattern, where <domain> matched the SLD of the infected Italian site. The script itself used the same obfuscation as the compromised Bulgarian site. However, its contents were different. Besides using different variable names, the most notable was the fake payment form with Italian captions: “Nome sulla carta”, “Numero di carta di credito”, “Data di scadenza”, etc.

When replacing a payment form, one obviously wants it to match the language of the site. Otherwise, customers will not be comfortable entering their information there—conversion rates will be negatively impacted and the site owners will probably receive complaints about it. So, while localization of the malware adds additional complexity to the attack, it is definitely worth it from an attacker’s perspective.

Form Grabber from kinfirighbetted[.]host

On the same infected site, we found one more suspicious injected script (this time in the cms_block table):  hxxps://kinfirighbetted[.]host/d/<domain>.js, where <domain> was the full domain of the compromised site. The script was slightly obfuscated (with variable names like A1_4d3d78ccf29acb7e70c7153b4d15bb93) but at first sight, there is nothing outright malicious except that it sent information about the loaded page address to “hxxps://185 .92 .74 .122/”, which is the IP address of the kinfirighbetted[.]host site.

However, the sending of the data was organized via a <script> tag, which is suspicious and potentially dangerous. So we analyzed the code loaded by that script as a response and it became clear that it was a data stealer. This script hijacks the onclick handlers of all form buttons and similar form items to send any data from online forms to the same “hxxps://185 .92 .74 .122/” site—this time via a POST Ajax request. This approach allows attackers to steal both payment details and site credentials.

Customized Versions of kinfirighbetted[.]host Injections

A quick search on PublicWWW reveals 77 infected websites, some of which are pretty popular. In all cases, the script URL pattern is the same. The script code uses the same approach, although the obfuscation varies a little bit from site to site, which is another sign of efforts the hackers took to customize injections for each domain. The hard-coded URL, although pointing to the same site, has variations from “hxxps://185 .92 .74 .122/” to “hxxps://www.kinfirighbetted[.]host/” and “hxxps://kinfirighbetted[.]host:443/”

Related Domains

The kinfirighbetted[.]host domain was registered on Oct 25, 2018. Its server (185.92.74.122 in England) is also associated with the following suspicious domains:

• special-tech1[.]info registered on Nov 19, 2008
• special-tech2[.]info registered on Nov 19, 2008
• greatwebstat[.]com registered on Jun 14, 2018
• sales4reason[.]com registered on Jul 24, 2018
• l33a3730.justinstalledpanel.com

While most of these domain names no longer resolve or are not yet being used in any attacks, they are clearly associated with the same malware. Google has even cached similar data-stealing scripts from sales4reason[.]com and greatwebstat[.]com when they were still online.

Conclusion

At this point, it’s not clear whether the two malware campaigns (localized payment forms and the generic form grabber) are connected—most likely not. But what both of them demonstrate is that when the goal is to steal site visitors data, hackers are ready to go the extra mile to customize their scripts for each individual target. Everything that helps them stay below radar is worth the extra effort.

We expect further development of this trend, so owners of e-commerce sites and online shoppers should exercise extreme caution.

Online stores make attractive targets to bad actors due to the sensitive payment information and personal data required to complete a transaction. The best way to protect your e-commerce site and valuable customers is to adhere to security best practices and deploy a defensive strategy.

If you are Magento user and are noticing lost sales, abnormal checkout page behavior, have received customer complaints about strange credit card activity, or experienced file modifications and Magento core integrity issues, you can refer to our hacked Magento guide for detailed instructions on how to clean up a site infection. We’re always happy to help clean up and restore your site if you need a hand.

Update: We have just released a Magento security guide. Check it out!