Last year we saw a fairly massive Magento malware campaign that injected credit card stealing code similar to this:
The campaign used a variety of different domain names and targeted all sorts of payment processing systems, which is well described in the Group IB’s report.
Obfuscation Method Leverages Google Analytics
Eventually the obfuscation used by this campaign has evolved into a more elaborate one which pretends to be Google Analytics code.
Indeed it is very similar to Google’s real code, which looks like this:
There is almost no difference between the skimmer and legitimate analytics sample—except for some extra base64-encoded values along with short instructions to decode (atob), which use these values instead of Google’s original ones.
Variations of the Malware
In the case above, the encoded values are bGlnaHRnZXRqcy5jb20vbGlnaHQuanM= (lightgetjs[.]com/light.js) and Y2hlY2tvdXQ= (checkout). For pages with the keyword “checkout” in their URLs, the code loads a credit card skimmer from lightgetjs[.]com/light.js.
As seen in the previous series of attacks, this was not the only domain used in the new wave of this campaign. We’ve found many different variations of this script with the following combinations of the encoded values (not a complete list):
aHR0cHM6Ly9hamF4c3RhdGljLmNvbS9hcGkuanM/dj0yLjMuNg==, b25lcGFnZQ== hxxps://ajaxstatic[.]com/api.js?v=2.3.6, onepage anNnbG9iYWwudG9wL2FwaS5qcw==, b25lcGFnZQ== jsglobal[.]top/api.js, onepage c2VjdGlvbi53cy9pby5qcw==, Y2hlY2tvdXQ= section[.]ws/io.js, checkout cmFja2FwaWpzLmNvbS9hcGkuanM=, Y2hlY2tvdXQ= rackapijs[.]com/api.js, checkout
All of these URLs point to the same server that also hosts a few more domains used in this campaign:
- mediapack[.]info Creation Date: 2017-05-04
- lightgetjs[.]com Creation Date: 2019-04-23
- section[.]ws Creation Date: 2019-05-20
- sectionio[.]com Creation Date: 2019-05-20
- rackapijs[.]com Creation Date: 2019-03-23
- authorizeplus[.]com Creation Date: 2019-02-17
- priceapigate[.]com Creation Date: 2019-04-23
- ajaxstatic[.]com Creation Date: 2019-01-11
- topapigate[.]com Creation Date: 2019-05-13
These domains have been migrating from one server to another. This past July, we saw them resolve to IPs that belong to the Chinese Alibaba.com corporation.
- 126.96.36.199 – China Hangzhou Alibaba.com Singapore E-commerce Private Limited
- 188.8.131.52 – China Hangzhou Alibaba.com Llc
Another Server, Same Malware
MalwareBytes researcher Jérôme Segura has recently found similar code on Everlast’s website:
An archived copy of the compromised page can be found here: https://t.co/Za0rTCcjKM
— Jérôme Segura (@jeromesegura) August 6, 2019
The script uses the following encoded values:
bWFnZWVudG8uY29tL3YzL2FwaS9sb2dzLmpz (mageento[.]com/v3/api/logs.js), b25lc3RlcGNoZWNrb3V0Cg== (onestepcheckout)
The mageento[.]com domain was created on February 22, 2019 and is currently hosted on a server with the IP 184.108.40.206 (Hong Kong), along with a few other well-known skimmer domains such as g-statistic[.]com, googleadservicesonline[.]com, onlineclouds[.]info, onlineclouds[.]cloud.
Due to the sensitive nature of data handled by ecommerce websites, attackers continue to target online stores to obtain credit card information.
The evolution and growth that we’ve seen over the past year for this massive campaign is indicative of the profitability of credit card skimmers. Attackers are going to greater lengths to conceal their malware on compromised websites.
We encourage Magento users to keep their software up to date, implement strong access control measures, and apply all of the latest security patches. We’ve outlined steps on how to harden your site in our Magento security guide.
If you believe your Magento website has been compromised and you need a hand cleaning up the infection, we’d be happy to help.