Magento Skimmers: From Atob to Alibaba

Magento 2 PHP Skimmer Saves To Image File

Last year we saw a fairly massive Magento malware campaign that injected credit card stealing code similar to this:

Old injected malware code
Old injected code

It uses the JavaScript atob function to decode base64-encoded domain names and URL patterns. In the sample above, it’s hxxps://livegetpay[.]com/pay.js?v=2.2.9 and “onepage”, respectively.

The campaign used a variety of different domain names and targeted all sorts of payment processing systems, which is well described in the Group IB’s report.

Obfuscation Method Leverages Google Analytics

Eventually the obfuscation used by this campaign has evolved into a more elaborate one which pretends to be Google Analytics code.

Skimmer disguised as Google Analytics
Skimmer disguised as Google Analytics

Indeed it is very similar to Google’s real code, which looks like this:

Real Google Analytics code
Real Google Analytics code

There is almost no difference between the skimmer and legitimate analytics sample—except for some extra base64-encoded values along with short instructions to decode (atob), which use these values instead of Google’s original ones.

Variations of the Malware

In the case above, the encoded values are bGlnaHRnZXRqcy5jb20vbGlnaHQuanM= (lightgetjs[.]com/light.js) and Y2hlY2tvdXQ= (checkout). For pages with the keyword “checkout” in their URLs, the code loads a credit card skimmer from lightgetjs[.]com/light.js.

As seen in the previous series of attacks, this was not the only domain used in the new wave of this campaign. We’ve found many different variations of this script with the following combinations of the encoded values (not a complete list):

aHR0cHM6Ly9hamF4c3RhdGljLmNvbS9hcGkuanM/dj0yLjMuNg==, b25lcGFnZQ==
hxxps://ajaxstatic[.]com/api.js?v=2.3.6, onepage

anNnbG9iYWwudG9wL2FwaS5qcw==, b25lcGFnZQ==
jsglobal[.]top/api.js, onepage

c2VjdGlvbi53cy9pby5qcw==, Y2hlY2tvdXQ=
section[.]ws/io.js, checkout

cmFja2FwaWpzLmNvbS9hcGkuanM=, Y2hlY2tvdXQ=
rackapijs[.]com/api.js, checkout

Infrastructure

All of these URLs point to the same server that also hosts a few more domains used in this campaign:

  • mediapack[.]info Creation Date: 2017-05-04
  • lightgetjs[.]com Creation Date: 2019-04-23
  • section[.]ws Creation Date: 2019-05-20
  • sectionio[.]com Creation Date: 2019-05-20
  • rackapijs[.]com Creation Date: 2019-03-23
  • authorizeplus[.]com Creation Date: 2019-02-17
  • priceapigate[.]com Creation Date: 2019-04-23
  • ajaxstatic[.]com Creation Date: 2019-01-11
  • topapigate[.]com Creation Date: 2019-05-13
  • jsglobal[.]top

These domains have been migrating from one server to another. This past July, we saw them resolve to IPs that belong to the Chinese Alibaba.com corporation.

  • 8.208.15.67  – China Hangzhou Alibaba.com Singapore E-commerce Private Limited
  • 47.254.202.112 – China Hangzhou Alibaba.com Llc

Another Server, Same Malware

MalwareBytes researcher Jérôme Segura has recently found similar code on Everlast’s website:

The script uses the following encoded values:
bWFnZWVudG8uY29tL3YzL2FwaS9sb2dzLmpz (mageento[.]com/v3/api/logs.js), b25lc3RlcGNoZWNrb3V0Cg== (onestepcheckout)

The mageento[.]com domain was created on February 22, 2019 and is currently hosted on a server with the IP 45.114.8.166 (Hong Kong), along with a few other well-known skimmer domains such as g-statistic[.]com, googleadservicesonline[.]com, onlineclouds[.]info, onlineclouds[.]cloud.

Summary

Due to the sensitive nature of data handled by ecommerce websites, attackers continue to target online stores to obtain credit card information.

The evolution and growth that we’ve seen over the past year for this massive campaign is indicative of the profitability of credit card skimmers. Attackers are going to greater lengths to conceal their malware on compromised websites.

We encourage Magento users to keep their software up to date, implement strong access control measures, and apply all of the latest security patches. We’ve outlined steps on how to harden your site in our Magento security guide.

If you believe your Magento website has been compromised and you need a hand cleaning up the infection, we’d be happy to help.

You May Also Like