• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Another Credit Card Stealer That Pretends to Be Sucuri

November 11, 2020Denis Sinegubko

263
SHARES
FacebookTwitterSubscribe

During a routine investigation, we found yet another web skimmer that pretends to be related to Sucuri.

One of our Remediation Analysts, Liam Smith, found the following code injected into the database of a Magento site.

Code Injection on Magento website

The first 109 lines of the malware don’t contain any content, which could be an attempt to avoid detection and conceal itself from detection, but line #110 contains a  base64-encoded Javascript ( eval(atob(… ).

Once decoded, we see a typical web skimmer that is added to the onclick event of the checkout button (btn-checkout) and onunload event of the web page.

Data exfiltration on compromised Magento website

The payment data exfiltration takes place via an <img> tag whose src parameter is changed to hxxps://terminal4.veeblehosting[.]com/~sucurrin/i/gate.php, with relevant GET parameters such as card number, CVV, and expiration date stored in plain text.

terminal4.veeblehosting[.]com is neither a malicious site nor a hacked site. It’s a host name of some shared servers (108.170.55.202, 108.170.55.203) belonging to the Dutch hosting provider Veeble.

It’s typical for hosts to provide temporary addresses for sites until they point a real domain name to their new server. On Veeble’s terminal4 server, these types of temporary addresses come in a form of hxxps://terminal4.veeblehosting[.]com/~<clientid>/, where clientid is username for a hosting account.

In this malware, we see that the skimmer works on a site that belongs to the sucurrin Veeble account. This account name closely resembles the name of Sucuri. To make it even more plausible, terminal4.veeblehosting[.]com/~sucurrin/ redirected to our site https://sucuri.net/ (this Veeble account is now disabled). However, if we add any path to the host name, the redirection will not happen, revealing that the site is not related to Sucuri at all.

To filter out bad actors masquerading as known brand and mitigate the risk of malicious credit card skimmers, consider employing integrity control and security monitoring on your website to mitigate an attack. A good website firewall can help to minimize the risk of infection in the first place.

263
SHARES
FacebookTwitterSubscribe

Categories: Ecommerce Security, Magento Security, Sucuri Labs, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Credit Card Stealers, Hacked Websites, Labs Note, Malware

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him not online at all. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Magento Webinar

PCI Compliance Guide

Magento Security Guide

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.