Stylish Magento Card Stealer loads Without Script Tags

  • July 28, 2021
Stylish Magento Card Stealer loads Without Script Tags

Recently one of our analysts, Weston H., found a very interesting credit card stealer in a Magento environment which loads a malicious JavaScript without using any script tags. In this post I will go over how it was found, how to decode it and how it works!

One of our clients was reporting that one of their website visitors was receiving a warning from their antivirus program when navigating to their checkout page:

AVG Screenshot

Calls were being made to a known malicious domain that was already blacklisted by multiple vendors for distributing malware and involvement in carding attacks:

Blocklisted site -warning

This certainly indicated that a card stealer was present somewhere on our client’s website.

Credit Card Stealer in a Magento Website

In a previous post I outlined the different types of card stealers that can infect ecommerce websites. PHP, being a server side programming language, cannot be seen directly by antivirus programs so this infection must be JavaScript and visible to the browser.

Our first step in locating such an infection is to query the database for the following string:

<script

Here’s an example of why we look for such strings in the database:

JavaScript on widgets

To load JavaScript in the visitor’s browser the attackers usually need to start and end their injection with these tags, and often inject them into the “miscellaneous scripts” or “widgets” section of the admin panel.

While there were plenty of <script tags in our client’s database none of them seemed malicious.

Next was to check the checkout page. Once we loaded an item into the cart and navigated to the checkout we could see the JavaScript loading from that blocklisted domain but it was nowhere to be seen in the source code. Even searching for a common carding function such as atob( that attackers use to base64 encode their payloads returned nothing. So now what?

Upon a manual review of the source of the checkout page my colleague noticed this JavaScript:

JavaScript 1

At first glance it looks like some sort of obfuscated JavaScript related to animation, which isn’t all that uncommon to see and often looks malicious when it’s really quite benign.  However, upon closer inspection we uncovered that this was actually the payload of the infection.

De-Obfuscating Malicious JavaScript

Let’s take apart this code and see what lies behind the obfuscation shall we? First of all, let’s clean up this code so that it’s not all in one big chunk so we can better understand what we are looking at:

The malware can be broken down into three main parts:

  • Obfuscated payload
  • Decryption function
  • Execution and decryption call

In most injections that we see like this we can simply remove the ‘,’ concatenation and run it through a base64 decoder but this injection was more complicated and actually required us to manually log the individual functions.

Once we break down each individual function we can utilise the console.log feature of the browser development console in a sandbox environment like so to de-obfuscate the injection:

Deobfuscating Injections

The “checkout” function is a dead giveaway here and we can see that it is appending JavaScript from the known carding domain pictured above:

Deobfuscating an injection

Security researchers have uncovered roughly 60 carding domains related to these attackers, including some of the following:

blockanalist[.]space 
analiticsblock[.]space
analiticsblock[.]site
analistnetwork[.]space
analistnetwork[.]site
siteanalitics[.]space
siteanalitic[.]space
site-analitics[.]site
site-analitic[.]space
site-analitic[.]site

They are likely registering more as you read this article.

Conclusion

Attackers are always thinking up new ways to hide and obfuscate their malware. This example showed a creative use of animation CSS styles and the onanimationstart event handler. It allowed the attackers to avoid the use of simple <script tags, which is the first thing that us security analysts check when searching for a javascript injection in Magento environments. This isn’t the first time we have seen such a sneaky credit card swiper and it certainly won’t be the last.

If you are an ecommerce website owner I would highly recommend following the steps I laid out in a recent post with respect to securing your website environment, specially the administration panel which is where a lot of these attacks originate. We can also help protect your ecommerce website from attacks and hacks.

Ben Martin is a security analyst and researcher who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than a decade of working with infected websites of every variety with a special focus on eCommerce / credit card theft malware. When Ben isn't slaying malware you might find him producing music, gardening, or skateboarding around Victoria.

Related Tags
Related Categories
You May Also Like