During a recent investigation, a new client came to us reporting that their antivirus had detected a suspicious domain loading on their website’s checkout page. We regularly receive reports like these, as this is a telltale indicator of a credit card skimmer infection.
Our research and remediation teams frequently find credit card skimmers on Magento websites, and more recently on WordPress — however, in this case the customer was using a lesser known eCommerce solution known as X-Cart. W3techs.com estimates X-Cart to have a CMS market share of less than 0.1%, whereas they rank WordPress and Adobe-based platforms such as Magento with a 64% and 1.6% market share respectively.
In the spirit of security education, we’ll outline the process used to manually investigate and detect a credit card skimmer on a compromised X-Cart environment, along with some steps you can take to mitigate risk for your own sites.
Manual Detection of the X-Cart Credit Card Stealer
Nearly every modern web browser offers a developer tools functionality, which can be used to gain additional insight into exactly what’s happening when you’re visiting a website. The Network feature handily logs every single request your browser makes when visiting a given page — and by using this, we can see what’s going on “in the background”.
Our client had already identified the malicious domain as hxxps://metahtmlhead[.]com, which helped give us a starting point for our investigation. The next step was to identify any malicious requests in our developer tools.
Once we’d identified the malicious request in our developer tools, we were able to check the request initiator in the same window to determine exactly which line of code the request originated from.
For example, an eval() statement loading from line 5 of a website’s index file would appear like this:
By following the chain on the suspicious requests loading on the customer’s cart.php file, we identified the infection loading from an eval() statement buried roughly 3,000 lines into the website’s HTML source code:
With the originating code in hand, this allows us to search the website files and database to determine exactly where it’s placed on the server. A search for the string eval(decodeURIComponent(‘(function yielded results: this infection had been appended to a core X-Cart file with the path ./skin/common_files/check_cc_number_script.tpl.
The template file check_cc_number_script.tpl was originally intended to validate the inputted credit card details — to ensure, for example, the CVV field wasn’t left empty before the checkout was submitted. The attacker’s injection of malicious code into this file is all that’s needed to cause the website to send any credit card details inputted into the checkout page to a malicious server.
Automated Detection & Mitigation Steps
There’s no doubt that manually detecting and removing a credit card skimmer can be a lot of work, and it’s not feasible for a business owner to dedicate hours per day manually keeping tabs on everything that’s loading on their website.
If you’re looking for an automated solution, Sucuri’s website security monitoring scans your environment on a routine basis and looks for credit card skimming infections just like these. Whenever issues are discovered, you’ll be notified immediately via our customizable alert system so that investigation and remediation can begin.
For site owners who need a hand with cleanup, our website malware removal services can assist you with detecting and removing any credit card skimmers, backdoors, or other malware infections found in your site’s environment.