• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

It Takes 2 Seconds of Silence to Skim a Credit Card

June 7, 2022Matt Morrow

72
SHARES
FacebookTwitterSubscribe

E-commerce websites are valuable targets for attackers. Bad actors often leverage creative techniques to conceal their credit card stealers and gather sensitive credit card information from online storefronts.

A recent investigation for a compromised Magento website revealed a rather interesting injection. The website owner had found an entirely new section on their checkout page which was collecting credit card information — but the administrator confirmed that they didn’t normally accept payments directly from their website and weren’t sure where it had come from.

Analyzing the Compromised Magento Site

A quick analysis of the website revealed the new section that the site owner was concerned about.

New credit card field unexpected by site owner

This new credit card form had been injected within the Payment Information section, directly above the two radial dials for options to purchase via PayStack or Cash on Delivery.

Credit card form injected above paystack purchase optionUpon inspection, we also noticed a strange resource loading in the network traffic.

Strange resource loading in network traffic

Attempting to load this link directly should display raw JavaScript code, but in this case we found a different output — indicating there was a script performing some additional functionality.

Benign response when the script is accessed directly
Benign response when the script is accessed directly

Credit Card Stealer Concealed in Audio File

We found the culprit in one of the core Magento tables.

core magento table adds audio controls

At first glance, this snippet appears to add audio controls to the site — and part of the code actually does just that — but the audio file, loaded from the following GitHub repository, contains only 2 seconds of silence: https://raw.githubusercontent.com/anars/blank-audio/master/2-seconds-of-silence.mp3

In reality, a malicious payload is concealed within this <audio> tag, using the onloadstart event handler to load the JavaScript from hxxps://jqbs-cdn[.]xyz/cdn/jquery-update[.]min[.]js?v=3.0.12.

Malicious JavaScript creates fake payment form, collects payment data, and encrypts it

The malicious JavaScript is responsible for creating a fake payment form, collecting the payment data from it, and encrypting it with base64 in an attempt to circumnavigate any network monitoring that might see credit card details being passed along.

Once the credit card details are harvested, the JavaScript then exfiltrates it to the attacker’s final destination: hxxps://jqbs-min[.]xyz/cdn/verify

This hxxps://jqbs-cdn[.]xyz domain was created February 22nd, 2022 and at this point is relatively new.

Our guess is the attacker chose a silent clip because they didn’t want to give themselves away with any real audio that might bring attention to the attack. Additionally, the attacker hid audio controls — play, stop, etc — that might otherwise be visible.

After the <audio> snippet was removed, the checkout process on the compromised Magento site no longer contained the malicious credit card form.

Conclusion & Mitigation Steps

To mitigate risk of infection, always keep your website components and core CMS files updated with the latest security patches. Magento website owners can use the free scan utility at https://www.magereport.com/ to see a list of critical patches that are missing from their site.

We also encourage website owners to regularly review all admin accounts and employ unique and complex passwords for every account. Ensure that all admin accounts are only assigned to their needed roles and follow the principle of least privilege.

It’s also important to note that new patches are no longer being issued for Magento 1. We strongly encourage Magento 1 users to review our blog post for additional steps you can take to secure and harden your Magento website.

If you suspect that your site has been infected with a credit card skimmer or other malware, we’re always happy to lend a hand and help you clean up the infection.

72
SHARES
FacebookTwitterSubscribe

Categories: Ecommerce Security, Magento Security, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Credit Card Stealers, Hacked Websites, MageCart, Malware

About Matt Morrow

Matt is a Cyber Security analyst who joined Sucuri in 2018. Matt has a long history of working with Linux and Windows servers in a wide context. At Sucuri, Matt's main responsibilities include identifying and removing malware from websites as well as researching emerging malware trends. When Matt isn't focusing his attention there, you will usually find him working on a new piece of music or out in his garden.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Magento Webinar

PCI Compliance Guide

Magento Security Guide

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.