We previously discussed a credit card skimmer that infiltrates Magento sites through their social media icons. It inserts a request for credit card information and sends the response to the attacker's site. Recently we found another variant of the same trick, this time using the Google Analytics Pro plugin.
The plugin is itself legitimate. It works with the Google Analytics module to collect enhanced e-commerce data from a site's store and provide the information to the analytics service. However, a vulnerability lets criminals alter the plugin's main tracking ID. When the plugin loads, so does the credit card stealer code.
The malware fits tightly into the plugin code, making it difficult to detect. It creates a document element from a foreign URL. This would be suspicious under many circumstances, but as part of the code which loads the plugin, it looks plausible.
[Figure: malicious injection that loads the skimmer malware]
Credit card theft
Skimmers are a form of malware that collects credit card numbers, Social Security numbers, or other personally identifiable information. Like a physical skimmer on an ATM or card reader, they don't interfere with the legitimate collection of information, so users won't realize anything has gone wrong.
Once it's injected, the skimmer can run indefinitely. Users enter their credit card information, and it appears to go through correctly. Eventually, someone will notice the subtle indications, and the site will suffer serious damage to its reputation. It may be blacklisted for hosting malware. Getting removed from blacklists can be a time-consuming process even after the cause is eliminated.
Skimmers, sometimes known as sweepers or sniffers, cost businesses large amounts of money. Big-name sites such as Ticketmaster and British Airways have fallen victim. Smaller businesses are frequent targets as well, since criminals know they won't always be as well-protected as the big ones.
Removing the infection
Go to: System > Google Analytics Pro > Google Analytics
The dashboard will show the values of several fields and options, including "Main Tracking ID." The value in this field should look like "UA-XXXXXX-X" if the plugin isn't infected.
If the skimmer has compromised the plugin, the main tracking ID will look roughly like this:
'UA-XXXXXX-X', 'auto');var api_key = atob("base64-encoded-URL")...
The X's will be digits, and "base64-encoded-URL" will actually be a series of meaningless characters. The fix is to edit this field, removing everything except the UA-XXXXXX-X value. There should be no punctuation in the field except for the hyphens inside the ID.
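The manual check above (a clean field matches UA-XXXXXX-X and contains no other punctuation; an infected one breaks out of the string with quotes and a semicolon and carries an atob() call) can be automated. The following Python script is an added example, not code from the original post or from Quttera; it audits a tracking-ID value pulled from the Magento configuration, recovers the legitimate ID that should be written back, and decodes the base64 argument of any atob() call so the exfiltration destination can be blocklisted and reported. The sample field values, the UA number and the exfiltration URL are constructed placeholders, not indicators from a real infection.

```python
import base64
import re

# Constructed sample values for the "Main Tracking ID" field (placeholders,
# not taken from a real infected site). The base64 string encodes a
# placeholder URL standing in for the attacker's collection endpoint.
CLEAN_FIELD = "UA-123456-1"
PLACEHOLDER_URL = "https://exfil.example/collect"
INFECTED_FIELD = (
    "UA-123456-1', 'auto');var api_key = atob(\""
    + base64.b64encode(PLACEHOLDER_URL.encode()).decode()
    + "\");"
)

# A legitimate Universal Analytics property ID: "UA-", digits, "-", digits.
TRACKING_ID_RE = re.compile(r"^UA-\d+-\d+$")

# Fragments that never belong in a tracking-ID field. Quotes, semicolons and
# parentheses mean the value is escaping the string literal the plugin embeds
# it in; atob() is the base64 decode the injection uses to hide its URL.
SUSPICIOUS_TOKENS = ("'", '"', ";", "(", ")", "atob", "var ", "function")


def is_clean(field):
    """True when the field is exactly one well-formed UA tracking ID."""
    return TRACKING_ID_RE.fullmatch(field.strip()) is not None


def recover_tracking_id(field):
    """Return the legitimate UA-... prefix buried in an injected value, or None."""
    m = re.match(r"\s*(UA-\d+-\d+)", field)
    return m.group(1) if m else None


def decode_exfil_urls(field):
    """Decode every atob("...") argument so the destination can be blocklisted."""
    urls = []
    for b64 in re.findall(r'atob\(["\']([A-Za-z0-9+/=]+)["\']\)', field):
        try:
            # binascii.Error (raised on bad alphabet/padding) is a ValueError.
            urls.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:
            urls.append("<undecodable: %s...>" % b64[:16])
    return urls


def audit_tracking_id(field):
    """Classify one configuration value and collect what a responder needs."""
    if is_clean(field):
        return {"status": "clean", "tracking_id": field.strip(),
                "indicators": [], "exfil_urls": []}
    return {
        "status": "infected",
        # Value to write back into the field after removing the injection.
        "tracking_id": recover_tracking_id(field),
        "indicators": [t for t in SUSPICIOUS_TOKENS if t in field],
        "exfil_urls": decode_exfil_urls(field),
    }


if __name__ == "__main__":
    for label, field in (("clean", CLEAN_FIELD), ("infected", INFECTED_FIELD)):
        print(label, audit_tracking_id(field))
```

Run it against the real field value exported from System > Google Analytics Pro > Google Analytics; a "clean" result means nothing to change, while an "infected" result gives the ID to restore and the decoded URL to add to outbound-traffic monitoring and blocklists.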
If the underlying vulnerability isn't removed, the problem is likely to recur. Administrators need to check periodically to see if it does. If it comes back, it may be necessary to disable the plugin while working on a more permanent improvement to website security.
Protecting against skimmers and other malware
The skimmer discussed here is just one example of the many threats that regularly face websites. Every piece of software can have weaknesses, and criminals are ready to exploit them to steal information or spread malware. Software that doesn't get regular security updates is especially vulnerable.
Magento is one of the most popular platforms for e-commerce, so it's a favorite target for online criminals. Penetrating a Magento site offers a higher chance of financial gain than penetrating a random WordPress site. Owners of any site that requests or holds personally identifiable information (PII) need to be vigilant. Skimmers can grab credit card information even if the site delegates all the processing to a third-party payment service provider.
Responsible publishers fix vulnerabilities in their code when they learn about them, but there is always a window of danger between the time a weakness is discovered and the time when site owners can install a patch. Sometimes criminals discover the vulnerabilities first, giving them zero-day exploits for which no patch yet exists.
A comprehensive security solution, detecting not just known threats but suspicious patterns of behavior, is necessary if a site is going to stay ahead of its attackers. It needs to include access control, patching, monitoring, and malware removal. Since skimmers send data to a rogue server, monitoring reveals their presence even if the specific malware is unknown.
Quttera website protection services thwart many threats
Quttera's ThreatSign provides website monitoring and threat detection for all website hosting and content management systems. It scans the client site for threats, including skimmers, malvertising, zero-day threats, and more. It uses multi-layered analysis to detect suspicious activity and issue a report pinpointing any problems discovered.
Blacklisting due to malware can seriously damage a site's traffic and visibility in search engines. ThreatSign reports blacklisting of a site so that the administrator can quickly take the steps needed to remove the cause and regain good standing.
Plans are available to suit every business's needs. ThreatSign protection pays for itself in better uptime, reduced need for emergency responses, and increased user confidence.