14 Aug, 2019

Magento Skimmer in Google Analytics Plugin

We previously discussed a credit card skimmer that infiltrates Magento sites through their social media icons. It inserts a request for credit card information and sends the response to the attacker's site. Recently we found another variant on the same trick, using the Google Analytics Pro plugin.
Vulnerability Details
The plugin is itself legitimate. It works with the Google Analytics module to collect enhanced e-commerce data from a site's store and provide the information to the analytics service. However, a vulnerability lets criminals alter the plugin's main tracking ID. When the plugin loads, so does the credit card stealer code.

The tracking ID is supposed to be a simple identifier of the form UA-XXXXXX-X, where XXXXXX-X is an ID number unique to the customer. The SQL injection appends JavaScript code to the identifier. The extra code loads the skimmer malware into the browser.

The malware fits tightly into the plugin code, making it difficult to detect. It creates a document element from a foreign URL. This would be suspicious under many circumstances, but as part of the code which loads the plugin, it's plausible.
[Screenshot not reproduced] Malicious injection that loads the skimmer malware.
The malicious URL is encoded in base64. The injected code inserts the URL's content into the head of the site's DOM. The skimmer itself is highly obfuscated JavaScript. Both the loader and the skimmer are present only at runtime, so it's hard for malware detection software to spot it and identify its purpose.

Injection attacks often take advantage of a lack of input validation. A specially crafted query can alter the stored tracking ID, so that the JavaScript the plugin emits carries the malicious loader without any file on disk being changed.
Credit card theft
Skimmers are a form of malware that collects credit card numbers, Social Security numbers, or other personally identifiable information. Like a physical skimmer on an ATM or card reader, they don't interfere with the legitimate collection of information, so users won't realize anything has gone wrong.

Once it's injected, the skimmer can run indefinitely. Users enter their credit card information, and it appears to go through correctly. Eventually, someone will notice the subtle indications, and the site will suffer serious damage to its reputation. It may be blacklisted for hosting malware. Getting removed from blacklists can be a time-consuming process even after the cause is eliminated.

Skimmers, sometimes known as sweepers or sniffers, cost businesses large amounts of money. Big-name sites such as Ticketmaster and British Airways have fallen victim. Smaller businesses are frequent targets as well, since criminals know they won't always be as well-protected as the big ones.
Removing the infection
The plugin's configuration page in the Magento admin dashboard is the best way to identify and remove the malicious code. As already noted, the harmful code is found only in the tracking ID, not in any JavaScript or PHP file. The administrator can use the Magento dashboard to examine the Google Analytics Pro plugin.

Go to: System > Google Analytics Pro > Google Analytics

The dashboard will show the values of several fields and options, including "Main Tracking ID." The value in this field should look like "UA-XXXXXX-X" if the plugin isn't infected.

If the skimmer has compromised the plugin, the main tracking ID will look roughly like this:
'UA-XXXXXX-X', 'auto');var api_key = atob("base64-encoded-URL")...

The X's will be digits, and "base64-encoded-URL" will actually be a series of meaningless characters. The fix is to edit this field, removing everything except the UA-XXXXXX-X. There should be no punctuation in the field except for hyphens inside the number.
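To make the field check concrete, here is an added example in Node.js (it is not code from this post or from the Google Analytics Pro plugin). It validates the Main Tracking ID against the bare UA-NNNNNN-N form, shows why pasting the stored value unescaped into the ga('create', ...) call is what lets an injected value run, and decodes an atob("...") argument so the loader URL can be reported and blocked. The rendering functions and the sample values are constructed assumptions; the decoded URL is a placeholder, not a real indicator.

```javascript
// Added example: auditing the Magento "Main Tracking ID" field described above.
// Nothing here is the plugin's own code; function names and samples are assumed.

const STRICT_TRACKING_ID = /^UA-\d+-\d+$/;

// True only when the field holds a bare Google Analytics property ID.
function isCleanTrackingId(value) {
  return STRICT_TRACKING_ID.test(value.trim());
}

// Naive rendering of the ga('create', ...) call with the stored value pasted in
// unescaped. This is the pattern the injection exploits: a value containing a
// quote and ')' closes the call early, and whatever follows is executed as code.
function renderSnippetNaive(trackingId) {
  return "ga('create', '" + trackingId + "', 'auto');";
}

// Hardened rendering: refuse anything that is not a bare ID, and JSON-encode the
// value so that a quote could never terminate the string literal anyway.
function renderSnippetSafe(trackingId) {
  if (!isCleanTrackingId(trackingId)) {
    throw new Error("refusing to render: tracking ID is not of the form UA-NNNNNN-N");
  }
  return "ga('create', " + JSON.stringify(trackingId.trim()) + ", 'auto');";
}

// Triage helper: if the field contains an atob("...") call, decode its argument
// so the loader URL can be reported. Returns null when no such call is present.
function extractLoaderUrl(fieldValue) {
  const m = /atob\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)/.exec(fieldValue);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf8");
}

// Constructed sample values: a clean ID and an injected one in the shape the
// post describes. The base64 decodes to https://example.invalid/loader.js.
const CLEAN_ID = "UA-123456-7";
const INJECTED_ID =
  "UA-123456-7', 'auto');var api_key = atob(\"aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9hZGVyLmpz\")";

function demo() {
  return {
    cleanOk: isCleanTrackingId(CLEAN_ID),          // true
    injectedOk: isCleanTrackingId(INJECTED_ID),    // false: quotes and parentheses present
    naive: renderSnippetNaive(INJECTED_ID),        // call is closed after 'auto'); and code follows
    loaderUrl: extractLoaderUrl(INJECTED_ID),      // https://example.invalid/loader.js
  };
}
```

Run the audit against the exported configuration value rather than by eye: any value that fails isCleanTrackingId should be replaced with the bare ID, and any URL returned by extractLoaderUrl added to the blocklist and the incident record.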

If the underlying vulnerability isn't removed, the problem is likely to recur. Administrators need to check periodically to see if it does. If it comes back, it may be necessary to disable the plugin while working on a more permanent improvement to website security.
Protecting against skimmers and other malware
The skimmer discussed here is just one example of the many threats that regularly face websites. Each unit of software can have weaknesses, and criminals are ready to exploit them to steal information or spread malware. Software that doesn't get regular security updates is especially vulnerable.

Magento is one of the most popular platforms for e-commerce, so it's a favorite target for online criminals. Penetrating a Magento site offers a higher chance of financial gain than penetrating a random WordPress site. Owners of any site that requests or holds personally identifiable information (PII) need to be vigilant. Skimmers can grab credit card information even if the site delegates all the processing to a third-party payment service provider.

Responsible publishers fix vulnerabilities in their code when they learn about them, but there is always a window of danger between the time a weakness is discovered and the time when site owners can install a patch. Sometimes criminals discover the vulnerabilities first, letting them engage in zero-day exploits.

A comprehensive security solution, detecting not just known threats but suspicious patterns of behavior, is necessary if a site is going to stay ahead of its attackers. It needs to include access control, patching, monitoring, and malware removal. Since skimmers send data to a rogue server, monitoring reveals their presence even if the specific malware is unknown.
Quttera website protection services thwart many threats
Quttera's ThreatSign provides website monitoring and threat detection for all website hosting and content management systems. It scans the client site for threats, including skimmers, malvertising, zero-day threats, and more. It uses multi-layered analysis to detect suspicious activity and issue a report pinpointing any problems discovered.

ThreatSign includes server-side and external scanning. Server-side scanning examines PHP, JavaScript, and HTML files on a site for malicious modifications. External scanning catches communication between malware and command-and-control servers so that existing infections can be caught and removed. A Web-based dashboard lets administrators view the current status of their systems from anywhere.

Blacklisting due to malware can seriously damage a site's traffic and visibility in search engines. ThreatSign reports blacklisting of a site so that the administrator can quickly take the steps needed to remove the cause and regain good standing.

Plans are available to suit every business's needs. ThreatSign protection pays for itself in better uptime, reduced need for emergency responses, and increased user confidence.