Payment Data Stolen From Compromised Magento Sites
Magecart is an umbrella term for several threat groups that compromise e-commerce websites and inject card-skimming scripts into checkout pages to steal customers’ payment details and personal data.
Magento is a PHP-based open-source e-commerce platform that developers use to build their own online stores. It is a self-hosted content management system currently owned by Adobe. Roughly 250,000 websites use Magento to power their e-commerce presence. The platform also lets site owners add Google Analytics and third-party integrations such as eBay, PayPal and Mailchimp.
The skimmer script allows TAs to steal banking information such as the cardholder’s name, credit/debit card number, CVV and expiry date, and to exfiltrate that data from the compromised website. TAs typically monetize the stolen information by selling it on underground markets, where it is used for unauthorized online transactions, money transfers, and buying and shipping goods overseas.
The below figure shows an obfuscated skimmer script used for stealing payment information.
The below figure shows the payment page of the compromised Magento site, which prompts visitors to enter their credit/debit card information to process the transaction.
For our analysis, we have taken the following sample hash (SHA256):
Once its anti-detection checks pass, the skimmer lets the victim enter the credit/debit card details on the payment page along with other details such as first name, last name, address, telephone number and email ID.
It then verifies the length of the following fields entered by the victim in the payment form and calls the execute() function, as shown in Figure 5.
- #pas_ccnum – The length of the card number should be greater than 14
- #pas_expiry – The length of the expiry date should be equal to 5
- #pas_cccvc – The length of the Security Code should be greater than or equal to 3
The execute() function collects all the input values entered by the victim and pushes them into the array “data,” as shown in the figure below.
It then applies split(), reverse() and join() to the JSON string (reversing its characters), passes the result through encodeURIComponent() and unescape(), and converts it into a Base64-encoded string using the btoa() function.
Finally, it exfiltrates the Base64-encoded payment details to the URL below using an HTTP POST request.
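As an added example (not code from the post or from the skimmer), the following Node.js snippet reverses the encoding chain described above so a responder can recover and triage the fields from a captured exfiltration body. The sample data array and its field layout are constructed assumptions; the triage thresholds are the ones the post lists for the three card fields.

```javascript
// Added example: decode and triage a captured Magecart exfiltration body built the way the
// post describes: JSON -> split/reverse/join -> unescape(encodeURIComponent()) -> btoa().
// Runs under Node.js 16+ (btoa, unescape, Buffer and TextDecoder are built-in globals).

// Mirror the documented transformation only to construct a test payload for the decoder.
function modelSkimmerEncoding(dataArray) {
  const reversed = JSON.stringify(dataArray).split('').reverse().join('');
  // unescape(encodeURIComponent()) yields the UTF-8 bytes as one char per byte, which btoa() accepts
  const utf8AsBinaryString = unescape(encodeURIComponent(reversed));
  return btoa(utf8AsBinaryString);
}

// Undo each step in reverse order: Base64 -> UTF-8 bytes -> string -> un-reverse -> JSON.
function decodeSkimmerPayload(b64) {
  const bytes = Buffer.from(b64, 'base64');
  const reversed = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
  const json = reversed.split('').reverse().join('');
  return JSON.parse(json);
}

// Classify recovered values with the same thresholds the skimmer applies before exfiltrating
// (card number longer than 14 chars, expiry exactly 5 chars, security code 3 chars or more)
// and mask the PAN so an incident report can count affected cards without storing them in full.
function triageFields(values) {
  const result = { cards: [], expiries: 0, securityCodes: 0, other: 0 };
  for (const v of values.map(String)) {
    if (/^\d{15,19}$/.test(v)) {
      result.cards.push(v.slice(0, 6) + '*'.repeat(v.length - 10) + v.slice(-4));
    } else if (/^\d{2}\/\d{2}$/.test(v)) {
      result.expiries += 1;
    } else if (/^\d{3,4}$/.test(v)) {
      result.securityCodes += 1;
    } else {
      result.other += 1;
    }
  }
  return result;
}

// Constructed sample of what a POST body to the exfiltration URL might carry.
// The card number is a well-known test PAN, not real customer data.
const SAMPLE_DATA = ['Jane', 'Doe', '4111111111111111', '12/26', '123', 'jane@example.com'];
const SAMPLE_POST_BODY = modelSkimmerEncoding(SAMPLE_DATA);

console.log(triageFields(decodeSkimmerPayload(SAMPLE_POST_BODY)));
```

Feed the Base64 body captured from the outbound POST into decodeSkimmerPayload() and pass the result to triageFields() to count exposed cards without writing full PANs to the case file.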
Online shopping continues to grow because of its ease of use, digital transformation and sheer convenience. Skimmer groups continue to infect e-commerce sites in large numbers and are refining their techniques to remain undetected. Historically, Magento-based e-commerce websites have been the most heavily targeted by skimmer attacks. When shopping online, make sure you use only known and legitimate platforms.
Cyble Research & Intelligence Labs actively monitors new malicious campaigns to keep our readers updated with our latest findings about skimming and other types of data-stealing attacks.
We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Avoid downloading pirated software from warez/torrent websites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Keep your devices, operating systems, and applications updated.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor beaconing at the network level to block data exfiltration by malware or TAs.
- Enable a Data Loss Prevention (DLP) solution on employees’ systems.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or email.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Discovery | T1518 | Security Software Discovery |
| Credential Access | T1417 | Input Capture |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C&C Channel |
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| united81[.]com/css/images/28555284977696[.]png | URL | Data exfiltration domain |