Security researcher Willem de Groot recently unearthed the most successful (so far) skimming campaign, at the center of which is the MagentoCore skimmer. The skimmer has already infected 7,339 Magento stores in the last 6 months, thus becoming the most aggressive campaign discovered by researchers.
The operators of MagentoCore managed to compromise thousands of e-commerce websites running on Magento, injecting the card scraper in their source code.
MagentoCore Skimmer: Who Is Targeted?
Apparently, victims of this skimming malware are some multi-million, publicly traded companies. This may suggest that the campaign is financially quite successful but in fact it is the customers of these companies that have their cards and identities stolen.
“The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months. The group hasn’t finished yet: new brands are hijacked at a pace of 50 to 60 stores per day over the last two weeks”, the researcher said.
MagentoCore Skimmer: How Does It Work?
First, the skimming malware is gaining access to the control panel of the targeted e-commerce website, in most cases via brute force attacks. Once the password is broken and the threat actor is in, an embedded piece of JavaScript is added to the HTML template.
The script (backup) is recording keystrokes from unsuspecting customers and is sending everything in real-time to the MagentoCore server, which is registered in Moscow, the researcher found out.
The MagentoCore skimmer also contains a recovery mechanism, and it is also designed to add a backdoor to cron.php. This is done so that the malware periodically downloads malicious code which is self-deleted after running, with no traces left.
More technical details:
– The file clean.json (backup) is in fact PHP code which is set to remove any competing malware from the targeted site, searching for ATMZOW, 19303817.js and PZ7SKD.
– The file clear.json (backup) is set to change the password of several common staff user names to how1are2you3.
How to Counter the MagentoCore Skimmer?
Groot has some pretty good advice for admins that have been affected by the aggressive skimming campaign:
1. Find the entry point: how could attackers gain unauthorized access in the first place? Analyse backend access logs, correlate with staff IP’s and typical working hours. If suspicious activity is recorded from staff IPs, it could be that a staff computer is infected with malware, or that the attacker has hijacked an authorized session.
2. Find backdoors and unauthorized changes to your codebase. Usually there are a few, both in frontend/backend code and the database. My opensource Magento Malware Scanner can be useful here.
3. Once you have established all means of unauthorized access, close them all at once.
4. Remove the skimmer, backdoors and other code. Revert to a certified safe copy of the codebase, if possible. Malware is often hidden in default HTML header/footers, but also in minimized, static Javascript files, hidden in deep in the codebase. You should check all HTML/JS assets that are loaded during the checkout process.
5. Implement secure procedures that cover timely patching, strong staff passwords etcetera. A good starting point.
In February last year, Willem de Groot analyzed a piece of another evolved Magento malware which was capable of self-healing. This process was possible thanks to hidden code in the targeted website’s database.
This malware strain was not the first to place hidden code in a website’s database but was indeed the first one written in SQL as a stored procedure. This malware was typically capable of harvesting user card information, but was also capable of preserving itself for unspecified period of time.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: