Payment Data Stolen From Compromised Magento Sites
During our routine threat-hunting exercise, Cyble Research & Intelligence Labs (CRIL) came across a Twitter post wherein a researcher mentioned an interesting JavaScript skimmer created by the Magecart threat group (a consortium of malicious hacker groups who target online shopping cart systems) that steals payment information from the Magento e-commerce website.
Magecart is a wider term for several threat groups who compromise e-commerce websites and inject card-skimming scripts on checkout pages to steal customers’ payment details as well as their personal data.
Magento card-skimming
Magento is a PHP-based open-source e-commerce platform that helps programmers create their own e-commerce websites. It is a self-hosted content management system currently owned by Adobe. Approximately 250,000+ websites use Magento to power their e-commerce websites. This platform also allows website owners to add Google Analytics and other third-party integrations such as eBay, PayPal, Mailchimp, etc.
Magento card skimming is a type of web skimming wherein Threat Actors (TAs) exploit software vulnerabilities in the Magento e-commerce sites to gain access to the website’s source code. Upon gaining access, the TAs inject malicious JavaScript into the compromised website, which keeps an eye on the payment forms & checkout pages.
This script allows TAs to steal necessary banking information such as the owner’s name, credit/debit card number, CVV number, and expiry date. It also allows them to exfiltrate data from the compromised website. TAs, typically generate revenue by selling this stolen information on the black market. The sold data is used to make unauthenticated online transactions, transfer money, and buy and ship goods overseas.
While conducting this analysis, we observed that when a user visits the compromised website, the skimmer loads the payment overlay form from an embedded JavaScript file “media/js/js-color.min.js” and asks the user to enter their payment information.
The below figure shows an obfuscated skimmer script used for stealing payment information.
The below figure shows the payment page of the compromised Magento site, which prompts visitors to enter their credit/debit card information to process the transaction.
Upon entering the payment details in the above form, the JavaScript file collects and processes all the input details given by the victims who are shopping on the compromised website and then sends them to the URL mentioned in the JavaScript.
Technical Analysis
For our analysis, we have taken the following sample hash (SHA256):
fdb135b16975bbee18d3d4d378484934f1cb1b68723969ce9ecf5ae76df253d0, which is an obfuscated JavaScript file.
The below figure shows the obfuscated and de-obfuscated content of the JavaScript file.
Upon executing the JavaScript, it checks for the presence of standard skimmer anti-detect features that prevent it from loading if the browser’s dev tool is open.
After checking for anti-detect, the malware allows the user to enter the payment’s credit/debit card details along with other details such as first name, last name, address, telephone, email ID, etc.
Then, it verifies the length of the following details entered by victims in the payment form and calls an execute() function, as shown in Figure 5.
- #pas_ccnum – The length of the card number should be greater than 14
- #pas_expiry – The length of the Expiry should be equal to 5
- #pas_cccvc – The length of the Security Code should be greater than or equal to 3
The execute() function collects all the input details entered by the victims and pushes them into the array “data,” as shown in the below figure.
Next, the execute() function converts the JavaScript “data” value into a JSON string by using the JSON.stringify() function.
Then, it performs the split(), reverse(), join(), encodeURIComponent() and unescape() operations on the JSON string content and converts the results into Base64-encoded format string using the btoa() function.
After that, it exfiltrates the Base64-encoded payment details to the below URL using the POST method.
- united81[.]com/css/images/<Randomnumber>[.]png
Conclusion
Online shopping activity is constantly on the rise due to its ease of use, digital transformation, and the sheer convenience. Skimmer groups continue to infect e-commerce sites in large numbers and are improving their techniques to remain undetected. Historically, Magento e-commerce websites have been the most highly targeted victims of skimmer attacks. While using any e-commerce website, ensure that you only use known and legitimate platforms.
Cyble Research & Intelligence Labs actively monitors new malicious campaigns to keep our readers updated with our latest findings about skimming and other types of data-stealing attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Avoid downloading pirated software from warez/torrent websites.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees in terms of protecting themselves from threats like phishing’s/untrusted URLs.
- Keep your devices, operating systems, and applications updated.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solution on the employees’ systems.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1059 | Command and Scripting Interpreter |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Discovery | T1518 | Security Software Discovery |
| Credential Access | T1417 | Input Capture |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1041 | Exfiltration Over C&C Channel |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| f5dceb6097a46b01202fececfd494de6 8b064625fd8566fe9ed10ebb77f4642025388a18 fdb135b16975bbee18d3d4d378484934f1cb1b68723969ce9ecf5ae76df253d0 | MD5 SHA1 Sha256 | js-color.min.js File |
| united81[.]com/css/images/28555284977696[.]png | URL | data exfiltration Domain |
