Magento websites are under attack from a new credit card harvesting technique designed to evade detection while harvesting payment card data from major payment processor iframes - a new malware called Magento Cloud Harvester.
The Forensic Team at Foregenix are regularly finding new techniques that attackers are adopting in attempts to remain undetected by victim websites – and it seems they have added a new tactic to attack Shoplift-affected eCommerce websites. Not only are they changing the way that traditional cardholder data harvesting methods are executed – the malicious payload is now retrieved from an external resource.
The basics of the standard client-side attack are pretty straight forward and follow this process:
- An attacker exploits the Magento Shoplift vulnerability to gain access to the website through SQL injection.
- This access permits them to insert data or code (malware) directly into the site's database. Magento has the ability to render content directly from the database and this situation means attackers can push malicious code into an eCommerce website that never actually "touches the disk" directly. As such, normal (file system based scanning) attempts to detect the compromise would be found lacking — the analysis has to consider the database content.
What does the script do and how does it work?
In order for Cloud Harvester to work, the attacker needs to know which payment processing service the targeted organisation is using. While this particluar website uses a well known UK payment gateway for payment processing, this code could work for “all” eCommerce payment services and is certainly no reflection on the security of the actual payment processor. This attack is only possible by exploiting vulnerabilities in an insecure website.
If the attacker has access to the backend administration panel, they can easily view which modules are implemented and are able to adjust the code below as appropriate. Similarly with one of the myriad web shells that we frequently see deployed to compromised sites, reviewing the site’s source code in this manner will produce the same results.
Once injected, the Cloud Harvester malicious code sits within the database that runs behind Magento; so, when a page is generated certain aspects of the database are ‘pulled’, including the header and the footer. In this instance the header is where the script is stored and then executed upon serving the web page to the customer. Once the script has been executed, it creates and renders its own payment form. The above screen shot provides an example of the code generating the fake payment form.
Within the script itself there is a call to an external URL where it will pull down the remainder of the malicious content which allows the attacker to harvest the data that has been entered into the pseudo payment form by the customer.
The code above is an extract from the payload called from the external URL. This code opens a connection to the attacker's drop site using the XMLHttpRequest() method and the entire contents of the POST request from the victim’s website/pseudo payment form are presented to what can only be assumed is a system within the control of the attacker.
How is this uploaded to a website?
Upon saving the changes within the Magento administration panel, the malware is then stored into the database itself. This makes it harder to detect - there are no file changes to help identify what has changed or is different, and it is also not stored on the web server itself, which makes any internal scanning oblivious to its existence.
What can you do?
In order to identify the above malicious script within your Magento ecommerce environment please see a list of recommendations below:
- Run a scan on your website at webscan.foregenix.com. We will check your website using one of the most comprehensive website malware detection scanners available:
- Internal scan - scanning files that are not visible from an external perspective. This is our most comprehensive malware/harvester scanner.
- External Scan – this scans for known issues that are visible externally. While it will identify Cloud Harvester Malware, it is not as comprehensive as the internal scan.
- Load a webpage. Right click on the browser window and then select view the page source. Review the content, looking for heavily obfuscated code. If you see something similar to the code below then there is a good chance that the website has been breached with Cloud Harvester Malware.
- Check to ensure that there are no unknown users, especially admin users in the database. If there are, then this is already a sign that you have may have been breached and an unknown user has access to your system. The profiles should be removed from the database straight away and all credentials system wide should be changed.
- Log into the Magento administration panel and head to System → Configure → Design→ HTML Head “Miscellaneous Scripts“ box in order to see if there is any malicious content. (Please refer to the screenshot below.)
- Log into the Magento administration panel and head to System → Configure → Design→ Footer “Miscellaneous Scripts“ box in order to see if there is any malicious content.
- This can also be done from the Magento administration panel.
- Ensure that the URL for the Administration Panel is not named ‘admin’ or anything similar. Use a unique/random – non-obvious naming convention in order to prevent attackers from guessing where it is or even automated scanners from identifying the administration page.
- Lock down access to the Administration Panel to known IP addresses.
- Verify that your Magento installation is fully patched and up to date in order to help prevent compromises/unauthorised access.
- For more Magento security best practices, please visit https://magento.com/security/best-practices/security-best-practices.