Carding Forum
Researchers from Sucuri have discovered a new method of data theft on the Magento e-commerce platform: attackers use editor swap files to inject persistent spyware that steals credit card data. The identified implementation method dramatically increases the survivability of malicious code on an infected system, allowing it to survive numerous deletion attempts.
In the considered malicious campaign, researchers found a script containing encoded variables and strings on the checkout page. Decoding showed that the script was tracking credit card data. When the checkout button was clicked, the script collected the entered data using the querySelectorAll function.
The attackers used the domain "amazon-analytical [.] com" to transmit the stolen data. This domain was registered in February 2024 and has already been used in other credit card theft campaigns. Using popular brands in domain names helps attackers avoid suspicion and detection.
Further investigation revealed that the file "bootstrap.php" on the Magento site had been completely replaced by the criminals. Decoding its content showed the same malicious script that was detected on the checkout page. The malicious code used the curl function to transmit data to an external server.
Removing the malware proved to be a difficult task. Despite replacing the infected file with a clean version and then clearing the caches, the malicious script continued to load on the checkout page. And even when viewing the file directly via SSH, it seemed to be clean, but malware cleaning tools still showed the presence of infection.
The reason for this was a hidden version of the file "bootstrap.php", created when the file was edited via SSH. This temporary swap file contained the same malicious code as the original file. Deleting the hidden swap file and clearing the caches again finally cleaned the checkout page.
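The stale swap file is the kind of artefact a clean-up that only replaces the named file will miss. As an added example (not Sucuri's tooling, and not code from the post), the scanner below walks a web root, picks out hidden editor swap and backup files, and reports which of them contain the indicators the post mentions: the exfiltration domain and the curl sender. The swap-file naming (vim-style `.name.swp`, `name~`, `#name#`) and the sample directory tree are assumptions constructed for the demonstration.

```python
"""Find hidden editor swap/backup files under a web root and flag the ones
carrying known skimmer indicators. Added example for this post; it is not
Sucuri's tool and the file layout below is constructed, not a real site."""
import os
import re
import tempfile

# Editor artefacts that survive replacing the visible file. Naming conventions
# here are assumptions (vim swap files, emacs/nano backups, emacs autosaves).
SWAP_PATTERNS = [
    re.compile(r"^\..+\.sw[a-p]$"),   # vim swap:       .bootstrap.php.swp
    re.compile(r"^[^#].*~$"),         # backup copy:    bootstrap.php~
    re.compile(r"^#.+#$"),            # emacs autosave: #bootstrap.php#
]

# Indicators taken from the post. The domain appears defanged on the page
# ("amazon-analytical [.] com"); it is re-joined here so a byte match works.
INDICATORS = [
    b"amazon-analytical.com",
    b"curl_exec",
]


def is_swap_file(name):
    """True when a basename looks like an editor swap/backup artefact."""
    return any(p.match(name) for p in SWAP_PATTERNS)


def find_swap_files(webroot):
    """Map each swap/backup file (relative path, '/' separators) to the list
    of indicators found in its raw bytes. An empty list still means a stale
    file is present and deserves a look, since the skimmer on the page was
    stored encoded and may not match a plain-text indicator."""
    hits = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not is_swap_file(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            hits[rel] = [i.decode() for i in INDICATORS if i in data]
    return hits


def build_sample_tree():
    """Constructed sample tree: a restored bootstrap.php, a stale vim swap
    file that still holds the skimmer strings, and a harmless backup copy."""
    root = tempfile.mkdtemp(prefix="magento_demo_")
    app = os.path.join(root, "app")
    os.makedirs(app)
    with open(os.path.join(app, "bootstrap.php"), "wb") as fh:
        fh.write(b"<?php\n// clean, restored copy\n")
    with open(os.path.join(app, ".bootstrap.php.swp"), "wb") as fh:
        # vim swap files are binary; the strings are still searchable
        fh.write(b"b0VIM\x00\x00...curl_exec(...https://amazon-analytical.com/...)\n")
    with open(os.path.join(app, "config.php~"), "wb") as fh:
        fh.write(b"<?php return [];\n")
    return root


if __name__ == "__main__":
    for rel, found in find_swap_files(build_sample_tree()).items():
        print(f"{rel}: {found or 'no known indicators (review manually)'}")
```

Run it against the site's document root after restoring the clean file and before clearing caches; anything it lists should be removed or reviewed, and a stale swap file next to a core PHP file is worth treating as a finding even when no indicator matches, because encoded payloads will not match a plain-byte search.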
This case highlights the importance of comprehensive security measures that go beyond surface scans and clean-ups. Limiting administrative access to trusted IP addresses, regularly updating content management systems and plugins, and using firewalls can help reduce the risk of infection.
For those users or administrators who have encountered a similar problem, it is recommended to contact security specialists or use the guide for self-cleaning of infected sites written by Sucuri experts.
• Source: https://blog.sucuri.net/2024/07/attackers-abuse-swap-file-to-steal-credit-cards.html
• Source: https://sucuri.net/guides/how-to-clean-a-hacked-website/