Case Study: How eCommerce Hackers Silently Steal Credit Card Data

This is what happened to one of our clients. Due to his attentiveness - and a bit of luck! - this merchant noticed some abnormalities in his store’s code. He wasn’t using our malware scanning technology at the time, so he reached out to us for extended research.

Investigate first, fix later

Counterintuitively, we always insist that you don't make any changes to your website if it has been hacked. If a merchant removes the malware her/himself, the root cause analysis may fail and some vulnerabilities may remain undetected. If the original vulnerability remains, the attacker probably reinfects the web store. Hacking groups often work with automated systems, probing lists of ecommerce websites for known vulnerabilities and automatically reinfecting them again and again.

At Sansec we monitor 150.000 Magento & Adobe Commerce ecommerce websites with our Early Breach Detection Network. According to this data, a significant percentage of all web stores get reinfected within a matter of days. Reinfection happens by exploiting the same vulnerability or because after the initial breach a backdoor was installed. A backdoor is a secret entrance, well hidden in the web store, with the sole purpose of being able to enter again after a superficial cleaning was done. Backdoors are hard to find without a specialized malware scanner, they can "live" in databases, memory, and somewhere in a legitimate file.

Root cause analysis

Typically when we do a root cause analysis, we report in a similar way as we did below in this customer case.

The root cause was an admin breach on 2021-03-04. This happened at 17.47:50 (z-time) and was done by a foreign IP (DE *..*.) This actor uploaded a backdoor (errors/log.php), through which several uploads were done. As the timestamps of all found malware were after the creation of the backdoor, we can assume this backdoor was used to upload all malware found.

A large number of foreign POST requests were found on your admin panel. This suggests a brute force attack was performed to obtain user/password information of your backend. In 2021, more than 250.000 such requests were found in your access logs.

In this case, the merchant suffered multiple hacks:

• An admin password was hacked by doing a brute force attack
• 2 credit card skimmers were installed to hijack customer payment data
• Several backdoor/file uploaders for perpetual access, to make sure the credit card skimmers could be reinstalled when removed.

A credit card skimmer is a piece of software (malware) that silently steals credit card information during the checkout process. It makes a copy of the customer and payment data, such as credit card number, holder name, CVV, and expiry date. It is likely this hack would have remained under the radar for a long time if it wasn't for the merchant's accidental discovery of an abnormality in the code. After all, it is in the hacker’s best interest to remain undetected, to keep on gathering data without being discovered. Another strategy of hackers is to stay dormant and wait until something big is happening, such as Black Friday, in an attempt to steal more data at once.

After the root cause analysis is done, the proces of securing the Mageno store could begin. In this case, the first step was changing all Magento admin passwords.

Worst case scenario

What if the merchant failed to detect and remove the credit card skimmer and backdoors?

Firstly, the goal of credit card skimmers is rather obvious - to steal money from oblivious customers. If multiple customers find that their credit cards have been charged, it is only a matter of time until their bank or card issuer finds out which store is responsible for the data loss. On top of this, major hacks in ecommerce are often shared in press releases or by investigating journalists. As your reputation is at stake, it is of utmost importance to keep your ecommerce website safe. Sometimes, even customers reach out to Sansec after they find strange transactions on their credit cards.

Secondly, the backdoors are the reason why stores keep getting reinfected if merchants remove the malicious code themselves.

To use a brick-and-mortar analogy, removing the malware without solving the vulnerability is like calling the cops on unwanted intruders but consistently refusing to lock the door.

Many websites find themselves reinfected within weeks or months, and stores typically have to clean up malware three to five times a year because they fail to take accurate measures to tackle the problem on their first attempt.

Automating security for Magento and Adobe Commerce

Do you want to check whether your Magento or Adobe Commerce web store has been hacked? Or do you want to scan your ecommerce website for vulnerabilities in Magento, the installed extensions or in your configuration, to prevent an attack from succeeding? All Sansec's research is combined in eComscan, the back-end malware and vulnerability scanner for Magento.

eComscan will give you actionable results, it will show you:

1. the files the hacker has changed and now uses to spy on you and your customers (malware);
2. if your software (Magento, Adobe Commerce, WooCommerce) contains vulnerabilities;
3. if the extensions you use are up to date and/or contain vulnerabilities;
4. hidden entrances (backdoors) hackers place to ensure their continued access;
5. assess your configuration from a security perspective (Magento, Adobe Commerce, server setup).

eComscan is a 5-minute install and will safe you multiple hours per month, having to stay up to date about security news and attack vectors.

• Are you a Magento developer?
• What are the costs of eComscan?
• How can I install eComscan on big clustered Magento or Adobe Commerce setups?

Read more

• Persistent Magento backdoor hidden in XML
• Sansec joins forces with Google's VirusTotal
• Sansec and Europol counter online skimming
• Magento wish list exploit bypasses WAF protection
• Is your store’s newsletter being used for phishing?