Get started in 5 minutes!

Case study: how eCommerce hackers silently steal credit card data

Case study: how eCommerce hackers silently steal credit card data

The majority of online stores have never been hacked and, as a result, take a somewhat lax approach to cybersecurity. However, no less than 20% of all online stores get hacked every year, which means it might only be a matter of time until yours becomes the next victim.

This is what happened to one of our clients. Due to his attentiveness - and a bit of luck! - this merchant noticed some abnormalities in his store’s code. He wasn’t using our scanning technology at the time, so he reached out to us for extended research.

Investigating the hack

Counterintuitively, we always insist that you do not make any changes to your website if it has been hacked. If a merchant removes the malware him/herself, the root cause analysis may fail and some vulnerabilities may remain undetected. This could lead to reinfection, as a significant percentage of all stores get reinfected within a matter of days.

Results of the root cause analysis

Typically, we make sure the report of the root cause analysis is similar to what we sent to this specific client:

The root cause was an admin breach on 2021-03-04. This happened at 17.47:50 (z-time) and was done by a foreign ip (DE .**..**) This actor uploaded a backdoor (errors/log.php), through which several uploads were done. As the timestamps of all found malware were after the creation of the backdoor, we can assume this backdoor was used to upload all malware found.

A large amount of foreign POST requests were found on your admin panel. This suggests a brute force attack was performed to obtain user/password information of your backend. In 2021, more than 250.000 such requests were found in your access logs.

In this case, the store owner suffered multiple hacks:

  • 2 credit card skimmers to hijack customer payment data
  • Several backdoor/file uploaders to make sure the credit card skimmers could be reinstalled when removed.

The credit card skimmer silently steals credit card information during the checkout process, so it is likely this hack would have remained under the radar. After all, it is in the hacker’s best interest to harvest as much credit card details as possible while staying under the radar so that it can exploit or sell these data in bulk. Another strategy of hackers is to stay dormant and wait until something big is happening, such as Black Friday, in an attempt to steal more data at once.

What if the merchant failed to detect and solve the malware?

Firstly, the goal of credit card skimmers is rather obvious - to steal money from oblivious customers. If multiple customers find that their credit cards have been charged, it is only a matter of time until they find out which store is responsible for the data theft. On top of this, major hacks in eCommerce are often shared in press releases.

As your reputation is at stake, it is of utmost importance to keep your store safe. Sometimes, even customers reach out to us after they find strange transactions on their credit card.

Secondly, the backdoors are the reason why stores keep getting reinfected if merchants remove the malicious code themselves. To use a brick-and-mortar analogy, removing the malware without solving the vulnerability is like calling the cops on unwanted intruders but consistently refusing to lock the door.

To use a brick-and-mortar analogy, removing the malware without solving the vulnerability is like calling the cops on unwanted intruders but consistently refusing to lock the door.

Many websites find themselves reinfected within months, and stores typically have to clean up malware three to five times a year because they fail to take accurate measures to tackle the problem on their first, or even second attempt.

Thanks, this is great information. Honestly the price is well worth it, more than I was miffed if it had been sitting there for 2 years after the last time. Will work to clean up the admin access and other updates this weekend, thank you for the detailed guide. Well done guys!

— The anonymous merchant

Want to check whether your Magento store has been hacked or will potentially be hacked? Click here for more details about Sansec eComscan. If, for any reason, you are not happy with our solution, you can always use our 30-day money back guarantee.

About eComscan

eComscan is the most advanced malware scanner for Magento stores. Get peace of mind with continuous scans and immediate alerts when something suspicious is found. Read more about our product here.

Stay ahead of eCommerce hacks,
protect your store today!

Sansec forensic experts were the first to document large scale digital skimming in 2015. Since then, we have investigated thousands of hacked stores. Our research of the latest attack vectors protects our customers around the world. Our anti-skimming technology and data are used by merchants, forensic investigators, financial anti-fraud teams and service providers

Try our malware scanner