Visbot is one of the oldest Magecart payment skimmers: it steals customer data and credit cards. The first case was documented as early as March 2015. But being publicly discussed did not stop it from spreading. We conducted a global research into 300.000 Magento stores and found active Visbot infections on 6691 stores.
How is that possible? Contrary to other skimming malware, Visbot inject itself in code running on the server. This makes it harder to detect from the outside, as the malware operates completely invisible for anyone but the store owner. And many store owners are not equiped to detect these kind of compromises.
How Visbot works
For devs, here’s a beautified copy
Visbot injects itself into existing PHP code. It stays dormant until data is entered by store visitors (an order or a password). Submitted data is then encrypted and saved to a fake image file. This “image” is then later retrieved by the perpetrator and sold on the black market.
- Stores usually have a thousands of images, so fetching an odd one is not suspicious.
- Encryption ensures competing thieves cannot hijack the payload.
And how did Sansec establish the presence of Visbot on all these stores? If it is so well hidden? The Visbot author made a crucial mistake: s/he added a feature to remotely detect whether the malware is still active. If you send a specific code (a “password”) to an infected store, it will display:
This can be simulated with this command:
curl -LH 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;[email protected])' \ http://your-site.com
In the last week, we observed Visbot controller activity from servers in Sweden (
220.127.116.11), Ukraine (
18.104.22.168) and Germany (
Private data is stored in somewhat random image files. So far we observed these filenames being used:
bkg_btn-close2_bg.gif btn_back_bg_bg.gif btn_cancel_bg_bg.gif left_button_back.gif mage.jpg nav1_off_bg.gif notice-msg_bg.png section_menu_link_bg_bg.gif sort-arrow-down_bg.png
The public key used to encrypt the stole data is included in the malware, but the private key is not. Until it surfaces, it is not possible to decrypt the contents.
We have shared the list of compromised stores with the authorities and major providers, so they can reach out to owners and agencies in order to resolve the situation.
We strongly recommend merchants to implement server-side malware & vulnerability scanning, so they can detect and prevent these attacks.