Security researcher Willem de Groot recently unearthed the most successful skimming campaign discovered so far, built around the MagentoCore skimmer. The skimmer has infected 7,339 Magento stores in the last 6 months, making it the most aggressive campaign researchers have documented.
The operators of MagentoCore managed to compromise thousands of e-commerce websites running on Magento, injecting the card scraper in their source code.
MagentoCore Skimmer: Who Is Targeted?
Among the victims of this skimming malware are multi-million, publicly traded companies. That makes the campaign financially lucrative, but the real losers are the customers of these companies, whose cards and identities are stolen.
“The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months. The group hasn’t finished yet: new brands are hijacked at a pace of 50 to 60 stores per day over the last two weeks”, the researcher said.
MagentoCore Skimmer: How Does It Work?
The script (backup) records keystrokes from unsuspecting customers and sends everything in real time to the MagentoCore server, which the researcher found is registered in Moscow.
The MagentoCore skimmer also contains a recovery mechanism: it adds a backdoor to cron.php so that the malware periodically downloads malicious code, which deletes itself after running and leaves no trace.
More technical details:
– The file clean.json (backup) is in fact PHP code that removes competing malware from the targeted site by searching for the markers ATMZOW, 19303817.js and PZ7SKD.
– The file clear.json (backup) changes the password of several common staff user names to how1are2you3.
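The indicators above (the exfiltration host and the markers the skimmer uses to hunt rival infections) are enough to build a simple content scan of templates, database-stored head/footer blocks and cron.php. The following is an added example written for this article, not code from the researcher or from Magento; the file paths and contents are constructed for illustration.

```python
import re

# Indicators taken from the article: the exfiltration host, the markers the
# clean.json routine searches for when removing rival malware, and the
# password value the clear.json routine sets. Nothing else is assumed.
INDICATORS = {
    "magentocore_host": re.compile(r"magentocore\.net", re.IGNORECASE),
    "competitor_ATMZOW": re.compile(r"ATMZOW"),
    "competitor_19303817": re.compile(r"19303817\.js"),
    "competitor_PZ7SKD": re.compile(r"PZ7SKD"),
    "staff_password_reset": re.compile(r"how1are2you3"),
}


def scan_text(path, text):
    """Return (path, indicator_name, line_no) for every indicator hit in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((path, name, line_no))
    return hits


def scan_files(files):
    """files: mapping of path -> content, e.g. read from disk or exported
    from core_config_data / cms_block rows, which skimmers also use."""
    hits = []
    for path, text in files.items():
        hits.extend(scan_text(path, text))
    return hits


# Constructed sample tree: a theme template carrying the loader tag, an
# exported design/head/includes row with a rival marker, and a clean cron.php.
SAMPLE_FILES = {
    "app/design/frontend/theme/template/page/html/head.phtml":
        '<script src="https://magentocore.net/mage/mage.js"></script>\n',
    "var/export/core_config_data.txt":
        'design/head/includes = <script src="//cdn.example/app.js"></script>\n'
        "design/head/includes = <script>var z=1;//PZ7SKD</script>\n",
    "cron.php": "<?php\nrequire 'app/bootstrap.php';\n",
}

if __name__ == "__main__":
    for path, name, line_no in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {name}")
```

A literal match is only a first pass: the loader in a real infection is often obfuscated, so a hit here confirms an infection while a clean result does not rule one out.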
How to Counter the MagentoCore Skimmer?
De Groot has some pretty good advice for admins affected by the aggressive skimming campaign:
1. Find the entry point: how could attackers gain unauthorized access in the first place? Analyse backend access logs, correlate with staff IPs and typical working hours. If suspicious activity is recorded from staff IPs, it could be that a staff computer is infected with malware, or that the attacker has hijacked an authorized session.
2. Find backdoors and unauthorized changes to your codebase. Usually there are a few, both in frontend/backend code and the database. My opensource Magento Malware Scanner can be useful here.
3. Once you have established all means of unauthorized access, close them all at once.
5. Implement secure procedures that cover timely patching, strong staff passwords etcetera. A good starting point.
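Steps 1 and 2 above can be started with a small script: parse the web server's access log, flag admin-panel requests that come from outside the known staff IP set or outside working hours, and diff the live code tree against a known-good hash manifest. This is an added example written for this article, not the researcher's scanner or any Magento tooling; the log lines, IP addresses, file contents and the /admin path prefix are constructed assumptions.

```python
import hashlib
import re
from datetime import datetime

# Combined-log style line (Apache/nginx), reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def suspicious_admin_hits(lines, staff_ips, work_hours=(8, 18), admin_prefix="/admin"):
    """Step 1: flag admin requests from non-staff IPs or outside working hours.
    Returns a list of (reason, parsed entry) in log order."""
    start, end = work_hours
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e is None or not e["path"].startswith(admin_prefix):
            continue
        reasons = []
        if e["ip"] not in staff_ips:
            reasons.append("non-staff ip")
        if not (start <= e["ts"].hour < end):
            reasons.append("outside working hours")
        if reasons:
            flagged.append((", ".join(reasons), e))
    return flagged


def sha256_of(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def unauthorized_changes(baseline_hashes, current_files):
    """Step 2: compare a known-good manifest (path -> sha256) against the live
    tree (path -> content). Returns sorted (path, 'modified'|'added') pairs."""
    findings = []
    for path, content in current_files.items():
        expected = baseline_hashes.get(path)
        if expected is None:
            findings.append((path, "added"))
        elif sha256_of(content) != expected:
            findings.append((path, "modified"))
    return sorted(findings)


# Constructed sample log: one staff IP working normally, the same IP at 03:41,
# and an unknown IP hitting the admin login. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Aug/2018:09:14:02 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0',
    '203.0.113.10 - - [12/Aug/2018:14:30:11 +0000] "GET /admin/catalog/product/ HTTP/1.1" 200 5120',
    '203.0.113.10 - - [13/Aug/2018:03:41:55 +0000] "POST /admin/system_config/save/ HTTP/1.1" 302 0',
    '198.51.100.77 - - [13/Aug/2018:11:02:20 +0000] "POST /admin/index/index/ HTTP/1.1" 302 0',
    '198.51.100.77 - - [13/Aug/2018:11:05:09 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 8801',
]
STAFF_IPS = {"203.0.113.10"}

# Constructed manifest: cron.php gained an extra line, and a new file appeared.
CLEAN_CRON = "<?php\nrequire 'app/bootstrap.php';\n"
BASELINE = {"cron.php": sha256_of(CLEAN_CRON)}
CURRENT = {
    "cron.php": CLEAN_CRON + "// constructed: an unexpected extra line\n",
    "var/tmp.php": "<?php\n",
}

if __name__ == "__main__":
    for reason, e in suspicious_admin_hits(SAMPLE_LOG, STAFF_IPS):
        print(f"{e['ts'].isoformat()} {e['ip']} {e['path']}: {reason}")
    for path, kind in unauthorized_changes(BASELINE, CURRENT):
        print(f"{path}: {kind}")
```

The hash manifest must come from a trusted copy (a release tarball or a clean deployment artifact), never from the compromised host itself, and the staff IP list should cover VPN egress addresses so legitimate remote logins do not drown the real findings.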
In February last year, Willem de Groot analyzed another evolved piece of Magento malware, one capable of self-healing thanks to hidden code in the targeted website’s database.
This malware strain was not the first to place hidden code in a website’s database, but it was the first written in SQL as a stored procedure. Like other strains it harvested user card information, but it could also preserve itself for an unspecified period of time.