Magento payment card stealers are being used in the wild

Pierluigi Paganini June 27, 2015

The security researchers at Sucuri firm discovered a malicious code that could be used to steal payment card data from Magento platform.

Security experts at Sucuri have uncovered a new method used by criminals to syphon payment card data from websites based on the Magento e-commerce Platform.

Researchers explained that attackers can collect any data submitted by a user to Magento stealing credit card data. Peter Gramantik, a senior malware researcher at Sucuri, explained that criminals are able to inject a malicious code into Magento to steal payment card data, but it’s still unclear how they do it.


The attackers are able to collect all the POST requests, parse them with the malicious code that collect payment card information, and encrypt them with a public encryption key.

“It seems though that the attacker is exploiting a vulnerability in Magento core or some widely used module/extension,” wrote Gramantik. “If the structure of the POST parameters match, the attacker stores them all — nothing more, but nothing less,” Gramantik wrote. “They’ve got all the billing details processed by the infected site.”

The stolen payment card data is then saved in a fake image file that the attacker can download and decrypt later.

$y0 = ‘/home/cloudpanel/htdocs/';

“Now they have all the billing information processed by the Magento e-commerce website,” he wrote. “It’s all nicely packed, formatted and collected.”

The researchers have spotted a sample of the malicious code used to steal data from Magento by injecting code into the Magento’s Checkout Module. In the sample analyzed by the Sucuri, the payment card data is collected before a transaction is processed than is sent in plain text via email back to the attacker.

“The code is pretty clear – it’s a simple mailer. It doesn’t modify the data, just steals them “in the middle” of the transaction processing so that it’s not detected. All the data which should be secured is sent in a plaintext form to the attacker’s email.” states Sucuri.

The experts highlight that attackers have a deep knowledge of the Magento platform.

“The attacker knows how the module works and the code it’s built on; all he needed to do was use the module’s own variable in which all the sensitive data is stored unprotected.” said Gramantik.

The problem resides in the way Magento handles payment data, despite it encrypts the information there is “a very short period of time when Magento handles sensitive customer information in an unencrypted format,” states a blog post written by Sinegubko.

Be aware, Magento payment card stealers are being used in the wild.

Pierluigi Paganini

(Security Affairs – Magento,  cybercrime)

you might also like

leave a comment