Crooks hijack Magento Realex Payments extension to steal payment card data

Pierluigi Paganini March 14, 2017

Cybercriminals hijack Magento Realex Payments extension to steal payment card data. Experts at Sucuri are observing massive attacks.

Cybercriminals continue to target Magento platform to steal credit card data. Crooks have been abusing a payment module to steal payment card data from online shops running on Magento e-commerce platform.

According to experts at security firm Sucuri, the hackers are targeting module is the Realex Payments Magento extension (SF9), that integrates with the Realex Realauth Remote payment gateway.

The extension allows the administrators of Magento installs to process mail and telephone orders by entering the payment details.

The experts highlighted that the Realex Payments extension is not affected by any vulnerability, the attackers are abusing it once compromised the Magento installation.

The researchers at Sucuri noticed that crooks added a malicious function called sendCcNumber() to an SF9 file named Remote.php.

This function gathers personal and financial data entered by users and sends it back to an email address controlled by the attacker.

“In this particular case, we found a malicious function specifically targeting the Magento payment module SF9 Realex. SF9 integrates with the Realex RealAuth Remote and Redirect systems, very popular solutions in the Magento community.” reads the analysis published by Sucuri.

“The malicious function had been injected after the website was compromised through a different vulnerability, therefore the component itself (SF9 Realex) wasn’t the source of the problem.”

Realex Payments extension

The researchers also noted that the crooks leverage binlist[.]net to get the Issuer Identification Numbers (IIN) (The first 6 digits of a credit card number).

The experts at Sucuri have observed  “massive attacks” where hackers used the injection of malicious scripts into Magento websites in an attempt to steal payment card data.

The researchers warn of a spike in the attack against the e-commerce platforms, for this reason, it is essential to keep websites up to date and apply all security updates.

“Magento credit card stealers are indeed on the rise. While the information here is specific to Magento, realize that this can affect any platform that is used for ecommerce,” concluded the analysis at Sucuri. “As the industry grows, so will the specific attacks targeting it. That’s why it is so important to keep your Magento website up to date and apply all the latest security patches!”

Recently, security expert Willem de Groot discovered a new SQL malware targeting online shops running on Magento that was able to hide its malicious code in the website’s database.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Magento, Realex Payments extension)

you might also like

leave a comment