911 Hack Removal

How to Remove OpenCart & Magento Credit Card Malware Hack?

Updated on: February 9, 2022

How to Remove OpenCart & Magento Credit Card Malware Hack?

Magento & OpenCart Credit Card Hijack

Credit Card malware or Credit Card Hijack is when malicious PHP/JavaScript code is injected into Magento and OpenCart shops which allow hackers to intercept credit card data. This new way of credit card fraud has been undetected for 6 months. There are many cases in which hackers have targeted Magento Payment Security.

What is Credit Card malware hijack? What are its symptoms?

With the increasing popularity of e-commerce platforms like Magento and OpenCart, the cases of malware infections have also risen.  Hackers and cybercriminals have been modifying the core files of these CMSs to steal the credit card information of store customers. Some of the symptoms of such kind of a hack are as follows:

  • Credit Cards of customers have been used to make fraudulent transactions
  • Errors while trying to purchase items on the store
  • The checkout process is slow and gets stuck
  • Unknown popups & messages on the website
  • Logging in to the admin area takes longer
Credit card hack Magento, Opencart, prestashop & woocommerce

Get the ultimate Magento Security checklist with 300+ test parameters

Here is a screenshot of malicious code injected by a hacker

Malicious code injected by a hacker to get credit card details in magento

When a customer is on the checkout page, it encodes all the data and sends it over to the hacker’s server. Here is a screenshot of the encoded credit card malware code

Encoded credit card hack malware code

Consequences of the Payment Gateway Hack

This hack is very targeted in nature mainly affecting e-commerce stores running Magento and OpenCart stores. The malware captures the following  sensitive information and sends it to hacker-controlled servers:

  1. Credit Card (CC) information
    1. Credit Card Number
    2. Credit Card Security Code (CVV)
    3. Expiry Date
  2. Login activity of Magento Administrators is sent to hackers
  3. Personally identifiable information of users
    1. Account Password
    2. Customer IP address
    3. Billing Name
    4. Email
    5. Address
    6. Phone number
    7. Date of Birth
  4. Server Information of your Magento/OpenCart store

A web application firewall is must needed security for your e-commerce store. It will monitor all the traffic coming to your website and allow only legitimate request to your web server. Secure your e-commerce website now with Astra.

Want to secure your Magento store? We can help!

Astra has helped thousands of Magento stores prevent cyberattacks on real time.
Get Started
Starting from $25/month

How to fix the credit card malware hack in your Magento/OpenCart store?

This can get a little tricky as most malware scanners miss this kind of malware. The reason being that such hacks are very targeted and can vary from store to store.

Credit Card Hijack:  Step 1: Check core system files that may have been modified

We’ve compiled a list of files where we have found the malicious code. Login to your server and check the following files if they have been recently modified:

Magento 1.9.X

  • app/code/core/Mage/XmlConnect/Block/Checkout/Payment/Method/Ccsave.php
  • app/code/core/Mage/Customer/controllers/AccountController.php
  • app/code/core/Mage/Payment/Model/Method/Cc.php
  • app/code/core/Mage/Checkout/Model/Type/Onepage.php

OpenCart 1.5 / 2.0

  • catalog/controller/extension/payment/pp_payflow.php
  • catalog/controller/extension/payment/pp_pro.php
  • catalog/controller/extension/payment/authorizenet_aim.php
  • catalog/controller/extension/payment/sagepay_us.php
  • catalog/controller/extension/credit_card/sagepay_direct.php

A snippet of the malicious code can be seen below where sensitive customer information is sent using cURL in PHP.

Magento Credit Card Malware - Details Stolen

Get the ultimate Opencart security checklist with 300+ test parameters

Credit Card Hijack: Step 2: Check recently modified files

Login to your web server via SSH and execute the following command to find the most recently modified files:

find /path-of-www -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r

This commend would return the paths to the recently modified files. Open them in your text editor and check if they look suspicious. Sometimes hackers inject JS codes in the core files, like the one hosted in this link here – https://smartnetworkclick.com/js/analytics.min.js

If you are an Astra customer, you would have received an email telling you about malicious file changes.

Credit Card Hijack: Step 3: Search for web shell, backdoor files on the server

To retain continued access to the server, a hacker may upload web-shells or backdoors which will allow them to upload new malicious files at a later stage. Same as the above step, log in to the server via SSH and run the following command:

find /var/www -name "*.php" -exec grep -l "$_FILES\[" {} \;

Open each of the files shown in the above search and trying to find code which looks like this:

CC Hack Backdoor Code Snippet

Steps to prevent Credit Card Hijack & Identify the cause Hack

  1. Update your OpenCart/WordPress website to the latest version: To fix any known security issues in the CMS core
  2. Scan file uploads for malware: So that malicious shell files are not uploaded to the server. (You can enable this module in your Astra Dashboard)
  3. Change the username and password of admin accounts: So that hacker does not continue to have access to the website after malware cleanup
  4. Change database password: Such that hacker is unable to directly connect to the database
  5. Scan Server Logs (Access & Error): You may find unfamiliar or gibberish errors in the logs which may indicate the source & time of the hack
  6. Prevent future attacks with a Website Firewall: Another option to prevent the prevent Magento Malware infections is to use a Website Firewall, like Astra. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website.

See our Intelligent Firewall and Malware Scanner in action

Stop bad bots, SQLi, RCE, XSS, CSRF, RFI/LFI and thousands of cyberattacks and hacking attempts.
Try Free Trial
Let us know if you like it 😃

Ananda Krishna

Ananda Krishna is the co-founder & CTO of Astra Security, a SaaS suite that secures businesses from cyber threats. He has been acknowledged by the Indian Navy, Microsoft, United Airlines, etc. for finding critical security vulnerabilities in their systems. Winner of the Best Security Product at Global Conference on Cyberspace 2017 (awarded by Narendra Modi, Prime Minister of India) & French Tech Ticket, Paris (awarded by François Hollande, former President of France). At Astra he's building an intelligent security ecosystem - web application firewall (WAF), malware detection & analysis, large scale SaaS applications, APIs & more. He's actively involved in the cybersecurity community and shared his knowledge at various forums & invited talks.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany