December 9, 2016

Java Keylogger Malware Puts Online Shoppers at Risk

Researchers have discovered a Java keylogger malware behind an exploit that forwards credit card details from checkout pages. The card information is stolen from the online checkout forms commonly found on shopping websites. By conservative estimates, several dozen websites have been compromised.

Websites running the open-source ecommerce platform by Magento have been compromised by malware that forwards credit card details to attackers in real time.

A blog by Magento Commerce claims that attackers are “likely using” admin privileges or access to a targeted website’s database to implement the exploit. While the open source platform confirmed that websites powered by its commerce toolkit had been exploited, it pointed the finger at websites that had not implemented a February 2015 patch as the ones falling prey to the malware.

An excerpt from the blog read:

No new attack vector has been identified and it appears most impacted sites have not implemented the February 2015 ‘Shoplift Patch’, or the patch was implemented after they were compromised.

While Magento stopped short of calling the exploit a malware keylogger or even a spyware keylogger, it confirmed that the JavaScript exploit siphoned credit card information to an external website.

As a result, Magento has moved to remind all of its merchants to regularly implement patches as a part of its “security best practices”, highlighting the incident as a stark reminder to do so.

Further, Magento detailed how merchants can determine whether their website has been exploited by the Java keylogger malware.

First, admins are advised to open the site’s main page, view its page source, and search for the following strings:

  • eval(atob(
  • regexp("checkout
  • Regexp('checkout
  • Regexp("onepage
  • Regexp('onepage
  • Regexp("onestep
  • Regexp('onestep

The discovery of even a single string means that the website is compromised.

From here, Magento recommends a simple list of instructions to patch a compromised website:

  • Scan your site with a tool like magereport.com
  • Apply all patches
  • Check for any unknown files in the system
  • Review and remove all unknown admin accounts
  • Change all remaining admin passwords to strong ones (e.g., they should be long, and include symbols, upper and lower case letters, and numbers)
  • Follow best practices outlined in the Magento User Guide
  • Review the following sections in the Admin configuration for suspicious code. Remove any suspicious code found.
      • Configuration->General->Design->HTML Head->Miscellaneous Scripts
      • Configuration->General->Design->Footer->Miscellaneous HTML
  • Check for existence of the following files on the server. Review server log files for incoming connections to the following URLs. If found, the site is fully compromised and needs a developer to fix it. Those files are used to collect or transfer stolen card numbers:
      • /downloader/Maged/Maged.php
      • /downloader/cache.php
      • /jquery.php
      • /jquery.pl
      • /css.php
      • /opp.php
      • /xrc.php
      • /order.php
      • /jquerys.php
      • /var/extendware/system/licenses/encoder/mage_ajax.php

Note: we have also noticed /js/index.php, a native Magento file, being used to collect stolen information. Make sure to review this file and compare with original.
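As an added example (not code from Magento or LIFARS), the two checks above can be automated: one function searches saved page source for the indicator strings, the other scans web-server access log lines for requests to the collector file paths. The indicator list and paths are taken from the text; the sample page source and log lines are constructed for illustration.

```python
"""Added example: scan page source and access logs for the Magento skimmer
indicators listed in the advisory summarised above."""
import re
from typing import List, Tuple

# Strings merchants were told to search for in the checkout page source.
PAGE_SOURCE_INDICATORS = [
    "eval(atob(",
    'regexp("checkout', "regexp('checkout",
    'regexp("onepage', "regexp('onepage",
    'regexp("onestep', "regexp('onestep",
]

# Collector / transfer files named in the advisory.
SUSPICIOUS_PATHS = [
    "/downloader/Maged/Maged.php", "/downloader/cache.php", "/jquery.php",
    "/jquery.pl", "/css.php", "/opp.php", "/xrc.php", "/order.php",
    "/jquerys.php", "/var/extendware/system/licenses/encoder/mage_ajax.php",
]


def scan_page_source(html: str) -> List[str]:
    """Return the indicator strings found in the page source. Matching is
    case-insensitive because the advisory lists both regexp( and Regexp(."""
    lowered = html.lower()
    return [s for s in PAGE_SOURCE_INDICATORS if s.lower() in lowered]


# Request line of a common/combined log entry: "METHOD /path HTTP/x.y"
_REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>[^ ?"]+)')


def scan_access_log(lines) -> List[Tuple[int, str]]:
    """Return (line_number, path) for every request to a suspicious path."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST_RE.search(line)
        if m and m.group("path") in SUSPICIOUS_PATHS:
            hits.append((n, m.group("path")))
    return hits


if __name__ == "__main__":
    # Constructed sample: an obfuscated loader keyed to the onepage checkout.
    sample_html = '<script>eval(atob("Li4u"));new RegExp("onepage").test(location.href);</script>'
    print(scan_page_source(sample_html))   # ['eval(atob(', 'regexp("onepage']
    # Constructed Apache combined-format log lines.
    sample_log = [
        '203.0.113.5 - - [09/Dec/2016:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
        '203.0.113.7 - - [09/Dec/2016:10:00:01 +0000] "POST /jquery.php HTTP/1.1" 200 12',
    ]
    print(scan_access_log(sample_log))     # [(2, '/jquery.php')]
```

A hit from either function should be treated as the advisory says: the site is compromised and the full clean-up list applies, not just removal of the matched script.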

The complete report by Magento’s security team can be found here.

Image credit: Pexels.

About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.