December 9, 2016 by

Java Keylogger Malware Puts Online Shoppers at Risk

An exploit that forwards credit card details from checkout pages stems from a JavaScript keylogger malware, researchers have discovered. The credit card information is stolen from online checkout forms commonly found on shopping websites. Several dozen websites have been compromised, according to conservative estimates.

Websites running Magento's open-source ecommerce platform have been compromised by malware that forwards credit card details to attackers in real time.

A blog post by Magento Commerce claims that attackers are “likely using” admin privileges or access to a targeted website’s database to implement the exploit. While Magento confirmed the exploit of websites powered by its commerce toolkit, it pointed the finger at websites that hadn’t implemented a February 2015 patch for falling prey to the malware.

An excerpt from the blog read:

No new attack vector has been identified and it appears most impacted sites have not implemented the February 2015 ‘Shoplift Patch’, or the patch was implemented after they were compromised.

While stopping short of addressing the exploit as a malware keylogger or even a spyware keylogger, Magento confirmed that the JavaScript exploit siphoned credit card information over to an external website.

As a result, Magento has moved to remind all of its merchants to regularly implement patches as a part of its “security best practices”, highlighting the incident as a stark reminder to do so.

Further, Magento detailed how merchants can determine if their website has been exploited by the JavaScript keylogger malware.

First, admins are advised to open the main page and view the page source, then search for the following strings.

The discovery of even a single string means that the website is compromised.

From here, Magento recommends a simple list of instructions to patch a compromised website:

  • Scan your site with a tool like
  • Apply all patches
  • Check for any unknown files in the system
  • Review and remove all unknown admin accounts
  • Change all remaining admin passwords to strong ones (e.g., they should be long, and include symbols, upper and lower case letters, and numbers)
  • Follow best practices outlined in the Magento User Guide 
  • Review the following sections in the Admin configuration for suspicious code. Remove any suspicious code found.
      • Configuration->General->Design->HTML Head->Miscellaneous Scripts
      • Configuration->General->Design->Footer->Miscellaneous HTML
  • Check for existence of the following files on the server. Review server log files for incoming connections to the following URLs. If found, the site is fully compromised and needs a developer to fix it. Those files are used to collect or transfer stolen card numbers:
      • /downloader/Maged/Maged.php
      • /downloader/cache.php
      • /jquery.php
      • /
      • /css.php
      • /opp.php
      • /xrc.php
      • /order.php
      • /jquerys.php
      • /var/extendware/system/licenses/encoder/mage_ajax.php

Note: we have also noticed /js/index.php, a native Magento file, being used to collect stolen information. Make sure to review this file and compare with original.
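
The file and log check from the last step can be scripted as follows. This is an added example, not code from Magento's report; the function names, the web-root argument and the Combined Log Format access log are assumptions, and the sample log lines are constructed.

```python
import re
from pathlib import Path

# Paths listed in the article (the truncated "/" entry is omitted).
# /js/index.php is a native Magento file: diff it against a clean copy instead.
IOC_PATHS = [
    "/downloader/Maged/Maged.php",
    "/downloader/cache.php",
    "/jquery.php",
    "/css.php",
    "/opp.php",
    "/xrc.php",
    "/order.php",
    "/jquerys.php",
    "/var/extendware/system/licenses/encoder/mage_ajax.php",
]

# Request field of a Common/Combined Log Format entry: "METHOD /path HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

def find_ioc_files(webroot):
    """Return the listed paths that exist as files under the web root."""
    root = Path(webroot)
    return [p for p in IOC_PATHS if (root / p.lstrip("/")).is_file()]

def find_ioc_requests(log_lines):
    """Return (line_number, path) for each request that targets a listed path."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # Drop the query string and collapse repeated slashes before comparing.
        path = re.sub(r"/+", "/", m.group(1).split("?", 1)[0])
        if path in IOC_PATHS:
            hits.append((n, path))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Dec/2016:10:01:02 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [09/Dec/2016:10:01:09 +0000] "POST /opp.php?x=1 HTTP/1.1" 200 12',
    '198.51.100.23 - - [09/Dec/2016:10:02:44 +0000] "GET //downloader/cache.php HTTP/1.1" 200 48',
    '203.0.113.7 - - [09/Dec/2016:10:03:00 +0000] "GET /js/jquery.php.bak HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(find_ioc_files("."), find_ioc_requests(SAMPLE_LOG))
```

Any hit from either function means the site should be treated as fully compromised, as the list above states.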

The complete report by Magento’s security team can be found here.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.