Attackers Targeting Magento For Credit Card Details

Posted on the 21st March 2017

Attackers are still focusing their efforts on Magento, the ecommerce platform, as a way of obtaining credit card information from shoppers. The latest attack is a malicious function that has been embedded into one of the platform’s modules, so that it can be used to steal credit card information.

The code was injected into one of the script files for SF9 Realex, which stores credit card data for the one-click checkout that is used by repeat customers. The module can interact with the Realex RealAuth Remote and Redirect features, which are popular solutions amongst Magento store owners.

The ‘sendCCNumber()’ function is used to reroute credit card information that the customer enters into a Magento storefront, and send it to an attacker’s email address. The data is JSON encoded and sent to the attacker’s inbox, and the victim is unaware that anything untoward has happened.

The attacker then uses binlist.net to find out the bank that the card is associated with, so that it can start using the details.

Attackers are going to greater and greater lengths to obtain card data, especially with ecommerce platforms such as Magento. Right now, it may feel like Magento card thefts are scarily common, but the fact is that the attackers could be going for any platform. It is important to remember that Magento is not inherently insecure – rather, it is simply one of the industry standard platforms, so it is natural that there would be more attacks targeting it.

The vulnerability is not with Magento itself. Attackers are using a different vulnerability in the website where the platform is being hosted, and they then inject the script and use it to take over SF9 Realex. There are also other man in the middle attacks in operation, and even methods for scraping credit card details using publicly viewable image files to anonymously get access to the information.

Researchers are working with RiskIQ to monitor attacks such as the ones that have been uncovered recently. The company said that the attacks appear to be originating from a single hacking group, which is not just targeting Magento, but other ecommerce platforms such as OpenCart and Powerfront CMS, in particular with web-based keyloggers. It is important that you keep updating your website every time there is an update – especially a SUPEE security patch for Magento, but plugin updates as well. These updates will help you to keep your site safe and secure.