Thousands of Magento Stores Still Infected with Keyloggers

Posted on the 23rd November 2015

More than 3,500 Magento-powered online stores are infected with a server-side keylogger that steals customer credit card details and passes them on to servers owned by a third party. The keylogger campaign has been going on for several months, and has yet to be fully eradicated.

According to, the first signs of the campaign became noticeable at the end of April of this year. The attackers have used a piece of JavaScript code which they were able to inject into the databases of a number of stores using a security vulnerability. When a customer visits the checkout page of an infected store, the JavaScript code will then log all data that the user enters, as they enter it. The user will be completely unaware of this happening, since the information is submitted via AJAX to servers, including one on a domain called ‘’.

Magento Only

At present, the attacks are only happening on Magento websites; other shopping carts have not been targeted. Magento issued a patch as soon as the vulnerability was discovered, but there are thousands of store owners who have not yet installed the patch, and they are, essentially, to blame for the problems.

Magento users are being urged to check whether or not their stores are patched up to date, and to look at their checkout pages to determine whether they contain the malicious code. The sheer number of stores that have been compromised has led security experts to suspect that there has been an automation tool used to discover and exploit as many stores as possible. This is not something that is the work of a few ‘script kiddies’ acting independently, but rather a large-scale operation.

The attack has gone undiscovered because of the lack of knowledge relating to the exploit, and also the number of users of Magento Community Edition who simply do not have the confidence to update their websites.

If you have not yet updated your website, and you are concerned that you will end up suffering from data loss or unnecessary downtime when you do, think for a moment about how much damage credit card information leaks would do to your brand. It is better to invest an afternoon into having an experienced webmaster update your website for you than it is to take chances with the security of your customers’ personal and financial data.

If you want to talk to Radweb about fixing or protecting your store, get in touch.