Magento stores targeted by self-healing malware that steals credit card details

Moral of the story: database analysis is your friend.

Magento stores targeted by self-healing malware that steals credit card details

A newly discovered malware attack manages to restore itself in its ongoing campaign against Magento-powered online stores.

Discovered by Magento/PHP developer Jeroen Boersma, the malware lies in wait until a user places an order on an infected website. It then executes itself before Magento, which is written in PHP, has a chance to assemble the webpage.

To set the record straight, this malware isn't the first program that has targeted Magento websites. There are lots of examples of JavaScript-based malware that compromise online purchases by injecting themselves into the header and footer HTML definitions in a database. Fortunately, researchers can easily remove these malicious samples by cleaning those records.

But this malware is something different.

Willem de Groot, co-founder at Byte BV, told Bleeping Computer as much:

"Malware was stored in [databases] before, but only as text. You could scan a dump of your database and know whether it contains malicious stuff. But now, the actual malware is executed inside the DB. This is the first time I see malware written in SQL. Previously, malware was written in JS or PHP."

Infection occurs when attackers brute force a shop's /rss/catalog/notifystock/ URL. Once the malware has successfully installed itself, it executes a SQL query to check for its code in the header, footer, copyright, and Magento CMS blocks. If it doesn't find anything, the malware reasserts itself by re-inserting its code.

At that point, the malware makes off with a customer's credit card information.

Database trigger

De Groot is troubled by this development. He feels there's only one solution. As he explains in a blog post:

"This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis."

To protect against this malware, site administrators should search their Magento shop for triggers that contain suspicious SQL code like admin, js, script, or the <> HTML tags. If they find anything suspicious, they can delete it using this code:

echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console

Admins could also use the MageReport and Willem de Groot's Malware Scanner tools to help detect and block the malware.

Tags: , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Vanja Svajcer, and Carole Theriault.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Listen now

Subscribe to the free GCHQ newsletter

, ,

Leave a reply

1 Comment on "Magento stores targeted by self-healing malware that steals credit card details"

Notify of
avatar
Sort by:   newest | oldest | most voted
Michael Ponzani
Visitor
Michael Ponzani

Duckduckgo also has a little security tip newsletter. Its interesting and very short

wpDiscuz