Visbot malware found on 6691 stores [analysis]
Visbot does what you would expect from any self-respecting malware: steal customer data and credit cards (aka skimming). And it is not even new: the first case was documented as early as March 2015. But getting out of the shadows did not stop it from spreading. Today I found active Visbot skimming on 6691 online stores.
How’s that possible? Contrary to other skimming malware, Visbot nestles itself in code running on the server. This makes it harder to detect from the outside, as the malware operates completely invisible for anyone but the store owner. And many store owners are not equipped to detect these security breaches.
How Visbot works
For devs, here’s a beautified copy
Visbot injects itself into existing site code. It stays dormant until it detects that data was entered by store visitors (an order or a password). Submitted data is then encrypted and saved to a fake image file. This “image” is then later retrieved by the perpetrator and - presumably - sold on the black market.
- Stores usually have a gazillion images, so fetching an odd one is hardly suspicious.
- Encryption ensures competing thieves cannot use the valuable payload.
I hear you ask, “how can you be sure that Visbot exists on all these stores? If it is so well hidden?” Here comes the crux: the Visbot author added a feature so s/he could detect whether the money machine is still running. If you send a specific code (a “password”) to an infected store, it will say:
If you know how to use a terminal, try it right now:
curl -LH 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;firstname.lastname@example.org)' \ http://your-site.com
For everyone else, I’ve added an online check to MageReport.com
In the last week, I found Visbot activity from servers in Sweden (126.96.36.199), Ukraine (188.8.131.52) and Germany (184.108.40.206).
Private data is stored in somewhat random image files. So far I have seen these filenames used:
bkg_btn-close2_bg.gif btn_back_bg_bg.gif btn_cancel_bg_bg.gif left_button_back.gif mage.jpg nav1_off_bg.gif notice-msg_bg.png section_menu_link_bg_bg.gif sort-arrow-down_bg.png
The public key used to encrypt the stole data is included in the malware, but the private key is not. Until it surfaces, it is not possible to decrypt the contents.
I have sent the list of malware-ridden stores to the authorities and major providers, so they can contact owners and agencies to fix skimming stores.
Are you a consumer?
- Never enter your payment details on a site other than your bank or Paypal.
- Assume that anything you do on the Internet, will be hacked and revealed one day.
Are you a merchant?
- Test your store periodically at MageReport.com
- Outsource technical maintenance to a specialized agency
- Agree on a fixed-hour support contract, so that your agency does not have to wait for your approval to perform critical maintenance.
- Software requires maintenance and maintenance is costly. A standard store requires typically 10-30 developer hours ($1k-$3k) per year, just for upkeep.
Are you an agency or sysadmin?
- Implement filters to protect your sites against common attacks (Shoplift, Bruteforce) or pick a provider that does this
- Implement periodic malware scanning. You could use my malware collection to scan for Visbot and much other crap. If you find new signatures, please submit a PR.
- Use version control (git) to detect unauthorized changes of your code
- Make periodic database dumps and check for changes to html header/footer includes.
People reporting Visbot cases: