Decrypt LOL
Malicious JavaScript Targets Magento eCommerce Websites

Quick take - A new malware threat targeting Magento eCommerce websites has been identified, involving malicious JavaScript injections that extract sensitive customer information during the checkout process, prompting cybersecurity experts to recommend enhanced security measures to mitigate risks.

Fast Facts

  • Magento websites are increasingly targeted by cybercriminals due to their handling of sensitive customer data, with a new threat involving malicious JavaScript injections.
  • The malware creates fake credit card forms on checkout pages to capture critical customer information, identified by security researcher Weston Henry during an investigation.
  • It employs advanced obfuscation techniques and has been linked to two malicious domains, dynamicopenfonts.app and staticfonts.com, which are flagged on VirusTotal’s blocklist.
  • Eight websites have been confirmed infected, with the malware extracting sensitive data such as credit card details, names, and addresses and transmitting it to a remote server in XOR-encrypted, Base64-encoded form.
  • Cybersecurity experts recommend regular security audits, robust Web Application Firewalls, and proactive measures to mitigate risks and protect customer data on eCommerce platforms.

Magento Websites Targeted by New Malware Threat

Magento websites have become a focal point for cybercriminals, primarily due to their extensive use in eCommerce and the sensitive customer data they manage. A new threat has emerged involving a malicious JavaScript injection targeting these sites.

Details of the Malware

This malware is specifically designed to compromise Magento platforms by creating fake credit card forms or extracting payment fields. It activates exclusively on checkout pages to capture critical customer information. Security researcher Weston Henry first identified the malware during a routine investigation, revealing a sophisticated infection that combines both filesystem and database malware. The malware employs advanced obfuscation techniques, demonstrating a notable ability to evade detection.

Two domains, dynamicopenfonts.app and staticfonts.com, have been linked to this malicious activity. These domains have been flagged on VirusTotal’s blocklist, indicating their association with malicious operations. As of the latest reports, eight websites have been confirmed to be infected with this malware.

The malicious script was detected during a routine inspection with Sucuri’s SiteCheck tool, which identified a resource loaded from the blocklisted domain dynamicopenfonts.app. The script was found in two locations: inside an XML file and in the database table core_config_data. In the XML file the malicious code is embedded within a layout directive and loads a JavaScript resource just before the closing tag, so it is fetched on every page that uses that layout.

Activation and Data Theft

The malware activates on URLs containing the term “checkout” while excluding those containing “cart.” Once active, it extracts credit card details and additional user data, including names, addresses, emails, phone numbers, and billing details. The stolen data is collected through Magento’s own APIs, encoded as JSON, XOR-encrypted with the key ‘script’, and Base64-encoded for transmission. (A fixed-key XOR is obfuscation rather than cryptographic encryption, but it is enough to defeat naive pattern matching on the outbound request.) The encoded payload is sent to a remote server at staticfonts.com using a beaconing technique, so the data leaves the user’s device silently and without their awareness.

The dynamic nature of the malware, coupled with its encryption methods, complicates detection efforts, making it a significant concern for eCommerce platforms.

Recommendations for Mitigation

To mitigate the risks associated with such threats, cybersecurity experts recommend regular security audits and vigilant monitoring for unusual activity. The deployment of robust Web Application Firewalls (WAFs) is also advised. Additional remediation steps include ensuring that all software is kept up-to-date to guard against vulnerabilities in outdated plugins and themes.

Reviewing admin accounts for validity and enforcing strong password practices are also crucial. File integrity monitoring can detect unauthorized changes to theme and layout files, while a website firewall blocks known-malicious traffic.

Puja Srivastava, a Security Analyst with over seven years of experience, emphasizes proactive measures, highlighting the importance of malware detection and remediation to protect sensitive customer data on eCommerce platforms.

Original Source: Read the Full Article Here
