Researchers from Sucuri, a company that specializes in securing websites, said the attackers can collect any data submitted by a user to Magento but carefully filter out anything that doesn't look like credit card data.
The attackers are injecting their malicious code into Magento, but it's still unclear how that process happens, wrote Peter Gramantik, a senior malware researcher with Sucuri.
"It seems though that the attacker is exploiting a vulnerability in Magento core or some widely used module/extension," he wrote.
All POST requests are collected, but rules within the attack script retain only payment card information.
"If the structure of the POST parameters match, the attacker stores them all -- nothing more, but nothing less," Gramantik wrote. "They've got all the billing details processed by the infected site."
The stolen data is then encrypted using a public encryption key that is included in the malicious script. It is then saved in a fake image file.
If someone were to try to load the image, it wouldn't be displayed, he wrote. But the attacker can download and decrypt the fake image file, revealing the payment card details.
"Now they have all the billing information processed by the Magento e-commerce website," he wrote. "It's all nicely packed, formatted and collected."
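A defender's check for the fake image file described above, as an added example that is not from Sucuri's write-up: it walks a web root and flags files that carry an image extension but do not begin with a JPEG, PNG or GIF header. The function names, the extension list and the sample files are assumptions constructed for illustration; the article does not say which extension the attackers use.

```python
import os
import tempfile

# Leading magic bytes for common web image formats.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def is_fake_image(path):
    """Return True if the file has an image extension but no matching header."""
    ext = os.path.splitext(path)[1].lower()
    signatures = MAGIC.get(ext)
    if signatures is None:
        return False  # not an extension this check covers
    with open(path, "rb") as fh:
        head = fh.read(16)
    return not any(head.startswith(sig) for sig in signatures)

def find_fake_images(root):
    """Walk root and return sorted paths of image-named files that are not images."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_fake_image(path):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)

def demo():
    """Build a constructed sample tree, scan it, return flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        media = os.path.join(root, "media")
        os.makedirs(media)
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,   # constructed: valid PNG header
            "banner.gif": b"GIF89a" + b"\x00" * 32,            # constructed: valid GIF header
            "thumb.jpg": b"\x8f\x1c\x02\xa7" * 16,             # constructed: opaque bytes
        }
        for name, data in samples.items():
            with open(os.path.join(media, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_fake_images(root)]

if __name__ == "__main__":
    print(demo())
```

A flagged file is a lead for review, not proof of compromise; a file that grows between scans inside a directory the web server can write to deserves the closest look.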
eBay could not be immediately reached for comment.
Sucuri also found an example of a less-sophisticated but no less effective way to steal data from Magento.
In that example, attack code is injected into Magento's Checkout Module. It collects payment card data before a transaction is processed. The data is then emailed in plain text to the attacker's account.
Those behind the method seem to be intimately familiar with how Magento works, Gramantik wrote. "The attacker knows how the module works and the code it's built on; all he needed to do was use the module's own variable in which all the sensitive data is stored unprotected."
Sucuri has seen variations of this attack before. In April, Sucuri's Denis Sinegubko outlined where hackers see opportunity within Magento. Most websites using the platform have a checkout form where customers enter their credit card details.
Magento then encrypts that data and either saves it or sends it to a payment gateway to complete the transaction, but there is "a very short period of time when Magento handles sensitive customer information in an unencrypted format," Sinegubko wrote in a blog post.
Sinegubko wrote that's a fine method unless hackers find a way to grab the information before it's encrypted.