Morning Read: Credit Card Scrapers Continue to Target Magento

Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.

Today’s Morning Read is a post from Sucuri focused on credit card scrapers found in Magento. Here’s a link:

Overview

In this post, Bruno over at Sucuri discusses a recent case where they found malicious code injected into the Magento payment module SF9 Realex. During analysis, the team discovered malicious code within the SF9 Realex PHP that captured credit card data, performed a lookup of the IIN (also called the BIN), and then emailed the stolen data to the attackers. The code for this was found in a function called sendCcNumber(). Sample code below:

Sample code from https://blog.sucuri.net/2017/03/sf9-realex-magento-module-targeted-by-credit-card-scrapers.html.

Highlights

  • “The malicious function had been injected after the website was compromised through a different vulnerability, therefore the component itself (SF9 Realex) wasn’t the source of the problem.” ← the article doesn’t discuss the entry point, but it may have been a well-known and documented vulnerability. Patch, patch, patch!
  • Code is injected to email stolen payment card data to the attackers. This is a big difference from a majority of POS malware (save one or two families), in that data is not batched and retrieved; instead, it is sent on demand.
  • Attackers are using binlist[.]net to retrieve IIN (formerly BIN) information. I find it interesting that the attackers are looking this information up from the infected system — especially given it’s something they could look up offline. However, it does provide an extra indicator that could be used to look through network logs.

I wonder if this Tweet had anything to do with Magento lookups:

Suggestions for Analysts

Almost everyone involved in DFIR in the past few years has worked some kind of Magento case. These types of articles provide a solid list of indicators that can be used to find some low-hanging Magento fruit — especially in the event of suspected credit card fraud.

For those who are protecting environments running Magento, you unfortunately have to remain extremely diligent. Magento is a hot topic for a lot of attackers right now, especially as they are finding new ways to inject code and steal data. A few thoughts for Magento admins:

  • Make sure to audit your logs. And ensure that logs are being shipped/kept somewhere!
  • Even if your environment doesn’t process the card itself, it may still hold the code that steals the card.
  • Put source code management mechanisms in place: implement some type of version control, or take hashes of production environments. This will help find malicious code REAL QUICK if a breach takes place.
  • Look for traffic that seems irregular. Pulling from today’s article, you could look for things such as frequent activity to binlist[.]net or a high frequency of PHP mail being sent out of the environment. The latter may be normal for e-commerce sites, so make sure to baseline before going crazy.
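As an added example of the “take hashes of production environments” suggestion (this is not code from the Sucuri post or from Magento), the script below baselines SHA-256 digests of the PHP/JS files in a webroot and later diffs a fresh snapshot to surface modified, added and removed files. The directory layout, file names and contents are constructed for the demo; the module path is hypothetical and only stands in for an extension such as SF9 Realex.

```python
"""Baseline-and-diff file integrity check for a Magento webroot (added example)."""
import hashlib
import tempfile
from pathlib import Path

# File types where injected skimmer code usually lands (assumption for this example).
WATCHED_EXTS = {".php", ".phtml", ".js"}


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every watched file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_EXTS:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare a stored baseline against a fresh snapshot of the same tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: clean deploy, then an edited module and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        module = root / "app/code/community/Example/Gateway/Model"  # hypothetical path
        module.mkdir(parents=True)
        (module / "Payment.php").write_text("<?php\nclass Example_Payment {}\n")
        (root / "index.php").write_text("<?php\nrequire 'app/Mage.php';\n")
        baseline = hash_tree(root)  # take at deploy time; store the result off-host
        # Constructed post-incident state: module appended to, extra PHP file dropped.
        with (module / "Payment.php").open("a") as fh:
            fh.write("// constructed tamper marker\n")
        (root / "media").mkdir()
        (root / "media/cache.php").write_text("<?php // constructed dropped file\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

Store the baseline JSON somewhere the web server cannot write to, and re-run the diff on a schedule or from your CI pipeline so any unexpected change stands out immediately.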

Until tomorrow!