Security researchers at Sucuri are still investigating the attack vector, but they believe that cyber criminals are injecting malicious code into a Magento core file or a widely used module/extension in order to steal payment card data.
Back in April, a critical remote code execution flaw in Magento allowed hackers to fully compromise any online store powered by Magento and thereby gain access to credit card data and other financial and personal information belonging to its customers.
Credit Card Stealers?
Now Sucuri senior malware researcher Peter Gramantik has found an attack script that pilfers the content of every POST request, identifies valuable payment card data in it, and stores that data in an encrypted form that only the attacker can decrypt.
Moreover, to evade detection, the attack tool includes a small purge function that wipes its tracks and masks user agents.
"The sad part is that you will not know it's affecting you until it's too late," Gramantik wrote in a blog post, "in the worst cases it will not become apparent until they appear on your bank statements."
Gramantik says he detected several slightly different variants, but the inclusion of a PUBLIC_KEY variable suggests that the same malware author is behind a whole family of credit card stealers.
The attackers store the stolen billing information in a fake image file whose path is defined at the beginning of the script. To make that file look innocuous, they also modify its creation timestamp and prepend a fake JPEG header.
What's clever about this method?
As a result, if anyone loads this "image" file in a web browser, "all the visitor would see is the broken image" and nothing more.
The crook, however, can download the complete "image" file and decrypt the stolen data: the script encrypts it with the embedded public key, so only the holder of the matching private key can read it, and the attacker thereby siphons off all the billing information processed by the Magento e-commerce website.
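The stash described above has two tells a defender can check for: a JPEG header that is not followed by a valid JPEG marker chain (the bytes after the pasted-on header are ciphertext, not image segments), and a modification time that has been pushed into the past. The second check relies on the fact that on Linux and macOS a file's mtime can be backdated with touch or utime() but its ctime (inode change time) cannot be set from user space, so a large gap between the two is itself a sign of tampering. The following scanner is an added example written for this article, not Sucuri's script or any code from the Magento project; the sample files it writes (a minimal JPEG and a header-plus-base64 stash with a backdated mtime), the file names, and the one-hour skew threshold are all constructed for the demonstration.

```python
import base64
import os
import tempfile
import time

# Constructed sample: a structurally minimal JPEG (SOI, APP0/JFIF, SOS, two
# bytes of entropy-coded data, EOI). Not a decodable picture, but the marker
# chain is well-formed, which is all the check below looks at.
SAMPLE_REAL_JPEG = (
    b"\xff\xd8"                                          # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")              # APP0, segment length 16
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"    # JFIF payload (14 bytes)
    + b"\xff\xda" + (8).to_bytes(2, "big")               # SOS, segment length 8
    + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34"                                        # entropy-coded data
    + b"\xff\xd9"                                        # EOI
)

# Constructed sample of the stash file the article describes: the SOI + APP0
# header (first 20 bytes above) pasted in front of a blob standing in for the
# base64-encoded ciphertext. No real card data or real encryption is involved.
SAMPLE_FAKE_JPEG = SAMPLE_REAL_JPEG[:20] + base64.b64encode(
    b"\x00" * 48 + b"placeholder for encrypted POST data"
)


def jpeg_structure_ok(data: bytes) -> bool:
    """Walk the JPEG marker chain from SOI to SOS and require a trailing EOI.
    A pasted-on header followed by ciphertext fails at the first byte that
    should be a 0xFF marker prefix but is payload instead."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return False                          # expected a marker, found payload
        marker = data[i + 1]
        if marker == 0xDA:                        # SOS: entropy data runs to EOI
            return data.endswith(b"\xff\xd9")
        if 0xD0 <= marker <= 0xD9 or marker == 0x01:
            i += 2                                # standalone markers carry no length
            continue
        seg_len = int.from_bytes(data[i + 2:i + 4], "big")
        if seg_len < 2:
            return False
        i += 2 + seg_len
    return False


def timestamp_skew(path: str) -> float:
    """Seconds by which ctime is ahead of mtime. On Linux/macOS a backdated
    mtime leaves ctime at the real time of the change, so a large positive
    value points at a faked timestamp. (On Windows st_ctime is the creation
    time and this heuristic does not apply.)"""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime


def scan_for_fake_images(root: str, skew_threshold: float = 3600.0) -> dict:
    """Return {path: [reasons]} for .jpg/.jpeg files under root that look like
    a data stash rather than a picture. skew_threshold is an assumed value."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".jpg", ".jpeg")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if not jpeg_structure_ok(data):
                reasons.append("jpeg header not followed by a valid marker chain")
            if timestamp_skew(path) > skew_threshold:
                reasons.append("mtime backdated relative to ctime")
            if reasons:
                findings[path] = reasons
    return findings


def build_sample_tree(root: str) -> None:
    """Write the constructed samples: a legitimate-looking logo and a stash
    file whose mtime has been pushed back a year, as the article describes."""
    media = os.path.join(root, "media")
    os.makedirs(media, exist_ok=True)
    with open(os.path.join(media, "logo.jpg"), "wb") as fh:
        fh.write(SAMPLE_REAL_JPEG)
    stash = os.path.join(media, "hidden.jpg")
    with open(stash, "wb") as fh:
        fh.write(SAMPLE_FAKE_JPEG)
    year_ago = time.time() - 365 * 86400
    os.utime(stash, (year_ago, year_ago))         # fake the timestamp; ctime stays "now"


def demo() -> dict:
    """Build the sample tree in a temp dir and return findings keyed by file name."""
    root = tempfile.mkdtemp(prefix="magento-scan-")
    build_sample_tree(root)
    return {os.path.basename(p): r for p, r in scan_for_fake_images(root).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Run against a real store, point scan_for_fake_images at the Magento document root (the media and skin directories are the usual places a writable "image" ends up). The structural check is the reliable one; treat the timestamp skew as corroboration only, since a legitimate deploy that restores files with their original mtimes also produces a gap between ctime and mtime.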
With many of the e-commerce websites in the Alexa top one million running it, Magento has become a valuable target for attackers. Two months ago, cyber criminals were found tampering with legitimate Magento e-commerce websites so that the credit card details customers submitted during checkout were sent to a third-party site controlled by the attackers.