Security researchers at Sucuri uncovered a sophisticated attack on a Magento e-commerce site where attackers abused a swap file to maintain a persistent credit card skimmer.
This innovative tactic allowed the malware to survive multiple cleanup attempts, revealing the lengths to which cybercriminals will go to steal sensitive information.
Uncovering the skimmer
The investigation began when Sucuri analysts identified suspicious behavior on the website's checkout page. A script buried deep in the page source exhibited typical malware characteristics such as base64-encoded variables and hex-encoded strings. Once decoded, the script was found to be capturing credit card details entered by customers.
The malicious script activated when the checkout button was clicked, using a querySelectorAll function to gather data from the credit card form. It collected sensitive information, including names, addresses, and card numbers, which were then sent to a domain named amazon-analytic[.]com, registered by the attackers in February 2024.
Sucuri
Further investigation led to the Magento app/bootstrap.php file, which had been completely replaced with a malicious version. Decoding this file revealed the same script found in the checkout page, along with a curl function for exfiltrating data. The attackers used an ob_filter_callback function to inject the skimmer script into pages containing the keyword “checkout.”
Persistence via the swap file
Despite replacing the infected bootstrap.php file and clearing caches, the malware persisted. Interestingly, the file appeared clean when viewed directly via SSH, yet still showed signs of infection during scans. This paradoxical situation indicated the presence of what the researchers termed “Schrodinger's malware.”
The breakthrough came when analysts noticed a reference to a swapme file. Upon deeper investigation using the vi command, they discovered a hidden swap file containing the malicious script. This swap file, created during file edits via SSH, allowed the malware to evade detection and reinfect the site.
To mitigate risks that arise from swap file manipulation, website administrators should:
- Restrict sFTP, SSH, FTP, and CPanel access to trusted IPs.
- Use website firewalls to prevent unauthorized access to admin panels.
- Regularly update CMS, plugins, and modules to patch vulnerabilities.
Consumers can protect themselves from skimmers by preferring electronic payment methods instead of using their credit/debit cards, or use private cards with predefined expenditure limits.
Also, buy products only from reputable e-shops that monitor their website file integrity and are more likely to uproot any injected skimmers quickly.
Los Angeles Superior Court Shuts Down After Ransomware Attack
Leave a Reply