Credit Card Skimmer Malware Uncovered: Targeting Magento Checkout Pages
Magento, a leading eCommerce platform, has once again become the target of sophisticated cybercriminal tactics. Security Analyst Puja Srivastava, from Sucuri, recently reported on a malicious JavaScript injection that compromises Magento-powered websites. This new malware operates stealthily, targeting checkout pages to exfiltrate sensitive payment information.
The malware dynamically injects a fake credit card form or directly hijacks existing payment fields on checkout pages, making detection exceptionally challenging. “This sophisticated skimmer targets Magento checkout pages to steal sensitive payment data, either by injecting fake forms or extracting live input fields,” Srivastava notes. This dynamic activation ensures the malicious script remains dormant on non-critical pages, avoiding unnecessary detection.
Discovered by Weston Henry during a routine inspection using Sucuri’s SiteCheck, the malware employs advanced obfuscation techniques. The investigation uncovered the malicious code in two primary locations:
- A frontend XML file: ./app/design/frontend/Magento/[Redacted]/Magento_Theme/layout/default.xml
- The database table: core_config_data
The infected script is programmed to activate on URLs containing the word “checkout” while excluding “cart,” exemplifying the attackers’ precision.
Once activated, the script siphons sensitive details such as credit card numbers, customer names, addresses, and billing data using Magento’s APIs. The stolen information undergoes multiple layers of encryption:
- Encoded as JSON
- XOR-encrypted with the key script
- Base64-encoded for secure transmission
The encrypted payload is sent to a remote server at staticfonts.com using a beaconing technique. This stealthy method, often used by legitimate tools, makes the malware harder to detect.
The attackers utilized domains such as dynamicopenfonts.app and staticfonts.com, two of which are already flagged on VirusTotal. As of the latest analysis, eight websites have been infected, showcasing the campaign’s active and ongoing nature.
Srivastava recommends, “Regular security audits, monitoring unusual activity, and deploying a robust WAF are crucial to protect your eCommerce platform.” Businesses are also advised to stay vigilant by monitoring for unauthorized changes and regularly updating their platforms to mitigate vulnerabilities.
