Magento stores targeted by self-healing malware that steals credit card details

Moral of the story: database analysis is your friend.

David Bisson


A newly discovered malware attack manages to restore itself in its ongoing campaign against Magento-powered online stores.

Discovered by Magento/PHP developer Jeroen Boersma, the malware lies in wait until a user places an order on an infected website. It then executes itself before Magento, which is written in PHP, has a chance to assemble the webpage.

To set the record straight, this malware isn’t the first program that has targeted Magento websites. There are lots of examples of JavaScript-based malware that compromise online purchases by injecting themselves into the header and footer HTML definitions in a database. Fortunately, researchers can easily remove these malicious samples by cleaning those records.


But this malware is something different.

Willem de Groot, co-founder at Byte BV, told Bleeping Computer as much:

“Malware was stored in [databases] before, but only as text. You could scan a dump of your database and know whether it contains malicious stuff. But now, the actual malware is executed inside the DB. This is the first time I see malware written in SQL. Previously, malware was written in JS or PHP.”

Infection occurs when attackers brute force a shop’s /rss/catalog/notifystock/ URL. Once the malware has successfully installed itself, it executes a SQL query to check for its code in the header, footer, copyright, and Magento CMS blocks. If it doesn’t find anything, the malware reasserts itself by re-inserting its code.

At that point, the malware makes off with a customer’s credit card information.

Database trigger

De Groot is troubled by this development. He feels there’s only one solution. As he explains in a blog post:

“This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.”

To protect against this malware, site administrators should search their Magento shop's database for triggers that contain suspicious SQL code, such as the strings admin, js, or script, or HTML tags (anything wrapped in < and >). If they find anything suspicious, they can delete it using this command:

echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console
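The search described above, as an added example that is not from the article or from the tools it names: it dumps every trigger in the shop's schema (the information_schema query is standard MySQL), flags bodies that carry the article's indicators or that write to the tables holding the header/footer/copyright settings and CMS blocks, and prints the removal command in the form given above. The table names core_config_data and cms_block are those of a Magento 1 install and are an assumption here; the trigger rows are constructed sample data.

```python
import re

# Query a defender would run (e.g. via n98-magerun db:console) to list every
# trigger defined in the shop's own schema. Standard MySQL information_schema.
TRIGGER_QUERY = (
    "SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_STATEMENT "
    "FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA = DATABASE()"
)

# Indicators named in the article: admin, js, script, or an HTML tag in the trigger SQL.
SUSPICIOUS = re.compile(r"admin|\bjs\b|script|<[a-z/!]", re.IGNORECASE)
# Assumed Magento 1 tables holding header/footer/copyright settings and CMS blocks.
CONTENT_TABLES = {"core_config_data", "cms_block"}


def scan_triggers(rows):
    """Return one finding per trigger whose body matches the indicators or
    references a content table. rows: (name, event, table, body) tuples, i.e. the
    columns returned by TRIGGER_QUERY."""
    findings = []
    for name, event, table, body in rows:
        reasons = []
        hit = SUSPICIOUS.search(body)
        if hit:
            reasons.append("suspicious token %r in trigger body" % hit.group(0))
        touched = sorted(t for t in CONTENT_TABLES if re.search(r"\b%s\b" % t, body, re.I))
        if touched:
            reasons.append("references content table(s): " + ", ".join(touched))
        if reasons:
            findings.append({
                "trigger": name,
                "fires": "%s ON %s" % (event, table),
                "reasons": reasons,
                # Removal command in the form the article gives, for an admin to review.
                "remediation": 'echo "DROP TRIGGER %s" | n98-magerun db:console' % name,
            })
    return findings


# Constructed sample rows standing in for a real information_schema dump:
# one legitimate audit trigger and one that re-inserts a placeholder tag into the footer.
SAMPLE_ROWS = [
    ("sales_order_audit", "INSERT", "sales_flat_order",
     "BEGIN INSERT INTO order_audit_log (order_id) VALUES (NEW.entity_id); END"),
    ("ins_footer", "INSERT", "sales_flat_order",
     "BEGIN IF (SELECT COUNT(*) FROM core_config_data WHERE path = 'design/footer/absolute_footer' "
     "AND value LIKE '%PLACEHOLDER%') = 0 THEN UPDATE core_config_data "
     "SET value = '<script src=\"PLACEHOLDER\"></script>' "
     "WHERE path = 'design/footer/absolute_footer'; END IF; END"),
]

if __name__ == "__main__":
    for f in scan_triggers(SAMPLE_ROWS):
        print(f["trigger"], f["fires"], "; ".join(f["reasons"]), f["remediation"], sep="\n  ")
```

On a live shop, replace SAMPLE_ROWS with the rows TRIGGER_QUERY returns; a trigger that merely matches a keyword still needs a human to read its body before it is dropped.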

Admins could also use the MageReport and Willem de Groot’s Malware Scanner tools to help detect and block the malware.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Magento stores targeted by self-healing malware that steals credit card details”

  1. Michael Ponzani

    DuckDuckGo also has a little security tip newsletter. It's interesting and very short.
