Examining Unique Magento Backdoors

During a recent investigation into a compromised Magento ecommerce environment, we discovered the presence of five different backdoors that would provide attackers with code execution capabilities. The techniques used by the attackers in these backdoo… Continue reading Examining Unique Magento Backdoors

WooCommerce Credit Card Skimmer Hides in Plain Sight

Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a prod… Continue reading WooCommerce Credit Card Skimmer Hides in Plain Sight

WooCommerce Credit Card Swiper Hides in Plain Sight

Recently, a client’s customers were receiving a warning from their anti-virus software when they navigated to the checkout page of the client’s ecommerce website. Antivirus software such as Kaspersky and ESET would issue a warning but only once a prod… Continue reading WooCommerce Credit Card Swiper Hides in Plain Sight

Magento PHP Injection Loads JavaScript Skimmer

A Magento website owner was concerned about malware and reached out to our team for assistance. Upon investigation, we found the website contained a PHP injection in one of the Magento files: ./app/code/core/Mage/Payment/Model/Method/Cc.php

if ($_… Continue reading Magento PHP Injection Loads JavaScript Skimmer

Real-Time Phishing Kit Targets Brazilian Central Bank

We recently found an interesting phishing kit on a compromised website that has QR code capabilities, along with the ability to control the phishing page in real time. What our investigation revealed was that attackers were leveraging PIX, a new payme… Continue reading Real-Time Phishing Kit Targets Brazilian Central Bank

Fake WordPress Functions Conceal assert() Backdoor

A few weeks ago, I was manually inspecting some files on a compromised website. While checking on a specific WooCommerce file, I noticed something interesting.
Among 246 other lines, this very specific part stood out to me:
$config = wp_dbase_config_i… Continue reading Fake WordPress Functions Conceal assert() Backdoor

PrestaShop SuperAdmin Injector and Login Stealer

According to W3Tech’s data, PrestaShop is among the most popular CMS choices for existing ecommerce websites, so it should come as no surprise that malware has been created to specifically target these environments.
We recently came across an infected… Continue reading PrestaShop SuperAdmin Injector and Login Stealer

Another Credit Card Stealer That Pretends to Be Sucuri

During a routine investigation, we found yet another web skimmer that pretends to be related to Sucuri.
One of our Remediation Analysts, Liam Smith, found the following code injected into the database of a Magento site.
The first 109 lines of the malw… Continue reading Another Credit Card Stealer That Pretends to Be Sucuri

Magento Credit Card Stealing Malware: gstaticapi

Our team recently came across a malicious script used on a Magento website titled gstaticapi, which targeted checkout processes to capture and exfiltrate stolen information.
To obtain sensitive details, the malware loads external javascript whenever t… Continue reading Magento Credit Card Stealing Malware: gstaticapi

CDN-Filestore Credit Card Stealer for Magento

During a website remediation, we recently discovered a new version of a Magento credit card stealer which sends all compromised data to the malicious domain cdn-filestore[dot]com. My colleague Luke Leal originally wrote about this malware in a blog po… Continue reading CDN-Filestore Credit Card Stealer for Magento