Overview

Recently I came across a Magento 2.3.4 store with a Stripe-specific credit card scraper embedded in the checkout page. The malware had been injected into the core_config_data table and was saved against the shipping/shipping_policy/shipping_policy_content key. The updated_at time of the entry was 2024-04-10 13:27:32. It is worth noting that while this may be the time of the initial infection, since the original entry point has not been patched, an attacker could simply have changed the payload on that date.

Malware Source Code (Original + Decoded): https://gist.github.com/SamJUK/589e00a2fe730b85b4fdc6940e68d558

Analysis

After analysis it appears to be fairly cookie-cutter card-scraping malware: it provides a cloned version of the payment form and hides the original. The fake form has simple JS-based validation (card length, expiry date, CVC code validation, etc.). Once the customer enters valid card details and tries to submit them, the malware initiates a fake Knockout processStart while it extracts all the valuable entered data, including URL, user agent, email, address and card details, before shipping them to a remote base64-encoded URL.

Once it has extracted the data, it renders the original Stripe form again with a generic "An error occurred, please try again later" error, after which a customer may retry, enter their data successfully, and never report the issue to the store owner.

The malware seems to proxy the card details through other compromised stores, making it harder to track or block the malware source. The endpoint used by the malware in this sample is the health_check.php endpoint of a Spanish crisp website running Magento 2.

The malware also seems to break the PayPal & Amazon Pay integrations, in an attempt to force customers to use the compromised Stripe integration.

Remedies

After removing the malware, we can implement some measures to help reduce the risk of future compromise and provide early alerting.

  • Obviously, update the store and keep it up to date with the latest patches.
  • Migrate to an HPP (hosted payment page) solution, either via a redirect or an iframe. This makes it significantly harder for attackers to scrape the data.
  • Running a regular malware scan such as Ecomscan by Sansec.io provides great and effective reporting if you do get infected again.
  • Implementing a strong and enforced Content Security Policy (CSP) with a configured reporting URI will help block the AJAX requests JS-based malware makes to external servers.
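Because this payload lived in core_config_data rather than on disk, a file-only scan would miss it. The script below is an added example (not part of the original write-up or of any tool it mentions) that walks rows in the column layout of Magento's core_config_data table and flags values carrying script tags, atob()/fromCharCode calls, or base64 runs that decode to a URL; the sample rows, the exfiltration host and the key-like value are all constructed.

```python
import base64
import re

# Heuristics for JavaScript injected into config values that should only hold text/HTML.
SCRIPT_RE = re.compile(r"<script\b|javascript:|\bon\w+\s*=|\batob\(|fromCharCode", re.I)
# Base64 runs long enough to hide a URL; each one is decoded and checked for http(s).
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Constructed sample rows in the column order of Magento's core_config_data table
# (config_id, scope, scope_id, path, value, updated_at); host and key value are made up.
EXFIL_B64 = base64.b64encode(b"https://exfil.example/c.php").decode()
SAMPLE_ROWS = [
    (1, "default", 0, "shipping/shipping_policy/shipping_policy_content",
     '<p>Orders ship within 2 days.</p><script>var u=atob("' + EXFIL_B64 + '");</script>',
     "2024-04-10 13:27:32"),
    (2, "default", 0, "design/footer/absolute_footer",
     "<p>Thanks for shopping with us!</p>", "2023-01-02 10:00:00"),
    (3, "default", 0, "example/keys/public", "pk_test_ABCDEFGHIJKLMNOPQRSTUVWX",
     "2022-06-01 09:00:00"),
]

def decoded_urls(value):
    """Return http(s) URLs hidden inside base64 runs in a config value."""
    urls = []
    for token in B64_RE.findall(value):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if re.match(r"https?://", text):
            urls.append(text)
    return urls

def scan_core_config_rows(rows):
    """Flag rows whose value looks like injected script; returns a list of findings."""
    findings = []
    for config_id, _scope, _scope_id, path, value, updated_at in rows:
        reasons = []
        if value and SCRIPT_RE.search(value):
            reasons.append("script-like content")
        for url in decoded_urls(value or ""):
            reasons.append("base64-hidden URL: " + url)
        if reasons:
            findings.append({"config_id": config_id, "path": path,
                             "updated_at": updated_at, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_core_config_rows(SAMPLE_ROWS):
        print(f["config_id"], f["path"], f["updated_at"], "; ".join(f["reasons"]))
```

To run it against a live store, feed it the result of SELECT config_id, scope, scope_id, path, value, updated_at FROM core_config_data and review every flagged path and its updated_at timestamp.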

TL;DR

  • Stripe CC Scraper Detected in DB
  • In core_config_data table
  • Saved under shipping/shipping_policy/shipping_policy_content path
  • Last Updated At 2024-04-10 13:27:32
  • Breaks Amazon Pay & PayPal buttons
  • Proxies extracted details through other compromised stores