The hostile function was found by Bruno Zanelato, a researcher with the firm Sucuri, who said that the code for the function was injected into a .php file for another module, SF9 Realex, which helps sites store customer credit card data for the one-click checkout facility.
The function, sendCCNumber(), works in a very discreet manner, redirecting the credit card information the customer gives to Magento to an attacker's email address, which is hidden inside a variable later in the code.
According to the researchers, the attacker uses a public web service called binlist.net to look up issuer identification numbers, which help identify which bank each card is associated with.
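The traits described above can be turned into a simple source-code triage for a site's PHP files. The following is an added example, not code from Sucuri or from the malware: the function name and binlist.net come from the article, while the `mail()` pattern, the file names and the sample sources are constructed assumptions.

```python
import re

# Indicators named in the article: the injected function and the BIN-lookup
# service. "mail-to-variable" is an assumption about how a recipient address
# "hidden inside a variable" would appear in PHP source; it is weak on its own.
INDICATORS = {
    "sendCCNumber": re.compile(r"\bsendCCNumber\s*\(", re.I),
    "binlist.net": re.compile(r"binlist\.net", re.I),
    "mail-to-variable": re.compile(r"\bmail\s*\(\s*\$\w+", re.I),
}
WEAK = {"mail-to-variable"}  # common in legitimate modules too

def scan_source(src):
    """Return the sorted names of all indicators present in one PHP source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))

def triage(files):
    """Map path -> (severity, hits). Files with only weak hits need review."""
    report = {}
    for path, src in files.items():
        hits = scan_source(src)
        if hits:
            severity = "high" if set(hits) - WEAK else "review"
            report[path] = (severity, hits)
    return report

# Constructed sample sources (not real module code or real malware).
SAMPLES = {
    "constructed/injected_module.php": """<?php
function sendCCNumber($card) {
    $issuer = lookup('binlist.net', $card);   // placeholder lookup
    $to = $settings['x'];                      // recipient kept in a variable
    mail($to, 'order', $issuer);
}
""",
    "constructed/order_mailer.php": """<?php
function notifyCustomer($customerEmail, $orderId) {
    mail($customerEmail, 'Your order', 'Order ' . $orderId);
}
""",
    "constructed/helper.php": "<?php function total($a, $b) { return $a + $b; }",
}

if __name__ == "__main__":
    for path, (severity, hits) in sorted(triage(SAMPLES).items()):
        print(f"{severity:6} {path}: {', '.join(hits)}")
```

String matching of this kind only catches unobfuscated copies, so it complements rather than replaces comparing module files against known-good versions.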
Attackers are going to greater lengths to target credit card data, especially on e-commerce platforms such as Magento, according to Mr. Zanelato, who also mentioned that as the industry grows, the number of attacks specifically targeting these platforms will also increase.
Cesar Anjos, another researcher with the firm, found a stealer that was loaded from another source just last summer. The stealer in question was found to have executed a man-in-the-middle attack between the user and the checkout page after the credit card information was entered.
Another find, by Ben Martin, a researcher at the firm, in October last year saw the attackers scraping credit card numbers and exfiltrating them in obscure, sometimes publicly viewable image files.
After monitoring attacks similar to the ones described by Sucuri, researchers with RiskIQ said that the attacks originated from a single hacking group that was targeting e-commerce platforms such as Powerfront CMS and OpenCart with a web-based keylogger in March 2016.