Malicious code injections are one of the most common threats faced by e-commerce websites, especially those running on platforms like Magento. Such attacks aim to steal sensitive customer data, redirect users to malicious sites, or compromise the store’s functionality. In this article, we will analyze a sample malicious JavaScript code found recently by a MoeSec Security Analyst, decode it, and explain its purpose. Furthermore, we will outline the steps to remove the infection, and provide recommendations for safeguarding your website using the MoeSec.com Website Security Platform.
The Malicious JavaScript Code
Here is the malicious JavaScript code snippet discovered in the Magento database:
At first glance, this code looks obfuscated, making it difficult to understand its behavior. However, after careful decoding, it reveals its malicious intent:
This decoded code is injecting a fake payment form that steals credit card details entered by customers and sends them to a remote attacker-controlled server. In this case it’s:
magentoplugins[.]cc
eshop.REMOVED-Compromised-STORE[.]cz Which is another compromosed shop.
Analyzing the Malicious Intent
The malicious script primarily aims to:
- Exfiltrate Customer Data: It intercepts sensitive information like credit card numbers, CVVs, and personal details.
- Compromise Website Integrity: By injecting itself into the database, it ensures the script is executed whenever affected pages are loaded.
- Persist in the System: Obfuscation techniques make it harder to detect and remove the code.
Steps to Remove the Malware Infection
If you suspect your Magento store is infected with similar malicious scripts, follow these steps to clean it:
1. Take the Website Offline
- Immediately take your website offline (Maintenance mode) to prevent further exploitation or data theft.
2. Backup the Website
- Create a full backup of your website files and database before making any changes.
3. Identify and Remove Malicious Code
- Search the Database: Look for injected scripts in your database tables such as cms_block , cms_page, core_config_data, etc.
- Inspect Files: Check for malicious or modified files.
4. Restore Clean Files
- Replace infected files with clean versions from a secure backup or better using fresh and clean copies downloaded directly from CMS official website or repository.
5. Update Magento and Extensions
- Ensure Magento and all third-party extensions are updated to their latest versions and that you are recognize all used extensions and admin users.
6. Scan for Backdoors
- Use tools like MoeSec Malware Scanner & Website Antivirus for a deep scan to detect hidden backdoors, malicious scripts or even malicious admin users to avoid any re-infection.
Recommendations to Prevent Future Attacks
1. Use the MoeSec.com Website Security Platform
- Real-Time Malware Detection: MoeSec scans your website continuously and alerts you to suspicious activity.
- Web Application Firewall (WAF): Blocks malicious requests and protects against SQL injection, XSS, and other attacks.
- Automatic Malware Removal: MoeSec can automatically remove malware from your site, ensuring minimal downtime and quick recovery.
2. Harden Your Magento Store
- Use Strong Admin Credentials: Avoid default usernames like
adminand use strong, unique passwords. - Enable Two-Factor Authentication (2FA): Add an extra layer of security to your admin panel.
- Restrict File Permissions: Limit write permissions to essential files and directories.
3. Keep Software Up-to-Date
- Regularly update Magento, extensions, and server software to patch known vulnerabilities.
4. Monitor Logs
- Regularly review access logs and error logs for suspicious activity.
5. Perform Regular Security Audits
- Schedule periodic security audits using MoeSec’s Website Antivirus to identify and fix vulnerabilities and to keep an eye for any file changes or modifications.
Conclusion
Malicious JavaScript injections pose a significant threat to Magento based online stores, endangering both customer data and business integrity. By decoding and analyzing the injected code, we can understand its intent and take the necessary steps to remove it. Leveraging the MoeSec.com Website Security Platform provides comprehensive protection against such threats, ensuring your website remains secure and malware-free. Stay proactive, adopt security best practices, and protect your business from future attacks.
