Magento eCommerce stores are high-value targets for online criminals. Thousands of dollars a month pass through even small stores, and although the vast majority of those stores use external payment processors, malware embedded in the store’s pages could still be used to steal data as the user enters it. Using an external payment processor means you have no database of credit card numbers to steal, but that doesn’t necessarily prevent the exfiltration of sensitive data entered into on-page forms.
Typically, the process of stealing sensitive data relies on the exploitation of an existing vulnerability. Hackers use that vulnerability to inject malware into web pages. The malware harvests, or swipes, the data as users enter it, either sending it directly to the criminals’ servers or storing it somewhere on the Magento store’s server for later collection.
Hackers often want to minimize the number of times they connect to a store to retrieve data because those connections can be a tell-tale sign of a security problem. If store owners scrutinize logs and find that their pages regularly make unauthorized connections to a third-party server, they’ll become suspicious and start looking for malware. To reduce the chance of being caught, criminals often store the stolen data on the store’s server and transmit it in batches or use their ability to access the store’s files to collect it.
Obviously, criminals can’t just stash the data in a file called “stolencreditcardnumbers.txt”, so they go to great lengths to obfuscate the data. One of the favorite methods is to hide the data in an image file. It’s relatively easy to insert arbitrary data within most common image formats. If the images are loaded in an image viewer, they’ll appear to be perfectly valid.
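The reason an image viewer still renders such a file is that JPEG and PNG decoders stop reading at the end-of-image marker (the JPEG EOI marker `FF D9`, or the PNG `IEND` chunk) and ignore anything after it. That is also what makes the trick detectable: a store owner can check whether image files in the media directory carry bytes past that logical end. The following scanner is an added example written for this article, not code from Sucuri or from the Magento project; the file names, the tiny constructed sample images and the fake payload string are all assumptions made for the demonstration.

```python
"""Flag JPEG/PNG files that carry extra bytes after their logical end of image.

Added example (not from the original article). It parses the real container
structure rather than searching for the last FF D9 / IEND, so appended data
that happens to contain those bytes does not fool the check.
"""
import os
import struct
import sys
import zlib
from typing import List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes) -> int:
    """Return the offset just past the IEND chunk, or -1 if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if pos > len(data):
            return -1                  # truncated chunk
        if ctype == b"IEND":
            return pos
    return -1


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker (FF D9), or -1 if not a well-formed JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1                  # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:             # EOI: logical end of the image
            return pos + 2
        if marker == 0x01 or marker == 0xD8 or 0xD0 <= marker <= 0xD7:
            pos += 2                   # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            return -1
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:             # SOS: walk entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break              # not a stuffed FF 00 and not an RSTn marker
                pos += 1
            else:
                return -1              # ran out of data before EOI
    return -1


def trailing_bytes(data: bytes) -> int:
    """Bytes after the image's logical end: 0 means clean, -1 means unparseable."""
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    return -1 if end < 0 else len(data) - end


def scan_directory(root: str, threshold: int = 0) -> List[Tuple[str, int]]:
    """Walk a media directory and return (path, extra_bytes) for suspicious images."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg", ".png")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    extra = trailing_bytes(fh.read())
                if extra > threshold:
                    findings.append((path, extra))
    return findings


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed 1x1 PNG and a skeletal JPEG (SOI, APP0, SOS, a few entropy bytes, EOI);
# neither is a real product image.
CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND", b""))
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56"
              + b"\xff\xd9")
# Constructed stand-in for appended swiper output (not real card data).
FAKE_PAYLOAD = b"constructed-fake-card-record\n"

if __name__ == "__main__":
    # Usage: python image_tail_check.py /path/to/magento/pub/media
    for path, extra in scan_directory(sys.argv[1]):
        print(f"{path}: {extra} bytes after end of image")
```

A viewer renders `CLEAN_JPEG + FAKE_PAYLOAD` exactly like `CLEAN_JPEG`, but `trailing_bytes` reports the appended length. A small tail is not proof of compromise on its own (some tools leave a few padding bytes), so treat findings as candidates to inspect with a hex viewer and to correlate with file modification times and web server logs; raising `threshold` filters out the harmless cases.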
In an interesting spin, Sucuri recently discovered a hacked Magento site where the image being used to store the stolen data was displayed on the site’s pages. It was an image of a product the site sold, and there’s no way a cursory examination would have revealed that it was full of stolen credit card numbers.
This technique is a double win for criminals. There’s almost no chance the store owners will discover the deception, and it’s easy for the data to be collected. Rather than using their access to the server, which increases the chances of discovery, the attackers can simply visit the page where the image is displayed.
The best way to avoid exposing shoppers to the risk of having sensitive information stolen is to prevent criminals from gaining access in the first place. If they can’t exploit a vulnerability on a store, they can’t inject their swiper code.
Updating is key here. Updates don’t negate the chance of being hacked, but they substantially reduce it. Make sure that your Magento store and any extensions you use are regularly updated.