Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Cybercriminals Hijack Magento Extension to Steal Card Data

Cybercriminals have been abusing a payment module to steal credit card data from online shops powered by the Magento ecommerce platform, web security firm Sucuri reported on Friday.

Cybercriminals have been abusing a payment module to steal credit card data from online shops powered by the Magento ecommerce platform, web security firm Sucuri reported on Friday.

The targeted module is the Realex Payments Magento extension (SF9), which integrates with the Realex Realauth Remote payment gateway. The Realex Payments extension allows Magento store owners to process mail and telephone orders by entering the payment details themselves.

The extension itself is not vulnerable, but attackers can abuse it after they compromise the targeted Magento shop. In the attacks observed by Sucuri, hackers added a malicious function called sendCcNumber() to an SF9 file named Remote.php.

The function collects personal and financial data entered by users on the compromised website and sends it back to an email address controlled by the attacker.

The malicious function also leverages the online service binlist.net, which allows users to identify the issuer of a card based on the first six digits of the card number.

Sucuri said it had tracked “massive attacks” where hackers had injected malicious scripts into Magento websites in an effort to steal card data.

Advertisement. Scroll to continue reading.

“Magento credit card stealers are indeed on the rise. While the information here is specific to Magento, realize that this can affect any platform that is used for ecommerce,” said Bruno Zanelato, malware analyst and team lead at Sucuri. “As the industry grows, so will the specific attacks targeting it. That’s why it is so important to keep your Magento website up to date and apply all the latest security patches!”

These types of attacks are not uncommon, and cybercriminals have used various tricks to evade detection and ensure that their malware is persistent.

In a campaign documented a few months ago, attackers hid stolen card data in harmless-looking image files related to products sold on the compromised website. More recently, researchers identified a piece of malware that restored itself on Magento websites after it had been removed.

Related: Card Data Stolen From eCommerce Sites Using Web Malware

Related: Critical Magento Flaws Expose Sites to Takeover

Related: “KimcilWare” Ransomware Targets Magento Websites

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

Mark Carter has been appointed Chief Information Security Officer at Socure.

More People On The Move

Expert Insights

Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.