Cybercriminals have been abusing a payment module to steal credit card data from online shops powered by the Magento ecommerce platform, web security firm Sucuri reported on Friday.
The targeted module is the Realex Payments Magento extension (SF9), which integrates with the Realex Realauth Remote payment gateway. The Realex Payments extension allows Magento store owners to process mail and telephone orders by entering the payment details themselves.
The extension itself is not vulnerable, but attackers can abuse it after they compromise the targeted Magento shop. In the attacks observed by Sucuri, hackers added a malicious function called sendCcNumber() to an SF9 file named Remote.php.
The function collects personal and financial data entered by users on the compromised website and sends it back to an email address controlled by the attacker.
The malicious function also leverages the online service binlist.net, which allows users to identify the issuer of a card based on the first six digits of the card number.
Sucuri said it had tracked “massive attacks” where hackers had injected malicious scripts into Magento websites in an effort to steal card data.
“Magento credit card stealers are indeed on the rise. While the information here is specific to Magento, realize that this can affect any platform that is used for ecommerce,” said Bruno Zanelato, malware analyst and team lead at Sucuri. “As the industry grows, so will the specific attacks targeting it. That’s why it is so important to keep your Magento website up to date and apply all the latest security patches!”
These types of attacks are not uncommon, and cybercriminals have used various tricks to evade detection and ensure that their malware is persistent.
In a campaign documented a few months ago, attackers hid stolen card data in harmless-looking image files related to products sold on the compromised website. More recently, researchers identified a piece of malware that restored itself on Magento websites after it had been removed.
Related: Card Data Stolen From eCommerce Sites Using Web Malware
Related: Critical Magento Flaws Expose Sites to Takeover
Related: “KimcilWare” Ransomware Targets Magento Websites

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- Cisco to Acquire Splunk for $28 Billion
- Car Cybersecurity Study Shows Drop in Critical Vulnerabilities Over Past Decade
- Omron Patches PLC, Engineering Software Flaws Discovered During ICS Malware Analysis
- Intel Launches New Attestation Service as Part of Trust Authority Portfolio
- Atos Unify Vulnerabilities Could Allow Hackers to Backdoor Systems
Latest News
- Researchers Discover Attempt to Infect Leading Egyptian Opposition Politician With Predator Spyware
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
