Attackers Exploit Swap File to Steal Credit Card Information


Researchers at Sucuri recently discovered that website swap files can be exploited to install a persistent credit card skimmer on Magento e-commerce platforms. Swap files, which store overflow data from RAM, can contain critical information like passwords and encryption keys, making them a key target for hackers.

Hackers Exploit Swap File

Hiding the skimmer in a swap file allowed the malware to persist through multiple removal attempts. Malicious scripts containing binary and hexadecimal characters were found in the compromised source code of the checkout page.

Decoding these files revealed an intent to capture credit card information, showing how even benign system components can be exploited for criminal purposes.

A malicious script on the compromised checkout page hooked a custom button to capture credit card data, collecting sensitive details such as card numbers, names, and addresses from the form fields with querySelectorAll.

The campaign has been associated with credit card theft since February 2024 and also used the domain amazon-analytic[.]com. As that domain shows, threat actors borrow popular brand names to avoid detection.

In a Magento site, the compromised bootstrap.php file contained a base64-encoded credit card skimmer that persisted even after deletion and rebooting.

The issue stemmed from an unnoticed swap file named bootstrap.php-swapme, created while the file was being edited over SSH. Because the swap file went unnoticed, the malware evaded detection and survived every cleanup attempt.

Attackers used swap files to stay hidden on the server. According to the Sucuri report, once the swap file was removed and the caches cleared, the checkout page was clean.
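A defender's check for the two artefacts in this case, as an added example that is not Sucuri's or Magento's own code: it walks a web root looking for editor swap/backup copies of PHP files (the report names the -swapme suffix; the vim and backup suffixes are assumed extras) and for PHP files that pass a long base64 literal to base64_decode(). The sample tree it builds is constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# "-swapme" is the suffix from the report; the rest are assumed common editor
# swap/backup suffixes (vim .swp/.swo, backup copies ~ .bak .orig).
SWAP_SUFFIXES = ("-swapme", ".swp", ".swo", "~", ".bak", ".orig")
# base64_decode() fed a long base64 literal, as in the encoded bootstrap.php skimmer.
ENCODED_PAYLOAD = re.compile(
    r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/]{200,}={0,2}['\"]\s*\)")

def shadowed_php_name(name):
    """PHP file a swap/backup name shadows ('bootstrap.php' for
    'bootstrap.php-swapme' or '.bootstrap.php.swp'), else None."""
    for suffix in SWAP_SUFFIXES:
        if name.endswith(suffix) and len(name) > len(suffix):
            base = name[:-len(suffix)].lstrip(".")
            if base.endswith(".php"):
                return base
    return None

def scan_webroot(root):
    """Return relative paths of swap copies of PHP files and of PHP files holding an encoded payload."""
    root = Path(root)
    findings = {"swap_files": [], "encoded_payloads": []}
    for path in sorted(root.rglob("*"), key=lambda p: p.as_posix()):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if shadowed_php_name(path.name):
            findings["swap_files"].append(rel)
        elif path.suffix == ".php" and ENCODED_PAYLOAD.search(
                path.read_text(errors="replace")):
            findings["encoded_payloads"].append(rel)
    return findings

def build_sample_tree():
    """Constructed tree mimicking the case: encoded bootstrap.php, its
    -swapme twin, a vim swap of index.php and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "app").mkdir()
    (root / "pub").mkdir()
    blob = base64.b64encode(b"constructed harmless stand-in payload; " * 8).decode()
    (root / "app" / "bootstrap.php").write_text(f"<?php eval(base64_decode('{blob}'));\n")
    (root / "app" / "bootstrap.php-swapme").write_text("<?php // stale editor copy\n")
    (root / "pub" / ".index.php.swp").write_bytes(b"b0VIM constructed swap header")
    (root / "pub" / "index.php").write_text("<?php echo 'clean';\n")
    return root
```

Run `scan_webroot("/path/to/magento")` against a real docroot; any hit in `swap_files` is a leftover to inspect and remove, and any hit in `encoded_payloads` inside a core file such as bootstrap.php deserves a diff against a clean copy.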

This underscores the need for robust security, since malware can hide in persistent swap files. SSH access was the likely entry point for the edit, which highlights the importance of restricting administrative access to trusted IP addresses.

Key measures include using a website firewall, updating CMS and plugins, and limiting admin panel access. For help, consider professional cleanup services or DIY guides.

This case demonstrates how threat actors exploit hidden system functions, stressing the need for multi-layered security in e-commerce.

Mitigation

To mitigate the risk of persistent e-commerce malware infections, follow these steps:

  1. Restrict Administrative Access:
    • Limit SFTP, SSH, FTP, and cPanel Access: Restrict these access points to trusted IP addresses only. Configure these restrictions directly on your hosting server to prevent unauthorized access.
  2. Enhance Web Security:
    • Deploy a Website Firewall: Use a website firewall to provide additional protection and prevent unwanted access to sensitive areas such as your WordPress and Magento admin panels.
  3. Keep Software Updated:
    • Regularly Update CMS and Plugins: Ensure that your content management system (CMS) and any plugins or modules are kept up-to-date. Outdated software often contains vulnerabilities that attackers can exploit using automated tools.

By implementing these practices, you can significantly reduce the risk of malware infections and enhance the security of your e-commerce site.


Published July 23rd, 2024 | Exploitation, Internet Security, Mobile Security, Security Advisory, Security Update

About the Author:

FirstHackersNews- Identifies Security
