New Magento Malware Uses Swap Files to Steal Credit Card Data
Researchers from Sucuri have discovered a novel method of data theft on the Magento e-commerce platform. Malicious actors are leveraging swap files to embed persistent spyware that steals credit card information. This method significantly enhances the resilience of the malicious code within the infected system, allowing it to withstand multiple removal attempts.
In the examined malicious campaign, a script containing encoded variables and strings was discovered on the checkout page. Decoding revealed that the script tracked credit card data. Upon clicking the checkout button, the script collected the entered information using the querySelectorAll function.
The attackers used the domain “amazon-analytic[.]com” to transmit the stolen data. This domain was registered in February 2024 and had already been used in other credit card theft campaigns. Utilizing popular brand names in domain names helps attackers avoid suspicion and detection.
Further investigation revealed that the “bootstrap.php” file on the Magento site had been completely replaced by the criminals. Decoding its contents showed the same malicious script found on the checkout page. The malicious code used the curl function to send data to an external server.
Removing the malware proved to be a challenging task. Despite replacing the infected file with a clean version and clearing caches, the malicious script continued to load on the checkout page. Even when viewed directly via SSH, the file appeared clean, yet malware cleaning tools still indicated an infection.
The culprit was a hidden copy of the “bootstrap.php” file: a temporary swap file left behind by the text editor during an SSH editing session. This swap file contained the same malicious code as the original file, which is why the visible file looked clean while scanners still reported an infection. Removing the hidden swap file and clearing the caches once again finally cleansed the checkout page.
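A defender-side check for the leftover described above, written as an added example here rather than taken from Sucuri's report or tooling: it walks a web root for hidden editor swap and backup files sitting next to PHP sources, reports whether the visible sibling still exists, and flags leftovers that carry constructed skimmer markers (the `base64_decode`/`curl_exec`/`querySelectorAll`/domain strings mentioned in the write-up). The filename patterns are assumed editor conventions and the sample tree is constructed.

```python
"""Find hidden editor swap/backup files lurking beside PHP sources in a web root."""
import os
import re
import tempfile
from pathlib import Path

# Leftovers an editor may write next to a file (assumed conventions, not from the report).
LEFTOVER_PATTERNS = [
    re.compile(r"^\.(?P<base>.+)\.sw[a-p]$"),        # vim swap: .bootstrap.php.swp
    re.compile(r"^\.(?P<base>.+)\.un~$"),            # vim persistent undo: .bootstrap.php.un~
    re.compile(r"^(?P<base>.+)~$"),                  # emacs/vim backup: bootstrap.php~
    re.compile(r"^(?P<base>.+)\.(bak|orig|save)$"),  # generic backup copies
]
# Constructed content markers tied to this campaign's description; not a full signature set.
SUSPICIOUS = re.compile(rb"base64_decode|curl_exec|querySelectorAll|amazon-analytic", re.I)


def leftover_base(name):
    """Return the visible filename a leftover belongs to, or None if not a leftover."""
    for pat in LEFTOVER_PATTERNS:
        m = pat.match(name)
        if m:
            return m.group("base")
    return None


def scan_webroot(root):
    """Return sorted [(leftover_path, visible_sibling_or_None, suspicious_bool)]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        names = set(files)
        for name in files:
            base = leftover_base(name)
            if base is None:
                continue
            path = Path(dirpath) / name
            sibling = str(Path(dirpath) / base) if base in names else None
            findings.append((str(path), sibling, bool(SUSPICIOUS.search(path.read_bytes()))))
    return sorted(findings)


def demo():
    """Build a constructed Magento-like tree: clean bootstrap.php plus a poisoned swap file."""
    app = Path(tempfile.mkdtemp()) / "app"
    app.mkdir()
    (app / "bootstrap.php").write_text("<?php\n// clean file restored from a known-good copy\n")
    (app / ".bootstrap.php.swp").write_bytes(b"b0VIM 9.0\x00<?php $u=base64_decode('...'); curl_exec($c);")
    (app / "env.php~").write_text("<?php return [];\n")  # harmless backup, still worth reviewing
    return scan_webroot(app.parent)


if __name__ == "__main__":
    for path, sibling, bad in demo():
        print(f"{'SUSPICIOUS' if bad else 'leftover  '} {path}  (visible sibling: {sibling})")
```

Run it against the real document root in place of the constructed tree; any leftover beside a file you just cleaned should be diffed against the clean copy and removed before caches are flushed again.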
This case underscores the importance of comprehensive security measures beyond superficial scans and cleanups. Limiting administrative access to trusted IP addresses, regularly updating content management systems and plugins, and using firewalls can help reduce the risk of infection.
For users or administrators facing similar issues, it is advisable to seek assistance from security specialists or follow the cleanup guide for infected sites authored by Sucuri experts.