One of our clients reported that a visitor to their website was receiving a warning from their antivirus program when navigating to the checkout page:
The checkout page was making calls to a known malicious domain, one already blacklisted by multiple vendors for distributing malware and for its involvement in carding attacks:
This strongly indicated that a card stealer was present somewhere on our client's website.
Our first step in locating such an infection is to query the database for the following string:
Here’s an example of why we look for such strings in the database:
While there were plenty of <script tags in our client's database, none of them appeared to be malicious.
Let's take this code apart and see what lies behind the obfuscation. First, let's reformat it so that it is not one big chunk and we can better see what we are looking at:
The malware can be broken down into three main parts:
In most injections of this kind we can simply strip out the ',' concatenation and run the result through a base64 decoder, but this one was more complicated and required us to log the output of each individual function.
Once each function has been isolated, we can use console.log in the browser's developer console, in a disposable sandbox environment, to de-obfuscate the injection like so. Only the individual string-building functions should be executed, never the assembled payload, and never in a browser that holds sessions for the store or anything else of value:
Security researchers have uncovered roughly 60 carding domains related to these attackers, including the following:
blockanalist[.]space
analiticsblock[.]space
analiticsblock[.]site
analistnetwork[.]space
analistnetwork[.]site
siteanalitics[.]space
siteanalitic[.]space
site-analitics[.]site
site-analitic[.]space
site-analitic[.]site
They are likely registering more as you read this article.
If you are an ecommerce website owner, I would highly recommend following the steps I laid out in a recent post on securing your website environment, especially the administration panel, which is where a lot of these attacks originate. We can also help protect your ecommerce website from attacks and hacks.