Why you should install Magento security patches [Fraud investigation]
Today we faced a serious fraud case. At first sight it looked typical, but it also looked like an attempt to damage Amasty's reputation. First of all, though, it is a live example of how e-commerce fraud works when site owners are reluctant to follow security rules.
We are publishing this story to show our clients and all Magento merchants how important it is to install security patches promptly.
This morning we received a message from a hosting company.
It was an employee of the hosting company, not the Magento site owner, who sent us the script. The script collects payment data from the Magento checkout pages and sends it to https://amasty.biz/lib/paypal_icon.png (a URL that looks like an image but serves as the collection endpoint).
As we are not associated with amasty.biz in any way, we confirmed that the script was malware and suggested deleting it from the website.
Amasty.biz redirects to amasty.com. It may look like we are somehow connected to amasty.biz, but we want to state officially once again: Amasty is not related to the amasty.biz fraud in any way.
A WHOIS lookup of amasty.biz is not helpful:
$ whois amasty.biz
Domain Name: AMASTY.BIZ
Domain ID: D70130289-BIZ
Sponsoring Registrar: EVOPLUS LTD.
Sponsoring Registrar IANA ID: 1418
Registrar URL (registration services): www.evonames.com
Domain Status: ok
Registrant ID: MR_8788991WP
Registrant Name: WhoisProtectService.net
Registrant Address1: 27 Old Gloucester Street
Registrant City: London
Registrant Postal Code: WC1N 3AX
Registrant Country: UNITED KINGDOM
Registrant Country Code: GB
Registrant Phone Number: +44.02074195061
Registrant Email: firstname.lastname@example.org
Administrative Contact ID: MR_8788991WP
Administrative Contact Name: WhoisProtectService.net
Administrative Contact Address1: 27 Old Gloucester Street
Administrative Contact City: London
Administrative Contact Postal Code: WC1N 3AX
Administrative Contact Country: UNITED KINGDOM
Administrative Contact Country Code: GB
Administrative Contact Phone Number: +44.02074195061
Administrative Contact Email: email@example.com
Billing Contact ID: MR_8788991WP
Billing Contact Name: WhoisProtectService.net
Billing Contact Address1: 27 Old Gloucester Street
Billing Contact City: London
Billing Contact Postal Code: WC1N 3AX
Billing Contact Country: UNITED KINGDOM
Billing Contact Country Code: GB
Billing Contact Phone Number: +44.02074195061
Billing Contact Email: firstname.lastname@example.org
Technical Contact ID: MR_8788991WP
Technical Contact Name: WhoisProtectService.net
Technical Contact Address1: 27 Old Gloucester Street
Technical Contact City: London
Technical Contact Postal Code: WC1N 3AX
Technical Contact Country: UNITED KINGDOM
Technical Contact Country Code: GB
Technical Contact Phone Number: +44.02074195061
Technical Contact Email: email@example.com
Name Server: NS1.TOPDNS.ME
Name Server: NS2.TOPDNS.ME
Name Server: NS3.TOPDNS.ME
Created by Registrar: EVOPLUS LTD.
Last Updated by Registrar: EVOPLUS LTD.
Domain Registration Date: Fri Jun 03 11:00:12 GMT 2016
Domain Expiration Date: Fri Jun 02 23:59:59 GMT 2017
Domain Last Updated Date: Sat Jun 04 04:13:19 GMT 2016
That's because the owner chose WHOIS privacy protection when registering the domain. Right now we are trying to reach the registrar to have the domain frozen, but we also wanted to neutralize the site that is collecting payment data.
We checked the IP address and the hosting company the fraud site is using:
$ nslookup amasty.biz 18.104.22.168
Now we know that the IP address of amasty.biz is 22.214.171.124:
$ whois 126.96.36.199
NetRange: 188.8.131.52 – 184.108.40.206
Parent: NET209 (NET-209-0-0-0-0)
NetType: Direct Allocation
Organization: server4you Inc. (SERVE-6)
OrgName: server4you Inc.
Address: 210 North Tucker Blvd.
Address: Suite 910
City: Saint Louis
OrgAbuseName: server4you Abuse Department
As we can see, the IP address belongs to server4you Inc. We tried to reach the hosting company's support via firstname.lastname@example.org and asked them to take the site down for fraud. So far we have had no response, but we have done everything we could here.
To investigate further, we checked the source of the affected site's main page and saw the following part:
The script is obfuscated, but we do have the deobfuscated version (to get the deobfuscated variant, replace «this['eval'](w);» with «console.log(w);», so the decoded script is printed instead of executed).
To find out why this happened, we checked the affected site with magereport.com.
The report shows multiple vulnerabilities on the affected site: its owners haven't installed a single Magento security patch. Pay attention to the Credit Card Hijack finding.
The script from our case is very similar to the example script in the vulnerability description. The differences are the URL the data is sent to and an extended list of pages with payment data.
In the comparison, red lines are those in our script that do not match the magereport.com example, and green lines are those in the magereport.com example that differ from the script we found.
And, of course, the main victims of the fraud are the customers who enter their payment details on the vulnerable sites.
Magento merchants can't be 100% safe from such a situation, but the probability of fraud incidents can be lowered significantly by using strong passwords and installing Magento security patches as soon as they are released.
UPD: The registrar confirmed that amasty.biz has been blocked.