Magento store owners should take great care when updating

Feb 16, 2016 12:20 GMT  ·  By

UPDATE: eBay and Sucuri have uncovered new details on how this attack works. It is not a distributed fake security patch, as initially thought. The malicious code appears on stores that were already compromised, disguised as the SUPEE-5344 patch, so that the store reports the patch as installed when it is not. The title has been changed to reflect this. The article has not, since it was written around the concept of a distributed fake patch.

Magento store owners applying security update SUPEE-5344 should take care not to end up with a fake patch file: it installs a keylogger on the store that steals customers' payment details.

The Magento team released security patch SUPEE-5344 in February 2015, but webmasters understood its importance only around April 2015, when researchers started digging into its details.

SUPEE-5344 fixed a remote code execution (RCE) flaw: an authentication bypass chained with a SQL injection let attackers take complete control of affected stores.

Fake SUPEE-5344 patch installs a keylogger

According to Sucuri, a fake SUPEE-5344 patch is circulating, laced with malicious code that keeps a backdoor on every system it is applied to.

The fake patch does apply the legitimate fix, so the store no longer looks vulnerable, but it also opens new holes for the attackers to use.

First, the fake patch inserts keyloggers into the checkout pages and into the PHP files that handle the checkout data. These collect customers' personal details and payment information and, using steganography, stash the stolen data inside JPEG images.

These images are saved to disk and sent at regular intervals to an email address hard-coded in the fake patch's source code.
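As an added example (not code from the article or from Sucuri), the following Python script looks for the on-disk symptom described above: JPEG files in a media directory that carry bytes appended after the end-of-image marker. The article does not give the exact encoding the skimmer uses, so the generic trailing-data check, the function names and the constructed sample images and payload are all assumptions. The script walks the JPEG segment structure rather than searching for the last 0xFFD9, because an EXIF thumbnail carries its own EOI marker and an appended payload may contain the byte pair as well.

```python
"""Detect JPEG files carrying data appended after the end-of-image marker.

Added example, not code from the article or from Sucuri. The skimmer is said
to stash stolen checkout data inside JPEG images before mailing it out; the
exact encoding is not published here, so this checks for the generic symptom:
bytes trailing the JPEG's EOI marker (0xFFD9). The sample images and payload
below are constructed for the demo.
"""
import os
import struct
import tempfile
from typing import List, Optional, Tuple

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk the marker segments and return the offset just past EOI.

    Returns None if the bytes do not parse as a JPEG. Segments are skipped by
    their declared length, so an EXIF thumbnail (a nested JPEG with its own
    EOI) inside APP1 does not confuse the scan.
    """
    if not data.startswith(SOI):
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                     # lost marker sync
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                  # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers
            pos += 2
            continue
        if pos + 3 >= n:
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                  # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                   # a real marker, not stuffing/RST
                pos += 1
    return None


def trailing_payload(data: bytes) -> Optional[bytes]:
    """Bytes after the JPEG EOI marker, b"" if clean, None if not a JPEG."""
    end = jpeg_end_offset(data)
    return None if end is None else data[end:]


def scan_dir(root: str) -> List[Tuple[str, int]]:
    """Return (path, trailing_byte_count) for every .jpg/.jpeg with a payload."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jpg", ".jpeg")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                extra = trailing_payload(fh.read())
            if extra:
                hits.append((path, len(extra)))
    return hits


def make_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, APP0, SOS, stuffed scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # includes FF00 stuffing and RST0
    return SOI + app0 + sos + scan + EOI


# Constructed stand-in for stolen checkout data; a real sample would be encoded.
FAKE_PAYLOAD = b"firstname=test&lastname=user&cc_number=0000000000000000&cc_cid=000\n"


def demo() -> List[Tuple[str, int]]:
    """Write a clean and a tampered image to a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="magento-media-")
    with open(os.path.join(root, "clean.jpg"), "wb") as fh:
        fh.write(make_sample_jpeg())
    with open(os.path.join(root, "tampered.jpg"), "wb") as fh:
        fh.write(make_sample_jpeg() + FAKE_PAYLOAD)
    return scan_dir(root)


if __name__ == "__main__":
    for path, extra in demo():
        print(f"{path}: {extra} bytes after EOI")
```

Point `scan_dir` at the store's media directory (and any other web-writable path) and review every hit: legitimate images occasionally carry a few padding bytes, but hundreds of bytes of key/value text after EOI, growing between runs, is the pattern to look for.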

Fake patch also installs a backdoor

It does not stop there. The people behind the fake patch also made sure they keep persistent access to every infected shop: they can change file permissions, execute arbitrary PHP code on the server, and delete all traces of the malicious code once they are done robbing the store.

"As we can see, the Magento malware ecosystem is maturing and attracting more hackers, and they’re bringing their arsenal of tried and true tricks and methods from WordPress and Joomla! malware with them," said Denis Sinegubko, Sucuri analyst.

"The growing market share of Magento ecommerce sites (#1 CMS in ecommerce and #4 CMS overall) and potential access to money flows, make attacks even with low success rates worthwhile," Mr. Sinegubko also noted.

Despite the severity of the flaw, Dutch hosting company Byte.nl found that, as of September 2015, over 170,000 Magento stores still had not applied SUPEE-5344, the patch for what became known as the Shoplift bug.

To stay safe from this threat, webmasters who finally want to update their store should download the patch from Magento's website only. Given the update above, a store that merely reports SUPEE-5344 as applied should not be taken at its word: confirm the fix is present in the actual patched files, not just in the list of applied patches.

Image: Magento store owners targeted by malicious fake security patch
Image: Malicious code in the fake SUPEE-5344 patch