Hackers Inject Persistent Credit Card Skimmer to Abuse Swap File in Shopping Sites

By hiding their code in a swap file on a Magento e-commerce website, attackers were able to run a persistent credit card skimmer script that stole customers' card details.

The script was obfuscated with base64-encoded variables and hex-encoded strings, sat inside the checkout page's source code and watched for credit card information, while its persistence mechanism allowed it to survive multiple clean-up attempts.


The injected script hooks the compromised checkout page's submit button; when the button is clicked, it uses querySelectorAll to harvest the form fields, including name, address and card number.

The stolen card details are exfiltrated to a malicious domain that was likely chosen for its resemblance to a legitimate brand name in order to evade notice, underlining the growing use of Magecart-style attacks that target checkout processes to steal sensitive customer information.

[Figure: data entered into the credit card form]

Investigators traced the malicious checkout page script back to a modified Magento app/bootstrap.php file. Decoding the replaced file revealed the same malicious script along with a curl function used to send the stolen data out.

Using the ob_filter_callback function, the attackers injected the skimmer script into checkout pages, that is, pages whose URL contains the word "checkout" and that are requested via GET.

The team attempted to remove the malware by replacing the compromised bootstrap.php file. Even though the file appeared clean when viewed directly on the server over SSH, malware detection tools continued to flag it as infected.

Further investigation by the Sucuri Blog revealed that the malware was hooking into file session data and persisting in memory. Restarting Apache and the PHP services, and even rebooting the server, could not clear the infection.


The infected script contained a reference to a hidden "swapme" file. While no file by that name existed, a swap file (a temporary copy an editor creates while a file is being edited) named "bootstrap.php-swapme" was found to contain the malicious code.

This hidden swap file allowed the malware to persist even after the original script was cleaned, evading standard detection methods; removing the swap file and clearing the caches finally eliminated the infection.
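The two pieces of the incident described above, editor swap files sitting beside the real file and an output-buffer callback injection keyed on "checkout" URLs, can both be hunted for on disk. The following scanner is an added example written for this article, not code from Sucuri or Magento; the "-swapme" suffix comes from the incident, while the other filename suffixes and the content indicators are the author's assumptions about what a defender would look for.

```python
import os
import re
import tempfile

# Filename patterns for editor swap/backup leftovers. "-swapme" is the suffix seen in the
# incident; ".swp", "~" and ".bak" are common editor artifacts (assumption, not from the article).
SWAP_NAME_RE = re.compile(r"(-swapme$|\.swp$|~$|\.bak$)")

# Content indicators for a bootstrap-level skimmer injection (assumed indicators):
# an output-buffer callback, base64/hex-obfuscated payloads, curl exfiltration, a "checkout" URL check.
INDICATORS = {
    "ob_start_callback": re.compile(r"ob_start\s*\(\s*['\"$]"),
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "hex_string": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
    "curl_exec": re.compile(r"curl_exec\s*\("),
    "checkout_match": re.compile(r"strpos\s*\([^)]*['\"]checkout['\"]"),
}


def scan_tree(root):
    """Return {relative_path: [reasons]} for files with a swap-style name or injection indicators."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if SWAP_NAME_RE.search(name):
                reasons.append("swap/backup filename")
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    content = f.read()
            except OSError:
                continue
            reasons += [label for label, rx in INDICATORS.items() if rx.search(content)]
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Constructed sample: a clean bootstrap.php beside a leftover '-swapme' file carrying the injection."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app")
    os.makedirs(app)
    with open(os.path.join(app, "bootstrap.php"), "w") as f:
        f.write("<?php\nrequire_once __DIR__ . '/autoload.php';\n")
    with open(os.path.join(app, "bootstrap.php-swapme"), "w") as f:
        f.write("<?php\nif (strpos($_SERVER['REQUEST_URI'], 'checkout') !== false) {\n"
                "  ob_start('ob_filter_callback');\n}\n$p = base64_decode('Li4u');\n")
    return root


if __name__ == "__main__":
    for rel, why in scan_tree(build_sample_tree()).items():
        print(rel, "->", ", ".join(why))
```

Run it against a real document root instead of the constructed tree to list every leftover swap file and every PHP file carrying the injection indicators; the clean bootstrap.php produces no finding.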

The attacker's use of a swap file shows why security must go beyond basic scans: with SSH or a terminal session in hand, the attacker edited the file and left behind a swap file that surface-level scans would not identify.

This incident highlights the importance of layered defenses that look beyond readily visible data to uncover hidden modifications.
