The malicious code redirects the users to other sites were advertisers are paid for the traffic generated and or where threat actors can phish user information.
The malicious code redirects the users to other sites were advertisers are paid for the traffic generated and or where threat actors can phish user information.

Cyber Monday, and those shopping later, need to beware of a malicious redirect spotted in Magento One Page Checkout that is after not only your wallet, but also your page views.

Sucuri researcher Bruno Zanelato spotted a redirect injected into the Magento One coding, which is used by many ecommerce sites, that is triggered after a consumer selects their products and clicks “Proceed to checkout,” according to a Nov. 23 Sucuri blog post.

“Almost 100% of the cases the customers have not notice that this was happening and that data was being stolen during the checkout process,” Zanelato told SCMedia via email comments. “Usually the website owner just notice it after the sales start to drop because the real checkout process it is not happening, just the fake one.”

The malicious code redirects the users to other sites were advertisers have paid for the traffic generated and or where threat actors can phish user information.

Researchers examined the code and found a malicious file that, when coupled with /skin/frontend/base/default/js/opcheckout.js, it creates a JavaScript Layer responsible for submitting step data to the checkout controller and for interpreting controller responses to update the content of the checkout steps.

“This layer allows the checkout process to be completed without the browser needing to load every request in a new page,” the post said.

Zanelato said basically all e-commerce websites using Magento have been targeted in the attacks and that all platforms without the security patches 5344, 6788, and 8788 are vulnerable to attack.

“Keeping your Magento update and behind a firewall is the best way to keep your website and customers safe,” he said adding that this is one of many injection techniques used against Magento ecommerce sites with most of the attacks designed to steal banking information using phishing pages.

When cyber criminals use these kind of attacks its almost impossible for users to know if the behavior of the site is normal or not, Julien Bellanger, co-founder and CEO of Prevoty, told SC Media via emailed comments.

"The simplest protection for consumers is to use well-known sites like Amazon, Macy's, Target, etc. Large retailers can and do apply more time, talent and resources to securing their web sites, Bellanger said. "For website owners, the site should be thoroughly tested for security vulnerabilities, the vulnerabilities need to be mitigated and then the site has to be "locked" with no changes allowed to the code or configuration in production environments."

He added that site owners should monitor their application activity in real time to detect threat actors ahead of possible breaches.

This story has been updated to include comments from Julien Bellanger, co-founder and CEO of Prevoty.