Whitespace Steganography Conceals Web Shell in PHP Malware

Whitespace Steganography Conceals Web Shell in PHP Malware

Last November, we wrote about how attackers are using JavaScript injections to load malicious code from legitimate CSS files. At first glance, these injections didn’t appear to contain anything except for some benign CSS rules. A more thorough analysis of the .CSS file revealed 56,964 seemingly empty lines containing combinations ... Read More
Another Credit Card Stealer That Pretends to Be Sucuri

Another Credit Card Stealer That Pretends to Be Sucuri

During a routine investigation, we found yet another web skimmer that pretends to be related to Sucuri. One of our Remediation Analysts, Liam Smith, found the following code injected into the database of a Magento site. The first 109 lines of the malware don’t contain any content, which could be ... Read More
CSS-JS Steganography in Fake Flash Player Update Malware

CSS-JS Steganography in Fake Flash Player Update Malware

This summer, MalwareBytes researcher Jérôme Segura wrote an article about how criminals use image files (.ico) to hide JavaScript credit card stealers on compromised e-commerce sites. In a tweet, Affable Kraut also reported another similar obfuscation technique using .ico files to conceal JavaScript skimmers. Just something I’ve noticed more recently ... Read More
SiteCheck Malware Report: September Summary

SiteCheck Malware Report: September Summary

Our free SiteCheck tool helps website owners remotely scan their website to detect malware infections, blacklisting status, website errors, and other anomalies. Scanning a website’s external HTML source code provides immediate results, without the need to install any software or applications to identify threats. In September alone, a total of ... Read More
Skimmers in Images & GitHub Repos

Skimmers in Images & GitHub Repos

MalwareBytes recently shared some information about web skimmers that store malicious code inside real .ico files. During a routine investigation, we detected a similar issue. Instead of targeting .ico files, however, attackers chose to inject content into real .png files — both on compromised sites and in booby trapped Magento ... Read More

Dangerous Website Backups

It’s a well-known fact that website backups are important for mitigating a plethora of site issues. They can help restore a site after a compromise or even facilitate the investigative process by providing a clean code base to compare the current site state to. However, if a backup is not ... Read More
Evasion Tactics in Hybrid Credit Card Skimmers

Evasion Tactics in Hybrid Credit Card Skimmers

The most common type of Magento credit card stealing malware is client-side JavaScript that grabs data entered in a checkout form and sends it to a third-party server controlled by the attackers. Though popular with bad actors, one of the drawbacks of this approach is that it’s possible to track ... Read More
PinnacleCart Server-Side Skimmers and Backdoors

PinnacleCart Server-Side Skimmers and Backdoors

While open-source ecommerce platforms are the most common targets for web skimmers, hackers also target paid-for software — especially if it’s used on high-profile online stores with large user-bases. This time, our analysts Kara Federow and Keith Petkus found malware on a website powered by PinnacleCart, a webstore solution used ... Read More
Web Skimmer with a Domain Name Generator

Web Skimmer with a Domain Name Generator

Our security analyst Moe Obaid recently found yet another variation of a web skimmer script injected into a Magento database. The malicious script loads the credit card stealing code from qr201346[.]pw and sends the stolen details to hxxps://gooogletagmanager[.]online/get.php. This approach is pretty typical for skimmers. However, we noticed one interesting ... Read More
WordPress Database Brute Force and Backdoors

WordPress Database Brute Force and Backdoors

We regularly talk about brute force attacks on WordPress sites and explain why WordPress credentials should always be unique, complex, and hard to guess. However, the WordPress login is not the only point of entry that hackers use to break into sites. Since the WordPress CMS stores most of its ... Read More