
Nearly 6,700 online stores running on the Magento platform are infected with Visbot, a piece of malware that hides on the web server, intercepts customers' credit card details, encrypts them, embeds the encrypted data inside an image file, and leaves that image where the attacker can download it later.

Visbot isn't a new threat: it was first discovered in late March 2015 by SnapFast, a hosting company specializing in Magento website hosting.

Despite this, the malware has kept a low profile because Visbot infections are very hard to detect, and few site owners have noticed anything wrong in the first place.

Visbot is different, hard to detect

Unlike similar Magento malware that collects credit card data, Visbot does not work in the site's frontend, where its code would be exposed to researchers and end users.

Visbot runs entirely in server-side code and never exposes itself to visitors. The only people in a position to discover a Visbot infection are the site's webmasters, and they have to be looking for it in the first place.

The malware waits for customers to submit credit card data and intercepts it on the server side. Visbot then encrypts the data with a public key hard-coded in the malware's source code.

Visbot uses steganography to steal data

The encrypted data is then packed inside an image file using steganography, a technique for hiding data inside an innocuous-looking carrier such as an image.

Visbot leaves this image in one of the site's public folders, and the malware author retrieves it at regular intervals. If the site sits behind a firewall, all the firewall sees is a visitor downloading an image, a very common occurrence, especially on an e-commerce store.

These are the names of the files in which Visbot usually hides stolen credit card data.

bkg_btn-close2_bg.gif
btn_back_bg_bg.gif
btn_cancel_bg_bg.gif
left_button_back.gif
mage.jpg
nav1_off_bg.gif
notice-msg_bg.png
section_menu_link_bg_bg.gif
sort-arrow-down_bg.png
Files where Visbot usually hides credit card data (via Willem de Groot)

The Visbot author holds the matching private key, which is the only key that can decrypt the data. This means that no other crook who finds and downloads the images can extract the credit card details: the stolen data is useless to anyone but the original attacker.

There's a way to detect sites infected with Visbot

According to Willem de Groot, security analyst at Byte.nl, a Dutch web hosting company, the malware has an Achilles' heel. In order to keep track of the sites he has infected, and to check whether they are still infected, the malware's creator probes them using a special User-Agent string, which the backdoor recognizes.

This also gives webmasters a way to check whether their own site is infected: send the site a request carrying the same User-Agent and compare the reply with what an ordinary visitor receives, since an infected site answers this User-Agent differently. With curl (-L follows redirects, -H adds the header), the request looks like this:

curl -LH 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)' http://your-site.com
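The same probe, scripted, as an added example that is not part of the article and is neither de Groot's scanner nor MageReport: it fetches the page twice as an ordinary browser and once with the Visbot User-Agent, then reports lines that change only for the Visbot request. Lines that already differ between the two browser fetches (form keys, session ids, timestamps) are treated as noise, which keeps dynamic checkout pages from producing false alarms. The assumption, which the article implies but does not spell out, is that an infected site answers the Visbot User-Agent differently from a normal visitor; the article does not quote the real reply, so the "BACKDOOR-DEMO-REPLY" line in the constructed offline fetcher is invented for the demo only.

```python
"""Differential check for the Visbot backdoor using its own User-Agent string.

Added example written for this article; it is not de Groot's scanner and not
MageReport. The article says the malware's author uses this User-Agent to see
whether a site is still infected, but does not quote what an infected site
replies. The only assumption made here is that an infected site answers this
User-Agent differently from a normal browser, so the check fetches the same
URL three times (twice as a browser, once as Visbot) and reports lines that
change only for the Visbot request. Lines that already differ between the two
browser fetches (form keys, session ids, timestamps) are ignored as noise.
"""
import difflib
import sys
import urllib.error
import urllib.request

VISBOT_UA = "Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)"
BROWSER_UA = "Mozilla/5.0 (compatible; visbot-check)"   # any ordinary browser UA will do

def fetch(url, user_agent, timeout=15):
    """GET the URL with the given User-Agent, following redirects like curl -L. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:       # 4xx/5xx replies still carry a body worth comparing
        return err.code, err.read()

def classify(baseline_a, baseline_b, probed):
    """Compare the Visbot-UA response against two browser-UA responses.

    Returns (verdict, suspicious_lines). A 'replace' block is ignored when it
    covers only line positions that already differ between the two baselines."""
    status_a, body_a = baseline_a
    status_p, body_p = probed
    la, lb, lp = body_a.splitlines(), baseline_b[1].splitlines(), body_p.splitlines()
    noisy = {i for i, (x, y) in enumerate(zip(la, lb)) if x != y}
    suspicious = []
    matcher = difflib.SequenceMatcher(None, la, lp, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag == "replace" and i2 - i1 == j2 - j1 and all(i in noisy for i in range(i1, i2)):
            continue
        suspicious.extend(la[i1:i2] if tag == "delete" else lp[j1:j2])
    if status_p != status_a:
        return "status-differs", suspicious
    if suspicious:
        return "body-differs", suspicious
    return "no-difference", suspicious

def check_site(url, fetcher=fetch):
    """Run the three fetches and classify. `fetcher` is injectable so the logic can run offline."""
    return classify(fetcher(url, BROWSER_UA), fetcher(url, BROWSER_UA), fetcher(url, VISBOT_UA))

def make_fake_fetcher(infected):
    """Constructed offline stand-in for fetch(): a store page whose form_key changes
    on every request (noise) and that, if `infected`, appends one extra line for
    the Visbot User-Agent. That line is invented for the demo; the article does
    not quote the real backdoor's reply."""
    counter = [0]
    def fake(url, user_agent):
        counter[0] += 1
        body = (b"<html><body><h1>Store</h1>\n"
                b'<input type="hidden" name="form_key" value="k%d">\n' % counter[0])
        if infected and user_agent == VISBOT_UA:
            body += b"BACKDOOR-DEMO-REPLY\n"
        return 200, body + b"</body></html>\n"
    return fake

if __name__ == "__main__":                   # usage: python visbot_check.py https://your-store.example/
    for url in sys.argv[1:]:
        verdict, lines = check_site(url)
        print(url, verdict)
        for line in lines[:20]:
            print("   ", line[:120])
```

A "body-differs" or "status-differs" verdict is a lead, not proof: a WAF or bot-management rule that treats unknown crawlers differently will also answer the Visbot User-Agent differently. Confirm on the server by looking for the User-Agent string in PHP files under the Magento root and in the web server's access log.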

De Groot is also the founder of MageReport, a website that provides security audits for Magento stores. Store owners who can't run curl themselves can use MageReport to check whether their store is infected with Visbot.

According to a mass scan de Groot carried out two days ago, 6,691 Magento stores were infected with this threat. The researcher said he has contacted both hosting providers and the authorities, who are now notifying affected store owners.

Visbot infections usually begin when an attacker gains access to a Magento store, either by brute-forcing admin credentials or by exploiting known vulnerabilities in unpatched installations. According to the Sucuri Hacked Website Trend Report, Magento is the third most hacked CMS, after WordPress and Joomla.

Keeping a Magento store patched and using strong admin passwords closes both of these entry points and prevents most infections with Visbot and other credit card stealers.

Visbot not the first Magento malware to use steganography

Visbot isn't the first malware seen hiding stolen credit card data inside image files. In October, Sucuri detected a similar Magento credit card stealer, although that one operated through malicious client-side JavaScript embedded in the checkout page.

In the past month, Sucuri has also detected two other malware families targeting the Magento CMS. One injected a malicious redirect into the CMS' one-page checkout; the other also targeted the one-page checkout, but stole geo-location data on top of credit card details.

This isn't the first time de Groot has sounded the alarm on Magento malware infections. In early October, the researcher conducted another Internet-wide scan and found over 5,900 Magento stores infected with various types of Magento malware. By December 1, over 2,300 of those stores had been cleaned up.
