Malware, Threat Intelligence

Credit card skimmer concealed via swap files


Security Affairs reports that threat actors are abusing swap files on hacked Magento websites to inject a credit card skimmer stealthily and persistently.

An analysis from Sucuri found that a breached checkout page included a suspicious script, built from base64 variables and hex strings, that exfiltrated credit card information as well as names and addresses via the querySelectorAll function. Researchers also discovered that the script referenced a "swapme" file, which contained the same malware present in the bootstrap.php file. "It became evident that the attackers were leveraging a swap file to keep the malware present on the server and evade normal methods of detection," said researchers. Such findings should prompt restrictions on SSH, sFTP, FTP, and cPanel access, along with the appropriate configuration of those restrictions. Organizations have also been urged to use website firewalls and keep their CMS updated to prevent compromise.
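The detection angle described above, as an added example that is not code from SC Media, Security Affairs or Sucuri: walk a Magento web root for leftover swap-style files (Vim `.swp`/`.swo`, the `swapme` name from the report, editor backups) and flag any that carry PHP or the skimmer traits the analysis names (querySelectorAll next to base64 decoding and long hex strings). The name patterns, indicator regexes and the sample directory tree are constructed assumptions for illustration.

```python
import os, re, tempfile

# Assumed swap/temp name patterns: Vim swap files, the "swapme" reference from the
# article, and editor backup files. Extend this list for your own environment.
SWAP_NAME_RE = re.compile(r"(\.swp|\.swo|\.swapme|swapme|~)$", re.IGNORECASE)

# Skimmer indicators taken from the write-up: DOM harvesting via querySelectorAll
# next to base64 decoding and long runs of hex-escaped characters.
INDICATORS = {
    "php_tag": re.compile(r"<\?php"),
    "query_selector_all": re.compile(r"querySelectorAll\s*\("),
    "base64": re.compile(r"(atob\s*\(|base64_decode\s*\()"),
    "hex_string": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}

def scan_webroot(root):
    """Return sorted (relative_path, [indicators]) for swap-named files that carry code."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not SWAP_NAME_RE.search(name):
                continue  # only swap/temp-style names are in scope here
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue
            found = sorted(k for k, rx in INDICATORS.items() if rx.search(data))
            if found:
                hits.append((os.path.relpath(path, root), found))
    return sorted(hits)

def build_sample_tree():
    """Constructed Magento-like tree: clean bootstrap.php, a malicious 'swapme' twin, a harmless .swp."""
    root = tempfile.mkdtemp(prefix="magento_")
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", "bootstrap.php"), "w") as fh:
        fh.write("<?php\n// legitimate bootstrap\n")
    with open(os.path.join(root, "app", "bootstrap.php.swapme"), "w") as fh:
        fh.write("<?php\n$s = base64_decode('ZGVtbw==');\n"
                 "echo '<script>var f=document.querySelectorAll(\"input\");"
                 "var u=\"\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78\";</script>';\n")
    with open(os.path.join(root, "app", ".notes.txt.swp"), "w") as fh:
        fh.write("editor swap with no code inside\n")
    return root
```

On a real host, run `scan_webroot` against the Magento document root and compare every flagged swap file against its live twin (here `bootstrap.php`) before deciding whether it is an orphaned editor artifact or a persistence copy.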
