Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Trustwave SpiderLabs Uncovers Critical Cybersecurity Vulnerabilities Exposing Manufacturers to Costly Attacks. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Injecting Magecart into Magento Global Config

At the beginning of June 2020, we were contacted about a breach of a website using the Magento framework that caused a leak of credit card numbers. A thorough analysis of the website identified the webpage’s footer had malicious code added to it.

Figure 1. Malicious Script Injected in the Footer Section of the Compromised Magento Webpage


We found that the Magento's cached CONFIG_GLOBAL_STORES_DEFAULT file also contains the same malicious code.

Figure 2. Magento configuration located at /var/cache within Magento installation directory was also infected


On the compromised web server, we also found an Adminer PHP file – a readily available tool used to remotely manage SQL databases such as MySQL. We will get back to this later on why the attacker used this tool.

Malicious Code Analysis

Before we proceed on how the malicious code got into the compromised webpage’s footer, let us first see what the malicious code does.

The malicious JavaScript code is a very long string, encapsulated inside a <div> HTML element tag starting with this code:

<div style="position:fixed;top:0;left:0;width:100%;height:100%;" onmouseover="(function (){MALICIOUS JAVASCRIPT TRUNCATED}..


Then a “style” attribute is used to define the <div> element’s position, with 100% width and 100% height. This means that the element covers the entire page's scale and that it will execute the malicious JavaScript once the mouse moves over the webpage.

Towards the end of the string you will see:

'var d1;d1 = eval('doc' + 'ument');d1.getElementById('qwe123').parentNode.removeChild(d1.getElementById('qwe123'))" id="qwe123"'

Below is a breakdown of this code:

var d1;
d1 = eval('document');

getElementById - This method returns the information from the element 'qwe123'
parentNode.removeChild - Returns the removed child node from the Document Object Model (DOM) tree but keeps it in the memory, which can will use later

This piece of code is used to hide itself by removing the whole <div> element encapsulating the malicious JavaScript, after the main malicious JavaScript is executed or attempting to conduct live analysis on the code via something like a browsers Dev mode.

The bulk of the rest of the code is highly obfuscated. But after de-obfuscating and prettifying the code, we can clearly see what the JavaScript does.

Figure 3. De-obfuscated Javascript encapsulated inside the <DIV> element


The de-obfuscated code shown in Figure 3 monitors HTML elements including:  inputselectformbutton. This code is very dangerous especially when injected into a web store’s check out page. Once a customer enters information into the page and clicks anywhere else, it begins to iterate all of the monitored elements from the HTML form for user inputs. The collected data are then joined together to form one string of URL encoded parameter format. For example:


Credit card data are also checked and validated using the Luhn algorithm and appended in the string as parameter variable “cc”.

From this point, collected data is exfiltrated to the attacker's host tunneled through an HTTP GET parameter.{random}&{exfiltrated data}&cc={credit card number}

Footer Infection

So how did the JavaScript get injected into the webpage’s footer? Short answer, Magento’s global configuration.

Magento’s global configuration plays an important role in an online store that uses the Magento framework. This is where a Magento administrator configures different scopes in the framework, including catalogs, reports, customer configuration, web theme/design, among others.

However, this configuration can be easily manipulated after the webserver gets compromised

The screenshot below shows Magento’s design configuration page, where an admin can set the Footer section of the webpage. The footer specifically defines the Copyright notice. But we can also add a <script> element into this field.

Magento Config UI
Figure 4. Magento's Design Configuration Page


And once this is cached by Magento, the copyright notice including the script gets injected to every page of the Magento website:

Injected code
Figure 5. Copyright notice including the <script> element we added is injected to every page of the website


We mentioned earlier that the attacker used a SQL management tool called Adminer on the compromised web server. The attacker used adminer.php in the server and pointed it to the attacker's own MySQL database. The tool has a vulnerability that allows bypassing the login screen for adminer.php by using the attacker’s database credentials. Once logged in, the attacker can access the compromised webserver’s local database instead of the attacker’s database. The attacker then leverages the information gained from the database to access the admin portion of the Magento website. The attacker may then potentially directly access and modify the Magento configuration from the database.

Figure 6. Using Adminer to edit Magento Configuration


How the web server got compromised is still being investigated. But looking at the access.log, we saw that other individuals had been scanning for iterations of adminer.php both before and after the attack. Also, the customer was using an old version of Magento (specifically version and there are more than a dozen known security vulnerabilities that affect this version.


This attack shows the relative ease in which a Magento system can be compromised to inject malicious JavaScript into web pages.  The only reliable way of preventing Magecart is to detect, fix, and harden the security of websites. There are currently a few tools online that can help with these three steps:



Additional Reading

Latest SpiderLabs Blogs

Trustwave SpiderLabs Report: LockBit 3.0 Ransomware Vs. the Manufacturing Sector

As the manufacturing sector continues its digital transformation, Operational Technology (OT), Industrial Control Systems (ICS), and Supervisory Control and Data Acquisition (SCADA) are becoming...

Read More

Overview of the Cyberwarfare used in Israel – Hamas War

On October 7, 2023, the Palestinian organization Hamas launched the biggest attack on Israel in years, resulting in numerous casualties and hostages taken. Israel responded with a large-scale ground...

Read More

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More