Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Injecting Magecart into Magento Global Config

At the beginning of June 2020, we were contacted about a breach of a website using the Magento framework that caused a leak of credit card numbers. A thorough analysis of the website identified the webpage’s footer had malicious code added to it.

Figure 1. Malicious Script Injected in the Footer Section of the Compromised Magento Webpage


We found that the Magento's cached CONFIG_GLOBAL_STORES_DEFAULT file also contains the same malicious code.

Figure 2. Magento configuration located at /var/cache within Magento installation directory was also infected


On the compromised web server, we also found an Adminer PHP file – a readily available tool used to remotely manage SQL databases such as MySQL. We will get back to this later on why the attacker used this tool.

Malicious Code Analysis

Before we proceed on how the malicious code got into the compromised webpage’s footer, let us first see what the malicious code does.

The malicious JavaScript code is a very long string, encapsulated inside a <div> HTML element tag starting with this code:

<div style="position:fixed;top:0;left:0;width:100%;height:100%;" onmouseover="(function (){MALICIOUS JAVASCRIPT TRUNCATED}..


Then a “style” attribute is used to define the <div> element’s position, with 100% width and 100% height. This means that the element covers the entire page's scale and that it will execute the malicious JavaScript once the mouse moves over the webpage.

Towards the end of the string you will see:

'var d1;d1 = eval('doc' + 'ument');d1.getElementById('qwe123').parentNode.removeChild(d1.getElementById('qwe123'))" id="qwe123"'

Below is a breakdown of this code:

var d1;
d1 = eval('document');

getElementById - This method returns the information from the element 'qwe123'
parentNode.removeChild - Returns the removed child node from the Document Object Model (DOM) tree but keeps it in the memory, which can will use later

This piece of code is used to hide itself by removing the whole <div> element encapsulating the malicious JavaScript, after the main malicious JavaScript is executed or attempting to conduct live analysis on the code via something like a browsers Dev mode.

The bulk of the rest of the code is highly obfuscated. But after de-obfuscating and prettifying the code, we can clearly see what the JavaScript does.

Figure 3. De-obfuscated Javascript encapsulated inside the <DIV> element


The de-obfuscated code shown in Figure 3 monitors HTML elements including:  inputselectformbutton. This code is very dangerous especially when injected into a web store’s check out page. Once a customer enters information into the page and clicks anywhere else, it begins to iterate all of the monitored elements from the HTML form for user inputs. The collected data are then joined together to form one string of URL encoded parameter format. For example:


Credit card data are also checked and validated using the Luhn algorithm and appended in the string as parameter variable “cc”.

From this point, collected data is exfiltrated to the attacker's host tunneled through an HTTP GET parameter.{random}&{exfiltrated data}&cc={credit card number}

Footer Infection

So how did the JavaScript get injected into the webpage’s footer? Short answer, Magento’s global configuration.

Magento’s global configuration plays an important role in an online store that uses the Magento framework. This is where a Magento administrator configures different scopes in the framework, including catalogs, reports, customer configuration, web theme/design, among others.

However, this configuration can be easily manipulated after the webserver gets compromised

The screenshot below shows Magento’s design configuration page, where an admin can set the Footer section of the webpage. The footer specifically defines the Copyright notice. But we can also add a <script> element into this field.

Magento Config UI
Figure 4. Magento's Design Configuration Page


And once this is cached by Magento, the copyright notice including the script gets injected to every page of the Magento website:

Injected code
Figure 5. Copyright notice including the <script> element we added is injected to every page of the website


We mentioned earlier that the attacker used a SQL management tool called Adminer on the compromised web server. The attacker used adminer.php in the server and pointed it to the attacker's own MySQL database. The tool has a vulnerability that allows bypassing the login screen for adminer.php by using the attacker’s database credentials. Once logged in, the attacker can access the compromised webserver’s local database instead of the attacker’s database. The attacker then leverages the information gained from the database to access the admin portion of the Magento website. The attacker may then potentially directly access and modify the Magento configuration from the database.

Figure 6. Using Adminer to edit Magento Configuration


How the web server got compromised is still being investigated. But looking at the access.log, we saw that other individuals had been scanning for iterations of adminer.php both before and after the attack. Also, the customer was using an old version of Magento (specifically version and there are more than a dozen known security vulnerabilities that affect this version.


This attack shows the relative ease in which a Magento system can be compromised to inject malicious JavaScript into web pages.  The only reliable way of preventing Magecart is to detect, fix, and harden the security of websites. There are currently a few tools online that can help with these three steps:



Additional Reading

Latest SpiderLabs Blogs

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Guardians of the Gateway: Identity and Access Management Best Practices

This is Part 10 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More