Manual identification of an X-Cart credit card skimmer
During a recent investigation, a new customer informed us that his antivirus had detected a suspicious domain loading on the payment page of his website. We regularly receive reports like these as they are a telltale indicator of a credit card skimmer infection.
Our research and remediation teams frequently find credit card skimmers on Magento websites, and more recently on WordPress – however, in this case the client was using a lesser known e-commerce solution known as X -Cart. W3techs.com estimates that X-Cart has a CMS market share of less than 0.1%, while they rank WordPress and Adobe-based platforms such as Magento with a market share of 64% and 1.6 % respectively.
In the spirit of security education, we will describe the process used to investigate and manually detect a credit card skimmer in a compromised X-Cart environment, as well as some steps you can take to mitigate the risk to your own websites.
X-Cart Credit Card Thief Manual Detection
Almost all modern web browsers offer a developer tools feature, which can be used to get additional information about what exactly is happening when you visit a website. the Network The feature easily logs every request from your browser when visiting a given page – and using it, we can see what’s going on “in the background”.
Our client had already identified the malicious domain as hxxps://metahtmlhead[.]com, which gave us a starting point for our investigation. The next step was to identify malicious requests in our developer tools.
Once we identified the malicious request in our dev tools, we were able to check the initiator of the request in the same window to determine exactly which line of code the request came from.
For example, a eval() loading the statement from line 5 of a website’s index file would look like this:
Following the chain on suspicious requests loading on the client basket.php file, we have identified the infection loading from a eval() statement buried about 3,000 lines in the website’s HTML source code:
With the original code in hand, this allows us to search the website’s files and database to determine exactly where it is placed on the server. A search for the string eval(decodeURIComponent(‘(function gave results: this infection was added to a main X-Cart file with the path ./skin/common_files/check_cc_number_script.tpl.
The model file check_cc_number_script.tpl was originally intended to validate entered credit card details – to ensure, for example, that the CVV field was not left blank before payment was submitted. The attacker’s injection of malicious code into this file is all that is required for the website to send the credit card details entered in the payment page to a malicious server.
Automated detection and mitigation steps
There’s no doubt that manually detecting and removing a credit card skimmer can be a lot of work, and it’s not possible for a business owner to spend hours a day manually monitoring everything. which loads on its website.
If you’re looking for an automated solution, Sucuri’s website security monitoring regularly scans your environment for credit card skimming infections like these. Whenever issues are discovered, you will be immediately notified through our customizable alert system so investigation and resolution can begin.
For site owners who need a helping hand with cleanup, our website malware removal services can help you detect and remove credit card skimmers, backdoors, or other malicious infections found in your site environment.