Manual identification of an X-Cart credit card skimmer

By Meaghan H. Gonzales
May 5, 2022

During a recent investigation, a new customer informed us that his antivirus had detected a suspicious domain loading on the payment page of his website. We regularly receive reports like these as they are a telltale indicator of a credit card skimmer infection.

Our research and remediation teams frequently find credit card skimmers on Magento websites, and more recently on WordPress. In this case, however, the client was using a lesser known e-commerce solution, X-Cart. W3techs.com estimates X-Cart's CMS market share at under 0.1%, compared with roughly 64% for WordPress and 1.6% for Adobe platforms such as Magento.

In the spirit of security education, we will describe the process used to investigate and manually detect a credit card skimmer in a compromised X-Cart environment, as well as some steps you can take to mitigate the risk to your own websites.

X-Cart Credit Card Thief Manual Detection

Before we get started, it's important to note that JavaScript-based credit card skimmers are loaded and executed by the visitor's own web browser, and are typically designed to capture sensitive form inputs and exfiltrate them to a remote server. Because the exfiltration request is made from the visitor's browser, it shows up in that browser's own network traffic, which makes this kind of skimmer easier to spot than one that runs on the server side (in PHP, for example), where the stolen data leaves from the web server and the visitor sees nothing unusual.

Almost all modern web browsers include developer tools, which show what is actually happening when you visit a website. The Network tab logs every request the browser makes while loading a given page, so you can see what is going on "in the background".

Our client had already identified the malicious domain as hxxps://metahtmlhead[.]com, which gave us a starting point for the investigation. The next step was to find the corresponding request in the developer tools.

JavaScript malware can send sensitive data to a third party without the website visitor's knowledge. If the visitor is watching their network traffic, however, requests to a suspicious server stand out immediately in the Network tab.
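The same triage can be scripted rather than eyeballed. The following is an added example, not code from the original post or from Sucuri: it groups a page's resource requests by host and flags every host that is not on a short allowlist, which catches a look-alike domain as well as an outright unknown one (a denylist of known-bad hosts would not). The allowlist, the shop.example host and the look-alike host are assumptions; only metahtmlhead.com is taken from the post. In a browser you would feed it performance.getEntriesByType('resource') from the console on the payment page; here the entries are constructed so the script runs under Node.

```javascript
'use strict';
// Added example (not code from the original post): list the requests a page made,
// grouped by host, and flag every host that is not on a short allowlist. In a
// browser, run it from the console on the payment page with
//   printTriage(performance.getEntriesByType('resource'), ALLOWED_HOSTS)
// SAMPLE_ENTRIES below are constructed; only metahtmlhead.com comes from the post.

// Assumption: the shop's own host plus one legitimate third party. On a checkout
// page this list should be short, and anything outside it deserves a look.
const ALLOWED_HOSTS = new Set(['shop.example', 'www.google-analytics.com']);

// Constructed entries shaped like PerformanceResourceTiming: name, initiatorType.
const SAMPLE_ENTRIES = [
  { name: 'https://shop.example/skin/common_files/check_cc_number_script.tpl', initiatorType: 'script' },
  { name: 'https://shop.example/cart.php?mode=checkout', initiatorType: 'fetch' },
  { name: 'https://www.google-analytics.com/analytics.js', initiatorType: 'script' },
  // Constructed look-alike domain: a denylist of known-bad hosts would miss it.
  { name: 'https://www.googie-analytics.com/analytics.js', initiatorType: 'script' },
  // Exfiltration beacon to the domain named in the post, as an image request with
  // a (constructed) base64 blob of form fields in the query string.
  { name: 'https://metahtmlhead.com/gate?d=eyJjY19udW1iZXIiOiI0MTExIn0', initiatorType: 'img' },
];

// Hostname of a request, or null if the entry is not an http(s) URL.
function hostOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.hostname.toLowerCase() : null;
  } catch (e) {
    return null;
  }
}

// Group entries by host and separate out the hosts that are not allowlisted.
function triageRequests(entries, allowedHosts) {
  const byHost = new Map();
  for (const entry of entries) {
    const host = hostOf(entry.name);
    if (host === null) continue;
    if (!byHost.has(host)) byHost.set(host, []);
    byHost.get(host).push({ url: entry.name, type: entry.initiatorType });
  }
  const flagged = [];
  for (const [host, requests] of byHost) {
    if (!allowedHosts.has(host)) flagged.push({ host, requests });
  }
  return { byHost, flagged };
}

// Print the grouped view with unexpected hosts marked "!!", and return them.
function printTriage(entries, allowedHosts) {
  const { byHost, flagged } = triageRequests(entries, allowedHosts);
  for (const [host, requests] of byHost) {
    console.log(`${allowedHosts.has(host) ? '   ' : '!! '}${host}`);
    for (const r of requests) console.log(`      ${r.type.padEnd(8)} ${r.url}`);
  }
  return flagged;
}

printTriage(SAMPLE_ENTRIES, ALLOWED_HOSTS);
```

An image request (initiatorType "img") to an unknown host carrying a long query string is the classic beacon shape for this kind of exfiltration, since a `new Image().src = ...` assignment is not subject to CORS and needs no response. Keep the allowlist honest: every host on it should be one you can explain.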

Did you know?
It's not uncommon for JavaScript malware to detect that your browser's developer tools are open and refuse to execute if they are. You can work around this by monitoring the traffic outside the browser instead (an intercepting proxy or a packet capture sees the request regardless of what the script checks), or sometimes simply by detaching the developer tools from the browser window, since some of these checks rely on the window's inner and outer dimensions differing when the tools are docked.

Once we had identified the malicious request in the developer tools, we could check the request's initiator in the same panel to determine exactly which line of code issued it.

The initiator is usually a file, such as /cart.php or /analytics.js; in our case it was VM338:1. The "VM" prefix means the script was not loaded from a file but compiled at runtime (Chrome's developer tools give such scripts a VM<number> name), which usually points to eval(), a common tactic among malware authors. Hovering over the initiator shows the full call chain that led to the request.

For example, an eval() call on line 5 of a website's index file would produce an initiator chain like this:

[Screenshot: initiator chain pointing at the eval() statement in the index file]

Following the chain for the suspicious requests on the client's basket.php page, we traced the infection to an eval() statement buried roughly 3,000 lines into the page's HTML source:

[Screenshot: credit card skimmer injection in the HTML source of the hacked X-Cart site]

With the injected code in hand, we could search the website's files and database to find exactly where it lives on the server. A search for the string eval(decodeURIComponent('(function turned it up: the infection had been added to a core X-Cart template with the path ./skin/common_files/check_cc_number_script.tpl.

The template check_cc_number_script.tpl is meant to validate the credit card details entered on the payment form, for example to ensure the CVV field is not left blank before the payment is submitted. Because it already loads on the payment page and already has access to the card fields, injecting malicious code into this one file is all an attacker needs to send every card number entered there to a remote server.

Automated detection and mitigation steps

There's no doubt that manually detecting and removing a credit card skimmer is a lot of work, and it isn't realistic for a business owner to spend hours a day watching everything that loads on their website.

If you’re looking for an automated solution, Sucuri’s website security monitoring regularly scans your environment for credit card skimming infections like these. Whenever issues are discovered, you will be immediately notified through our customizable alert system so investigation and resolution can begin.

For site owners who need a helping hand with cleanup, our website malware removal services can help you detect and remove credit card skimmers, backdoors, or other malicious infections found in your site environment.
