Statistically, nearly 6,700 Magento online stores running on top of Magento platform infected with Visbot malware which hides on web servers, steals credit card information and then encrypts it, hides it inside an image and sends the encrypted credit card data to a crook’s servers afterward.
Visbot is not a new threat, it was discovered in late March 2015 by SnapFast; however, it still causes many damages to online websites as well as threats the customers of these websites.
This malware has still kept a low profile because it is very hard to detect its infections, and not many site owners have been able to detect anything wrong in the first place.
Visbot is different and hard to detect
Different from other Magento malwares, which collects credit card, Visbot doesn’t work on the site’s frontend, via code exposed to researchers and end users, it only works with server-side code, never exposing itself. Only webmasters can discover Visbot infections but they just can find it in the first place.
This malware attacks users by waiting for them credit card data, intercepting it on the server-side, and then Visbot takes this data, using a public encryption key to encrypt this data.
Visbot uses steganography to steal data
Visbot will use steganography technique to pack the encrypted data inside an image file. And this image will be left in one of the site of public folders, and the malware author retrieves it at regular intervals. If sites are running firewalls, all they see is a user downloading an image, a very common occurrence, especially on e-commerce stores.
These are the names of the files where Visbot usually hides stolen credit card data:
bkg_btn-close2_bg.gif btn_back_bg_bg.gif btn_cancel_bg_bg.gif left_button_back.gif mage.jpg nav1_off_bg.gif notice-msg_bg.png section_menu_link_bg_bg.gif sort-arrow-down_bg.png
The father of Visbot owns a private encryption key which is combined with the public key can encrypt data. It means excepting the author of Visbot, no one can download the images extract credit card details and steal data.
How to detect sites infected with Visbot?
To keep track of sites infected and see whether they are still infected, the author of Visbot will use a special user agent.
This is also how other webmasters can check if their sites are infected with Visbot. They can do this by running the following Linux command:
curl -LH 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;email@example.com)' \ http://your-site.com
Visbot infections usually take place when a hacker gains access to a Magento store, either by brute forcing connections or by leveraging vulnerabilities against dispatched websites.
You should keep your Magento store undated and use strong passwords in order to avoid Visbot infections and other attacks. Besides, referring solutions for security website is a preferred way helping you prevent your Magento website better.