Magento hosting provider Nexcess has uncovered a new exploit in which Magento core files were modified so that credit card data is copied during the checkout process.
According to a blog post by Nexcess last week, the exploit was uncovered when it was recently contacted by a client regarding a Common Point of Purchase Investigation initiated by a credit card user. Its security team began an internal investigation to find the cause of the fraudulent activity on the client’s account.
The modified code logs the skimmed credit card data to a fake image file in the media folder, a location the web server serves to anyone who knows the path, and the attacker later retrieves those files remotely without needing any further access to the site.
While only 39 of its customers' sites were affected, Nexcess is urging Magento users to check whether their site has been compromised and to take corrective steps. According to Nexcess, there are several ways to check for a problem, including looking for fake image files.
The exploit comes shortly after Magento shut down two of its ecommerce products designed for small and mid-sized retailers, giving customers of its Magento Go and ProStores products until Feb. 1, 2015 to transfer their stores to a new ecommerce platform.
Nexcess said it contacted affected clients before the credit card processing companies detected the problem.
“If you are hosted with us and have not been contacted by our security team regarding this issue, then we believe your site has not been affected by this exploit. We are committed to the safety and security of your data and we take these issues very seriously. As a precaution, we are running hourly scans of our infrastructure to detect any further compromises.”
Nexcess is sharing more information about the nature of the exploit on its blog, and said that every exploited site also contained a remote PHP shell, which gave the attacker a backdoor to the site.
If a site has been compromised, Nexcess suggests that users quarantine the affected files, change the Magento admin passwords, alert their credit card processor to the breach and notify their hosting provider.