Magento Sites Hit by Stealthy Credit Card Skimmer Using Swap Files

Threat actors have been observed using swap files on compromised websites to conceal a persistent credit card skimmer and steal payment information.

This stealthy technique was identified by Sucuri on a Magento e-commerce site’s checkout page, enabling the malware to persist through multiple cleanup attempts, according to the company.

The skimmer captures all data entered into the credit card form on the website and exfiltrates the details to an attacker-controlled domain, “amazon-analytic[.]com,” which was registered in February 2024.

“Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors to evade detection,” security researcher Matt Morrow said.

One of the many evasion methods used by the threat actors is abusing an editor swap file (“bootstrap.php-swapme”) to load the malicious code while the original file (“bootstrap.php”) stays clean, so a scan of the real file turns up nothing.

“When files are edited directly via SSH, the server creates a temporary ‘swap’ version in case the editor crashes, preventing data loss,” Morrow explained. “The attackers leveraged a swap file to keep the malware on the server and evade typical detection methods.”

The initial access method in this case is unclear, but it is suspected to involve SSH or another terminal session.
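A check a responder would run after reading the above, added here as an example and not part of Sucuri's report or tooling: walk the webroot for editor swap and backup artifacts, and for PHP files that include or require one. The only name taken from the article is “bootstrap.php-swapme”; the other suffixes are common vim/nano/emacs leftovers, and the include/require check is an assumption about how such a file might get pulled into execution (the page does not say how it was loaded). The sample tree is constructed inside a temp directory.

```python
"""Scan a web root for editor swap/backup artifacts and PHP that loads them.

Added example, not Sucuri's code. Only "bootstrap.php-swapme" comes from the
article; the other suffixes and the include/require heuristic are assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

ARTIFACT_PATTERNS = [
    re.compile(r".*-swapme$"),            # suffix reported in the article
    re.compile(r"^\..*\.sw[a-p]$"),        # vim swap files: .bootstrap.php.swp, .swo, ...
    re.compile(r".*~$"),                   # emacs / nano backup copies
    re.compile(r".*\.save$"),              # nano emergency save
    re.compile(r".*\.(bak|orig|old)$"),    # hand-made backups left in the webroot
]

# include/require of a quoted path; the target is checked against the patterns above.
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b\s*\(?\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def is_artifact_name(name: str) -> bool:
    """True if a bare file name looks like an editor swap/backup artifact."""
    return any(p.match(name) for p in ARTIFACT_PATTERNS)


def scan_webroot(root) -> dict:
    """Return artifact files and (php_file, target) pairs that include one."""
    root = Path(root)
    artifacts, loaders = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if is_artifact_name(path.name):
            artifacts.append(rel)
        if path.suffix.lower() == ".php":
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for m in INCLUDE_RE.finditer(text):
                target = m.group(2)
                if is_artifact_name(os.path.basename(target)):
                    loaders.append((rel, target))
    return {"artifacts": sorted(artifacts), "loaders": sorted(loaders)}


def build_demo_webroot(base) -> Path:
    """Constructed sample tree (not real samples): a clean bootstrap.php, a
    -swapme sibling standing in for the payload, a vim swap file, and an
    index.php that quietly requires the -swapme file."""
    base = Path(base)
    (base / "app" / "etc").mkdir(parents=True, exist_ok=True)
    (base / "app" / "bootstrap.php").write_text("<?php\n// clean, as a scan of the real file sees it\n")
    (base / "app" / "bootstrap.php-swapme").write_text("<?php\n// stand-in for the skimmer loader\n")
    (base / "app" / ".env.php.swp").write_text("vim swap residue\n")
    (base / "app" / "etc" / "env.php").write_text("<?php\nreturn [];\n")
    (base / "index.php").write_text("<?php\nrequire 'app/bootstrap.php-swapme';\n")
    return base


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(build_demo_webroot(tmp))


if __name__ == "__main__":
    findings = run_demo()
    for rel in findings["artifacts"]:
        print(f"ARTIFACT  {rel}")
    for php, target in findings["loaders"]:
        print(f"LOADER    {php} -> {target}")
```

Point `scan_webroot()` at a real document root to use it; anything it lists as a LOADER deserves a look even if the artifact itself has since been deleted, since that is the reinfection path.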

Meanwhile, compromised administrator accounts on WordPress sites have been used to install a malicious plugin disguised as the legitimate Wordfence plugin. This rogue plugin creates fake admin users and disables Wordfence while misleadingly showing that everything is functioning correctly.

Security researcher Ben Martin noted, “For the malicious plugin to be placed on the site, it must have already been compromised. However, this malware can serve as a reinfection vector.” The malicious code targets WordPress admin pages with ‘Wordfence’ in the URL.

Site owners are advised to restrict common protocols such as FTP, SFTP, and SSH to trusted IP addresses and to keep content management systems and plugins up to date. Enabling two-factor authentication (2FA), using a firewall to block bots, and hardening wp-config.php with settings such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are also recommended.
