Malware on Magento: what to do and how to stay safe

Malware (malicious software) that skims card details from customers has compromised thousands of unsecure Magento-based e-commerce businesses in 2018.

The breach was first noticed in late August, but is believed to have been impacting businesses for the last 6 months, with attackers planting skimmers on over 7000 stores to date.


The average recovery time is a few weeks, but at least 1,450 stores have hosted the MagentoCore.net parasite during the full past 6 months.

- Gwillem


It is of immediate concern to address any malicious code that may have infiltrated your e-commerce website. By understanding the potential danger and establishing clear auditing and update processes, you can rest assured that your business, customers and reputation are secure. Here's what we recommend:

How Malware works

The attackers gain access to the control panel of the Magento Store. This access takes advantage of security holes or compromised accounts, using malware or brute-forcing to gain entry.

The attackers then access the site’s source code and add a malicious script, hosted on the hacker's server, into the code.

This script skims (records) all customer details input on the website, before sending this personal information to the ‘magento.net’ server, registered in Moscow.

The malware is also disguised by a recovery mechanism that deletes the script, without a trace, after a certain period of time. On Magento specifically, this takes the form of a backdoor to cron.php, allowing malware to download malicious code before covering its tracks.

Gwillem also shared the following details on the specific names of the malware and accounts:

The file clean.json is PHP code that removes any competing malware from the site, searching for ATMZOW, 19303817.js and PZ7SKD.

The file clear.json changes the password of several common staff user names to how1are2you3.

See the full list on his original post

What information is stolen?

Your customers’ names, the bank details attached to their payment cards, and any other information typed directly into your website can be skimmed from the site by this malicious code.


What to do next

Contact your development team straight away and alert them to the potential issue. They will be able to scan your site’s code for the malware, to see if you’re at risk.

If nothing is found, begin a security update immediately to ensure that you aren’t at risk for future attacks.

Magento offers a Security Scan Tool.

If malware is found, we recommend your team takes the following steps:

1. Secure the site from any more attacks

Analyse backend logs against staff IPs and working hours to find where or when the breach may have occurred. If no anomalies are found, it could be that a staff computer has become infected and the hacker has hijacked the authorized session.
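The log check described in this step, as an added example that is not part of the original post. It assumes the backend is reached under `/admin`, that the web server writes the common "combined" access-log format, and that staff connect from 203.0.113.0/28 on weekdays between 08:00 and 18:00; all of these values and the sample log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Assumptions for this example (not from the original post):
STAFF_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]  # office/VPN egress range
WORK_DAYS = range(0, 5)    # Monday..Friday
WORK_HOURS = range(8, 18)  # 08:00-17:59 in the log's timezone
ADMIN_PREFIX = "/admin"    # change this if you use a custom backend path

# "combined" format: ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def triage(lines):
    """Return (time, ip, path, reasons) for backend requests worth reviewing."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PREFIX):
            continue  # unparsable line or storefront traffic
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = ipaddress.ip_address(m["ip"])
        reasons = []
        if not any(ip in net for net in STAFF_NETWORKS):
            reasons.append("non-staff IP")
        if ts.weekday() not in WORK_DAYS or ts.hour not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:
            findings.append((ts.isoformat(), str(ip), m["path"], reasons))
    return findings

# Constructed sample log lines (documentation IP ranges).
SAMPLE = [
    '203.0.113.5 - - [27/Aug/2018:10:15:02 +0000] "POST /admin/index/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [27/Aug/2018:10:20:11 +0000] "POST /admin/index/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Aug/2018:03:12:45 +0000] "POST /admin/cms_block/save/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [27/Aug/2018:10:21:00 +0000] "GET /checkout/cart/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [25/Aug/2018:23:40:00 +0000] "POST /admin/system_config/save/ HTTP/1.1" 302 0 "-" "curl/7.58"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An empty result on real logs is the case the paragraph above warns about: the requests came from a staff address in working hours, so the next place to look is the staff machines themselves.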


2. Find and close access to the malware or tampered code

Scan both back-end and front-end code for unauthorized changes, or backdoors where the malware could be attacking from.


3. Remove the offending malware

To do this you must remove the backdoors and unauthorised changes to your codebase. You should be conducting regular backups to your website. If you have a secure backup in place, revert to the last confirmed safe version straight away.

If you cannot restore from a backup and need to crawl the code for manual removal, the first place to look should be default or global headers and footers, as these are often where the malicious code is stored. It can also be in static minified JavaScript files, hidden deep in the code base. In this case, you must check all HTML/JS assets loaded during the checkout process, or any point where personal information is entered by customers.
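One way to run the manual crawl described above, as an added example that is not from the original post or from Magento. It flags the strings named earlier in this article and any `<script src>` pointing at a host outside an allowlist; the allowlist hosts, file extensions and sample footer are constructed assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Strings named in this article; the last three are the competing skimmers
# that clean.json searches for, so finding them also indicates a compromise.
MARKERS = ("magentocore.net", "ATMZOW", "19303817.js", "PZ7SKD")
# Assumption: the hosts your storefront legitimately loads scripts from.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}
EXTENSIONS = {".phtml", ".html", ".js", ".php", ".xml"}

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

def scan_text(name, text):
    """Return (file, line number, kind, detail) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        lowered = line.lower()
        for marker in MARKERS:
            if marker.lower() in lowered:
                findings.append((name, lineno, "marker", marker))
        for src in SCRIPT_SRC.findall(line):
            host = urlparse(src).hostname  # None for relative, same-site URLs
            if host and host not in ALLOWED_HOSTS:
                findings.append((name, lineno, "external-script", host))
    return findings

def scan_tree(root):
    """Scan every template, script and layout file under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample: a global footer template with one injected script tag.
SAMPLE_FOOTER = """<footer>
<script src="/js/footer.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script type="text/javascript" src="//static.skimmer.example/m.js"></script>
<!-- PZ7SKD -->
</footer>"""

if __name__ == "__main__":
    for finding in scan_text("footer.phtml", SAMPLE_FOOTER):
        print(finding)
```

A clean result does not clear the site, because an injected loader can be obfuscated or built at runtime; comparing the code base against a known-good backup or release remains the stronger check.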


4. Inform your customers of the breach.

Of course, no one wants to scare consumers or risk their business reputation, but it is vital to identify any customers whose data may be at risk and to inform them. In the climate of a post-GDPR society, online businesses should aim to present a trustworthy, honest and compliant company process to their valued client-base.


5. Re-evaluate your Security Policy

The best defence is a good offence. As a retailer trading online, your business should already be conforming to the standards laid out in the Payment Card Industry Data Security Standard (PCI-DSS) specification. This includes defining a robust disaster recovery and reporting process, laid out to deal with data breaches and site outages. Conformance to the aforementioned standards, combined with a service to patch, maintain and scan your website on an ongoing basis, will help to ensure your platform is locked down against any known vulnerabilities.

A secure, up-to-date site is extremely difficult for this kind of malware to manipulate. After conducting an audit of our clients’ sites, built and maintained by Magento-certified developers, we were happy to confirm no malware was detected anywhere.



If your team isn’t equipped to deal with the attack, or you’d like a second opinion for peace of mind, we’re here to help. Our experience across multiple industries, including omnichannel retailers and the security-conscious Public Sector, means we have the latest security knowledge and can detect breaches for all complexities of digital solutions.

Get in touch now for a free consultation about the security of your site.
