Hackers Abuse Swap File In Shopping Sites To Inject Credit Card Skimmer

Since the Swap file stores data that the system’s RAM cannot hold, these contents often contain critical data like passwords, encryption keys, and session data, due to which hackers often target Swap files.

So, hackers can access and extract essential data by exploiting the Swap file without needing direct access to the system’s active memory.

A recent investigation by the researchers at Sucuri has shown that it is possible to exploit a website’s swap file to create a persistent credit card skimmer on the Magento e-commerce platform.

Hackers Abuse Swap File

This ingenious method allowed the malware to survive multiple removal attempts.

On the checkout page, there was a security compromise regarding source code; some malicious scripts with such signs as binary and hexadecimal converted characters were found.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Decoding these files revealed an intention to capture credit card information, which means that threat actors might turn even harmless system parts into criminal tools.

When a compromised checkout page has a malicious script, a custom-bound button can capture credit card data.

Sensitive information such as card details, name, and address is collected using querySelectorAll.

It used to be associated with credit card theft in February 2024, as well as the domain amazon-analytic[.]com that was registered then.

Besides this, threat actors can use popular brand names to avoid recognition, and this is an example of their tactics.

In a Magento site, the bootstrap.php file had been compromised and contained a credit card skimmer that was base64 encoded but persisted even after deleting and restarting.

The cause of this was an unseen trade file named bootstrap.php-swapme which came about due to SSH editing.

This method enabled the malware-infected system to escape detection and survive all clean-up actions.

Attackers used the swap file mechanism to keep themselves embedded in the server. After removing this hidden swap file and clearing caches, the checkout page became clean, reads the Sucuri report.

To highlight the need for comprehensive security measures, persistent swapping files get exploited by malware.

For instance, SSH likely initiated this attack, consequently stressing the significance of restricting administrative access to trusted IPs.

Some crucial precautions involve deploying a website firewall, regularly updating content management systems and plugins, and restricting access to admin panels.

If you don’t want to do it yourself, then you can use professional cleanup services or DIY guides to help you clean infected sites.

This illustrates how the threat actors exploit hidden functionality in systems, highlighting the need for e-commerce environments with multiple layers of security.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.