SnapFast discovers new “mage.jpg” malware

Today we are featuring Winston from SnapFast, a Magento optimized hosting provider, which would like to alert our readers for a newly discovered Magento malware which is, very descriptively, called the “mage.jpg” malware.

Why the mage.jpg malware?

When the hack (which manifests in

<span class="text">app/Mage.php</span>

) intercepts payment details such as credit card numbers and billing addresses, it encrypts the data and saves it as a fake mage.jpg file in the Magento root directory. This file can later be downloaded, decrypted, and used for no good. The malware even includes a clever way for the hackers to remotely delete the mage.jpg file after they’ve downloaded its contents. This way, they can reduce the trace left behind and thus the chances of being discovered. There are multiple ways that this – and other – malicious code could be injected into a Magento installation. In the article, SnapFast covers a few ways (think malicious third party modules or a compromised server) that would-be hackers could potentially use to inject this or similar malicious code into your Magento installation. If it has been a while you have verified the integrity and security of your Magento installation and its environment, this might be a good time to do it.

More details

For full details about the hack and to view the source code, visit the original article on the SnapFast blog which contains all the details. If you’ve ever had to deal with a hack or malware infecting your Magento store, please leave a comment below and let us know the details!