, , ,

Visbot Malware- a Vital Threat to Magento based Online Stores

Attention! All the Magento users, the websites or Online Stores are often hit by a Malware named Visbot. It hides on web servers & steals credit card information then it will encrypt it, hide it inside an image and then it will send the encrypted credit card data to a crook’s servers thereafter.
Visbot was first discovered in late March 2015 by SnapFast, a hosting company. The malware has managed to keep a low profile because it is difficult to detect Visbot infections, and not many site owners have been successful in detecting anything wrong in the first place.
Visbot uses steganography to steal data
The encrypted data that is hidden inside an image file is done using a technique known as steganography, the technique to hide text-based data inside the image files. Visbot will then leave that image in some site’s public folders, and then the malware author will get access to those files at regular intervals from that folder. This is how they manage to hide from the eyes of the protectors.

Visbot usually hides stolen credit card data in an image with names that are mentioned below:
Bkg_btn-close2_bg.gif
btn_back_bg_bg.gif
btn_cancel_bg_bg.gif
left_button_back.gif
mage.jpg
nav1_off_bg.gif
notice-msg_bg.png
section_menu_link_bg_bg.gif
sort-arrow-down_bg.png

The Visbot author holds a private encryption key and when that key is combined with the public key, the author can then easily decrypt the data.
How to detect sites infected with Visbot?
Willem de Groot a security analyst for Byte.nl, the malware has an Achille’s heel. The site owners can detect Visbot by running the following Linux command:
“curl -LH ‘User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)’ \ http://your-site.com”
Or you can visit MageReport, a website that provides complete security checks for Magento based sites. Those who can’t access a Linux terminal can use MageReport to detect if their store is infected with Visbot or not.

Till now, there were 6,691 Magento stores infected with Visbot threat. The affected store owners are now being contacted.
Visbot can infect your website when a hacker gains access to the store, either by brute-forcing connections or by taking advantage of vulnerabilities built in unpatched websites. Thus, we advise all our clients to keep their Magento store up to date and also suggest to use strong passwords to avoid infections like Visbot or other credit card stealers.