
Magento 2 Under Attack: Unmasking the Persistent Skimmer Hiding in core_config_data

How malicious scripts exploit core_config_data in Magento

The Silent Threat: Persistent Skimming on Magento 2.4.6 Uncovered

In the dynamic world of e-commerce, security is not just a feature; it's the foundation of trust and business continuity. Magento, a powerful and flexible platform, unfortunately remains a prime target for sophisticated cyberattacks. A recent GitHub issue (#40466) has brought to light a particularly insidious and persistent skimmer injection targeting a Magento 2.4.6 Community Edition store, exposing a critical hardening gap that every merchant needs to understand.

At Shopping Mover, we specialize in Magento migrations and understand the intricate security landscape of the platform. This incident serves as a stark reminder of the constant vigilance required to protect your digital storefront.

The Alarming Discovery: A Whack-a-Mole Battle

The issue author, Arsalanulhaq, reported a deeply troubling scenario: an unauthorized credit card payment method mysteriously appeared on their production Magento 2.4.6 checkout. This wasn't a simple misconfiguration. Further investigation quickly revealed a large, heavily obfuscated JavaScript script being injected and executed in the footer of all pages. What made this attack particularly concerning was its persistence; the attacker was continuously re-injecting the malicious payload every 2-3 days, forcing the merchant into a relentless, exhausting cycle of detection and removal.

This 'whack-a-mole' scenario is a nightmare for any e-commerce business, disrupting operations, eroding customer trust, and posing a significant risk of data breaches.

Featured Illustration: Protecting your Magento checkout from hidden threats.

Deep Dive into the Attack Vector: Exploiting core_config_data

The heart of this compromise lay within Magento's database, specifically the core_config_data table. This table stores all system configurations, including design settings. The attacker had cunningly injected the malicious script into the design/footer/absolute_footer path for all store views. This path is intended for legitimate theme customizations, allowing administrators to add custom HTML or JavaScript to the site's footer. In this case, it became a backdoor for a sophisticated skimmer.

The injected script was designed for stealth. It was heavily obfuscated, making it difficult to analyze and detect using standard security tools. Here's a snippet of the observed payload, demonstrating its complexity:

This JavaScript decodes itself at runtime using Function(u83215)["call"]();, allowing it to dynamically inject and execute malicious code that hooks into the checkout process, captures payment card details, and sends them to an external server – the hallmark of a Magecart attack.

The Gravity of the Threat: Magecart and Skimming

This incident is a classic example of a Magecart attack, where cybercriminals inject malicious code into e-commerce websites to skim customer payment information. These attacks are particularly dangerous because they often go undetected for extended periods, silently siphoning sensitive data directly from your customers' browsers. The impact can be devastating: financial losses, severe reputational damage, loss of customer trust, and hefty fines for non-compliance with PCI DSS regulations.

Unmasking the Root Cause: Where Did the Attack Originate?

While the GitHub issue details the payload and its persistence, the initial attack vector remains unknown. This is often the most challenging part of a compromise. Potential entry points include:

  • Weak Admin Credentials: Compromised or easily guessed admin passwords.
  • Unpatched Vulnerabilities: Exploitation of known security flaws in Magento core, installed extensions (the store had numerous Amasty, Fooman, Mageplaza, Mirasvit, Smartwave, and other plugins), or the underlying server infrastructure (PHP, web server).
  • Supply Chain Attacks: A compromised third-party extension or theme.
  • Server-Level Compromise: Direct access to the server through SSH or other means.

The fact that the attacker could repeatedly inject the script suggests either a persistent backdoor or an unpatched vulnerability that was continuously exploited.

In-Content Illustration: How malicious scripts exploit core_config_data (a script injected into the 'design/footer/absolute_footer' path).

Immediate Actions for Compromised Stores

If you suspect your Magento store has been compromised by a skimmer, immediate action is paramount:

  1. Isolate and Remove: Take your store offline or put it into maintenance mode. Immediately remove any suspicious scripts from core_config_data (paths like design/footer/absolute_footer, design/head/includes) and other potential injection points.
  2. Change All Credentials: Reset all admin passwords, database credentials, server SSH keys, and API keys.
  3. Scan for Malware: Use reputable security scanners to identify any other malicious files or backdoors.
  4. Review Logs: Scrutinize server access logs, Magento logs, and database change logs for unusual activity.
  5. Notify Customers & Authorities: Depending on the extent of the breach, you may be legally obligated to inform affected customers and relevant authorities.
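The audit below is an added example (not code from the GitHub issue or from Magento) that supports step 1: it walks the design/* rows of core_config_data and flags values that carry an external script include, the Function(...)["call"] self-decoding pattern described above, eval-style decode primitives, or a long opaque blob. The in-memory SQLite table, its rows, the hostnames and the variable name u83215 are constructed for the demo; on a real store you would run the same SELECT against MySQL.

```python
import re
import sqlite3

# Admin-editable HTML slots: the path abused in the issue and the other one named in step 1.
HTML_SLOTS = ("design/footer/absolute_footer", "design/head/includes")

# Heuristics for injected skimmer loaders (example patterns, not an exhaustive signature set).
SUSPICIOUS = (
    (re.compile(r"<script[^>]*\bsrc\s*=", re.I), "external script include"),
    (re.compile(r"Function\s*\([^)]*\)\s*\[\s*[\"']call[\"']\s*\]"), "Function(...)['call'] runtime decode"),
    (re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\("), "decode/eval primitive"),
    (re.compile(r"[A-Za-z0-9+/=]{200,}"), "long opaque blob"),
)

def audit_rows(rows):
    """rows: iterable of (config_id, scope, scope_id, path, value) from core_config_data.
    Returns one finding per design/* row whose value looks like injected script."""
    findings = []
    for config_id, scope, scope_id, path, value in rows:
        if not value or not path.startswith("design/"):
            continue
        reasons = [label for rx, label in SUSPICIOUS if rx.search(value)]
        if path in HTML_SLOTS and "<script" in value.lower():
            reasons.append("inline <script> in an admin HTML slot")
        if reasons:
            findings.append({"config_id": config_id, "scope": f"{scope}:{scope_id}",
                             "path": path, "reasons": reasons})
    return findings

def constructed_db():
    """In-memory stand-in for the MySQL table, seeded with constructed rows: a clean
    footer, a footer mimicking the issue's self-decoding loader, and an external include."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE core_config_data (config_id INTEGER, scope TEXT, "
               "scope_id INTEGER, path TEXT, value TEXT)")
    loader = '<script>var u83215="' + "QUJD" * 60 + '";Function(u83215)["call"]();</script>'
    db.executemany("INSERT INTO core_config_data VALUES (?,?,?,?,?)", [
        (1, "default", 0, "design/footer/copyright", "Copyright &copy; Example Store"),
        (2, "stores", 1, "design/footer/absolute_footer", loader),
        (3, "default", 0, "design/head/includes",
         '<script src="https://cdn.example.invalid/t.js"></script>'),
    ])
    return db

def audit_db(db):
    """Audit every design/* row; on a live store pass a MySQL connection instead."""
    cur = db.execute("SELECT config_id, scope, scope_id, path, value "
                     "FROM core_config_data WHERE path LIKE 'design/%' ORDER BY config_id")
    return audit_rows(cur.fetchall())

if __name__ == "__main__":
    for f in audit_db(constructed_db()):
        print(f"config_id={f['config_id']} {f['scope']} {f['path']}: {', '.join(f['reasons'])}")
```

Treat every finding as a row to preserve (export it for forensics) before you clear it, since the value is your best evidence of what the loader fetched.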

Proactive Defense Strategies: Fortifying Your Magento Store

Prevention is always better than cure. Here's how to harden your Magento security:

  • Stay Updated: As highlighted in the GitHub comments, the store was running Magento 2.4.6, which, while relatively recent, already had 13 security patches available (2.4.6-p13). Always apply the latest security patches and upgrade to the newest stable versions of Magento Open Source or Adobe Commerce. Magento 2.4.6's end-of-life is scheduled for August 11, 2026, making upgrades even more critical.
  • Strong Security Practices: Enforce Multi-Factor Authentication (MFA) for all admin users, use strong, unique passwords, and adhere to the principle of least privilege.
  • File Integrity Monitoring (FIM): Implement FIM to detect unauthorized changes to your Magento codebase.
  • Content Security Policy (CSP): Configure a robust Content Security Policy (CSP) to restrict which scripts can be executed on your site, significantly mitigating XSS and skimming attacks. The presence of Kunstt\Csp in the issue's plugin list indicates awareness, but proper configuration is key.
  • Web Application Firewall (WAF): Deploy a WAF to filter and block malicious traffic before it reaches your application.
  • Regular Security Audits: Engage security experts for periodic penetration testing and vulnerability assessments.
  • Extension Management: Carefully vet all third-party extensions. Keep them updated, remove any unused ones, and ensure they come from trusted sources. A large number of extensions, as seen in the issue, can increase the attack surface.
  • Database Monitoring: Implement monitoring for changes to critical database tables like core_config_data, especially paths related to design and script injection.
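For the database-monitoring point, here is an added example (not Magento code) of the baseline-and-diff approach: hash every design/* value in core_config_data, store the hashes outside the database, and alert when a scheduled re-run sees a row added, removed or modified. The two snapshots are constructed to mirror the issue's re-injection cycle; the hostname and values are made up.

```python
import hashlib

# Constructed snapshots of core_config_data rows (scope, scope_id, path, value).
# Day 0 is the clean baseline; day 3 is after the attacker re-injected the footer script.
SNAPSHOT_DAY0 = [
    ("default", 0, "design/footer/copyright", "Copyright &copy; Example Store"),
    ("stores", 1, "design/footer/absolute_footer", ""),
    ("default", 0, "web/secure/base_url", "https://shop.example.invalid/"),
]
SNAPSHOT_DAY3 = [
    ("default", 0, "design/footer/copyright", "Copyright &copy; Example Store"),
    ("stores", 1, "design/footer/absolute_footer", "<script>/* obfuscated loader */</script>"),
    ("default", 0, "web/secure/base_url", "https://shop.example.invalid/"),
]

def fingerprint(rows, prefix="design/"):
    """Hash the value of every row under `prefix`, keyed by scope:scope_id:path.
    Rows outside the prefix (e.g. web/*) are ignored so routine changes do not page anyone."""
    fp = {}
    for scope, scope_id, path, value in rows:
        if path.startswith(prefix):
            fp[f"{scope}:{scope_id}:{path}"] = hashlib.sha256((value or "").encode()).hexdigest()
    return fp

def diff_fingerprints(baseline, current):
    """Alert events for rows added, removed or modified since the baseline was taken."""
    events = []
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            events.append({"key": key, "change": "added"})
        elif key not in current:
            events.append({"key": key, "change": "removed"})
        elif baseline[key] != current[key]:
            events.append({"key": key, "change": "modified"})
    return events

def check_sample():
    """Run the day-3 snapshot against the day-0 baseline; any event is an alert."""
    return diff_fingerprints(fingerprint(SNAPSHOT_DAY0), fingerprint(SNAPSHOT_DAY3))

if __name__ == "__main__":
    for event in check_sample():
        print(f"ALERT core_config_data {event['change']}: {event['key']}")
```

Re-baseline only after a change has been reviewed as a legitimate admin edit; an event on design/footer/absolute_footer with no matching admin action is the re-injection this issue describes.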

The Migration Imperative: A Secure Future with Shopping Mover

Staying on older, unpatched Magento versions significantly increases your risk exposure. As e-commerce migration experts at Shopping Mover, we often see that security concerns are a primary driver for merchants considering a platform upgrade or migration. A migration to the latest version of Magento Open Source or Adobe Commerce is not just about new features; it's a golden opportunity to rebuild your store with a strong security posture from the ground up.

Our team can help you assess your current security landscape, plan a secure migration, and implement best practices to protect your business against evolving threats. Don't wait for a compromise to act. Proactive security is the best defense.

For a comprehensive security audit or to discuss a secure Magento migration, contact Shopping Mover today.
