Reports of a new Javascript Malware Issue in Magento have been posted on the Magento Security news website, it would appear that the exploit allows the attacker to extract credit card information by forwarding the information from your sites checkout pages to a remote site.

Which Magento Sites are Affected?

It would appear that most of the affected sites are those where the Shoplift Patch from February of 2015 was not applied or the site was compromised prior to the patch being implemented. Attackers can of course also get admin access to your website via weak passwords, phishing and other un-patched security vulnerabilities, so please ensure you have your Magento store fully patched and ideally running the latest possible version.

How to check if your Magento Site is affected:

There is a quick test you can perform to check if your site has been compromised in this particular instance, using a web browser for instance Google Chrome navigate to the main page of your website and open the source code view and search for the following strings in the HTML source code:

    • eval(atob(
    • regexp(‚Äúcheckout
    • Regexp(‚Äòcheckout
    • Regexp(‚Äúonepage
    • Regexp(‚Äòonepage
    • Regexp(‚Äúonestep
    • Regexp(‚Äòonestep

Note: the case of those strings can be different (e.g regexp, RegExp, etc.)

Even if you do not find the above strings in your HTML output it is still worth just manually checking your Magento configuration, and also make sure that all Magento patches have been applied and your system is up to date.

There are other checks that it is highly recommended that you should make, see the following page: New Magento Javascript Malware.