New breeds/chains of malware are constantly being developed to steal payment card data and we are in a fortunate position in that we get to see a lot of that malware early on - through forensic investigations or through our FGX-Web service. 

Previously we have witnessed JavaScript malware which monitors all input fields and checks to see if there are any numerical values that match the length of a card number using a regular expression - a highly effective payment card harvester.

However, recently we are seeing the old malware being regenerated so that it goes undetected by the anti-malware scanners many organisations provide. It is stored in places that are harder to inspect, meaning more advanced scanning methods are required. This malware is typically stored in the database of Magento installs, so a typical anti-malware solution will not identify it (most website anti-malware scanners scan the file system, not the database), and File Change Monitoring will not pick it up either, because nothing on the website file system changes.

FGX-Web Protect's anti-malware scanning is one of the industry's only anti-malware scanners currently able to detect this malicious JavaScript both externally and internally.

We have made this scanner available for free - check your website to see if it is currently hiding this malware by using our external scanner WebScan.

With this new malware we are also seeing the typical regular expression which identifies a card number being replaced with a pseudo payment form, which customers are tricked into filling out before completing their order. The malicious JavaScript then pulls down the harvesting script from an external server and uses it to pull the relevant customer card data from the pseudo form, which it then sends off to be harvested externally. You could also call it "cloud harvesting".
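As an added illustration (not code from this post or from FGX-Web), the sketch below shows the kind of internal check a file-only scanner skips: reading admin-editable HTML out of the database and flagging any script loaded from a host the store does not own. The table layout is modelled on Magento's `core_config_data` (an assumption, since the post does not name where the script is stored), and the rows, hostnames and allow-list are constructed.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts the store legitimately loads scripts from (constructed allow-list).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# src= on <script> tags, plus URLs assigned to .src inside inline JavaScript.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
INLINE_SRC = re.compile(r"\.src\s*=\s*[\"']([^\"']+)[\"']", re.I)

def external_host(url):
    """Return the host if url points off-site, else None (relative URLs are on-site)."""
    if url.startswith("//"):          # protocol-relative URL
        url = "https:" + url
    host = (urlparse(url).hostname or "").lower()
    return host if host and host not in ALLOWED_HOSTS else None

def scan_database(conn):
    """Return sorted (path, host) pairs for off-site script loads stored in the DB."""
    findings = set()
    # Assumed layout: one row per setting, HTML/JS held in the value column.
    for path, value in conn.execute("SELECT path, value FROM core_config_data"):
        text = value or ""
        for url in SCRIPT_SRC.findall(text) + INLINE_SRC.findall(text):
            host = external_host(url)
            if host:
                findings.add((path, host))
    return sorted(findings)

def build_sample_db():
    """Constructed rows: a clean include, a NULL value, a script tag, an inline loader."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_config_data (path TEXT, value TEXT)")
    conn.executemany("INSERT INTO core_config_data VALUES (?, ?)", [
        ("design/head/includes", '<script src="/js/theme.js"></script>'),
        ("design/head/title_prefix", None),
        ("design/footer/absolute_footer",
         '<script type="text/javascript" src="//static.collector.invalid/f.js"></script>'),
        ("design/footer/copyright",
         "<script>var s=document.createElement('script');"
         "s.src='https://pay.collector.invalid/form.js';"
         "document.head.appendChild(s);</script>"),
    ])
    return conn

if __name__ == "__main__":
    for path, host in scan_database(build_sample_db()):
        print(f"{path}: loads script from {host}")
```

A hit is a lead for review rather than proof of compromise, since legitimate third-party tags will also appear until they are added to the allow-list.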

Read more about this Cloud Harvesting technique on our blog.