The Antropy OpenCart Blog

Checkout Page Malware - A Real OpenCart Hack We Investigated

Posted by Adem Kanca on June 11, 2026

When a checkout page gets compromised, it's one of the most serious issues an eCommerce store can face. Recently, we were contacted to investigate exactly that: a live malware infection that was actively attempting to steal customer payment data.

What we uncovered was far more sophisticated than a simple infected file upload.


The First Red Flag: Confirmed Fraudulent Charges After Checkout

The client initially reached out with a deeply concerning email:

“Customers are seeing fraudulent charges on their new cards... Us being the only shop they have used!”

At this point, the issue moved beyond suspicion and into a potential data breach scenario.

In cases like this, fraudulent card activity is often traced back to malicious scripts injected into checkout pages. These scripts are designed to silently intercept sensitive form data during the checkout process, including:

  • Cardholder details
  • Billing information
  • Login credentials

Because checkout pages handle the most sensitive data on an eCommerce site, they are a prime target for attackers.

At this stage, the immediate priority was to confirm whether the checkout page had indeed been compromised and was actively leaking customer data.


The Discovery: Hidden Credit Card Stealing JavaScript

After inspecting the front-end source code of the checkout page, we quickly found the issue.

A malicious JavaScript snippet had been injected directly into the page output, which:

  • Captured form input data at checkout
  • Intercepted account login details
  • Exfiltrated sensitive data off-site

The stolen data was being sent to a Telegram bot endpoint. This effectively meant customer data was being siphoned off in real time.


Multiple Entry Points: This Was Not a Single Vulnerability

Once we confirmed active data exfiltration, we expanded the investigation across the entire OpenCart installation.

What we found suggested multiple persistence points:

1. Unauthorised File Managers

We discovered file manager tools in several unexpected locations:

  • Admin directory
  • Catalog directory
  • Various Image directories

These tools are commonly abused by attackers because they allow:

  • Direct file uploads
  • Remote code execution
  • Persistent backdoors

In a clean OpenCart installation, these should not exist outside of controlled admin access - and certainly not duplicated in public-facing directories.
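The quickest way to find dropped file managers like the ones described above is to walk the install and look for PHP where PHP should never be, plus upload and code-execution primitives outside the directories where stock OpenCart uses them. The scanner below is an added example written for this post, not Antropy's tooling or OpenCart code; the "expected upload directories" list and the constructed sample tree (stand-ins for stock files plus two planted files) are assumptions, and the planted samples are deliberately non-functional.

```python
import re
import tempfile
from pathlib import Path

# Upload and code-execution primitives that a dropped file manager or web
# shell needs. Stock OpenCart uses some of these too (its own file manager
# lives under admin/), so they are only flagged outside expected locations.
UPLOAD_OR_EXEC = re.compile(
    r"\$_FILES|move_uploaded_file\s*\(|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(",
    re.IGNORECASE,
)

# Where the stock application legitimately handles uploads (assumption for
# this example; extend it for the extensions installed on the store).
EXPECTED_UPLOAD_DIRS = ("admin/", "system/")

# Directories that should only ever hold static assets, never PHP.
ASSET_ONLY_DIRS = ("image/",)


def scan_opencart_root(root):
    """Walk an OpenCart install and return [(relative_path, [reasons])] for
    PHP files that look like dropped file managers or shells."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel.startswith(ASSET_ONLY_DIRS):
            reasons.append("PHP file inside an asset-only directory")
        text = path.read_text(errors="replace")
        # Normalise each hit to its bare name, e.g. "eval (" -> "eval".
        hits = sorted({m.group(0).split("(")[0].strip() for m in UPLOAD_OR_EXEC.finditer(text)})
        if hits and not rel.startswith(EXPECTED_UPLOAD_DIRS):
            reasons.append("upload/exec primitives outside admin/ or system/: " + ", ".join(hits))
        if reasons:
            findings.append((rel, reasons))
    return findings


# Constructed sample tree: stand-ins for stock files plus two planted files
# shaped like the dropped file managers described in the post.
SAMPLE_FILES = {
    "admin/controller/common/filemanager.php":
        "<?php // constructed stand-in for the stock admin file manager\n"
        "if (isset($_FILES['file'])) { move_uploaded_file($_FILES['file']['tmp_name'], $target); }",
    "catalog/controller/common/header.php":
        "<?php // constructed stand-in for a normal controller\n"
        "class ControllerCommonHeader { public function index() { return 'ok'; } }",
    "image/catalog/logo.png": "constructed placeholder, not a real image",
    "image/catalog/fm.php":
        "<?php // constructed, deliberately non-functional sample of a dropped file manager\n"
        "if ($_FILES) { move_uploaded_file($_FILES['f']['tmp_name'], $dst); }",
    "catalog/view/theme/default/template/x.php":
        "<?php // constructed, deliberately non-functional sample of a dropped shell\n"
        "eval(base64_decode($payload));",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="oc_scan_"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_opencart_root(build_sample_tree()):
        print(rel)
        for reason in reasons:
            print("   -", reason)
```

Run it against the real document root instead of the sample tree, and treat every hit under image/ or a theme template directory as a file to preserve for the log review before it is removed: the paths it reports are exactly what you will want to grep for in the access logs later.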


2. Malware Hidden in Theme Editor Entries (Unusual Case)

One of the more unusual findings in this case was malware embedded inside Theme Editor content entries.

This is something we rarely see.

Attackers had injected malicious JavaScript directly into theme configuration data, meaning:

  • It survived normal file scans
  • It rendered as part of legitimate theme output
  • It blended in with trusted design elements

This made it significantly harder to detect without manually reviewing database-stored theme content.

This took me quite a while to locate, as Theme Editor adjustments aren't present in the cache, meaning the only way to find them was to look in the database.
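Because the injected script described in "The Discovery" section was stored as Theme Editor content rather than in a file, the practical check is to pull the stored theme overrides out of the database and triage their inline scripts for skimmer indicators: a Telegram endpoint, a network sink, form capture, payment-field names and obfuscation. The triage below is an added example for this post, not Antropy's or OpenCart's code. It assumes rows have already been fetched as dicts shaped like OpenCart 3's theme table (theme_id, store_id, theme, route, code), which is an assumption to confirm against your version, and the sample rows are constructed; the flagged one carries only indicator fragments and is deliberately non-functional.

```python
import re

# Indicator families. A single hit is not proof (legitimate checkout JS
# serialises forms too); an inline script that combines a network sink with
# form capture or obfuscation is what needs a human review.
INDICATORS = {
    "telegram_endpoint": re.compile(r"api\.telegram\.org", re.I),
    "network_sink": re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\b|new\s+Image\(\)", re.I),
    "form_capture": re.compile(
        r"addEventListener\(\s*['\"]submit['\"]|onsubmit|querySelectorAll\(\s*['\"]input|\.serialize\(\)",
        re.I,
    ),
    "payment_terms": re.compile(r"\b(?:cvv|cvc|cardnumber|card_number|expiry|ccnumber)\b", re.I),
    "obfuscation": re.compile(r"\batob\(|String\.fromCharCode|unescape\(|eval\(", re.I),
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def find_skimmer_indicators(markup):
    """Return the set of indicator families present in inline <script> blocks."""
    found = set()
    for script in SCRIPT_RE.findall(markup):
        for name, rx in INDICATORS.items():
            if rx.search(script):
                found.add(name)
    return found


def is_suspicious(indicators):
    """A Telegram endpoint is decisive; otherwise require a sink plus capture,
    obfuscation or payment-field names."""
    if "telegram_endpoint" in indicators:
        return True
    return "network_sink" in indicators and bool(
        indicators & {"form_capture", "obfuscation", "payment_terms"}
    )


def scan_theme_rows(rows):
    """rows: dicts shaped like the OpenCart theme table. Returns the rows
    whose stored override contains a suspicious inline script."""
    flagged = []
    for row in rows:
        ind = find_skimmer_indicators(row.get("code", ""))
        if is_suspicious(ind):
            flagged.append({"theme_id": row.get("theme_id"), "route": row.get("route"),
                            "indicators": sorted(ind)})
    return flagged


# Constructed sample rows: a harmless header tweak, a normal checkout AJAX
# call, and a footer override carrying the indicator fragments seen in this case.
SAMPLE_ROWS = [
    {"theme_id": 1, "store_id": 0, "theme": "default", "route": "common/header",
     "code": "<header>{{ logo }}</header>\n"
             "<script>$(document).ready(function () { $('#cart').on('click', toggleCart); });</script>"},
    {"theme_id": 2, "store_id": 0, "theme": "default", "route": "checkout/checkout",
     "code": "{{ header }}<script>$('#button-payment').on('click', function () { "
             "$.ajax({ url: 'index.php?route=checkout/confirm', "
             "data: $('#collapse-payment-method input').serialize() }); });</script>"},
    {"theme_id": 3, "store_id": 0, "theme": "default", "route": "common/footer",
     # constructed, deliberately non-functional: undefined names, no payload
     "code": "{{ footer }}<script>/* constructed sample */ addEventListener('submit', h); "
             "var u = atob(p); fetch('https://api.telegram.org/bot' + t + '/sendMessage');</script>"},
]


if __name__ == "__main__":
    for hit in scan_theme_rows(SAMPLE_ROWS):
        print(hit)
```

Feed it the real rows (a simple SELECT of the theme table, all stores) and review every flagged route by hand; the second sample row shows why the combination rule matters, since a legitimate checkout override trips the form-capture family on its own and should not be treated as a finding.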


The Likely Impact: Checkout Data Exposure

Given the nature of the script and its placement, the potential impact included:

  • Customer payment details being intercepted during checkout
  • Account credentials being stolen
  • Email addresses being harvested for further attacks
  • Silent data exfiltration with no visible site breakage

In many cases like this, the store continues operating normally while data theft happens in the background.


Immediate Actions We Took

Once the compromise was confirmed, we focused on containment and investigation rather than simple cleanup.

1. Host and Security Team Involvement

We advised the client to immediately engage:

  • Their hosting provider
  • A dedicated security specialist team

This is critical because malware of this type often indicates deeper server-level compromise or repeated reinfection risk.


2. Log Analysis (Raw Access Logs)

I then reviewed raw access logs to identify any IP addresses that made attempts to access the unauthorised file managers.

This data is essential for:

  • Blocking attacker IPs at server or firewall level
  • Identifying intrusion patterns
  • Preventing reinfection during cleanup
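To turn the raw access logs into a block list and a timeline, it is enough to parse the combined log format, keep only requests for the dropped files (or for any PHP under /image/), and group them by client IP with first and last seen. The script below is an added example for this post, not Antropy's tooling; the dropped-file paths and the log lines are constructed, and the timestamps and IPs are documentation ranges, not real attacker addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]  # drop the query string
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def is_rogue_path(path, dropped_files):
    """Requests for a known dropped file, or for any PHP under /image/, count.
    A 404 still counts: the attacker probing after cleanup is worth knowing."""
    return path in dropped_files or (path.startswith("/image/") and path.endswith(".php"))


def suspicious_actors(log_text, dropped_files):
    """Group rogue-path requests by client IP with paths, statuses and
    first/last seen, so the result can go straight into a firewall rule
    and an incident timeline."""
    actors = defaultdict(lambda: {"hits": 0, "paths": set(), "statuses": set(),
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_rogue_path(rec["path"], dropped_files):
            continue
        a = actors[rec["ip"]]
        a["hits"] += 1
        a["paths"].add(rec["path"])
        a["statuses"].add(rec["status"])
        a["first"] = rec["ts"] if a["first"] is None else min(a["first"], rec["ts"])
        a["last"] = rec["ts"] if a["last"] is None else max(a["last"], rec["ts"])
    # Plain dicts with sorted lists so the result is easy to print or serialise.
    return {ip: {**a, "paths": sorted(a["paths"]), "statuses": sorted(a["statuses"])}
            for ip, a in actors.items()}


# Constructed: the dropped files a filesystem scan would have reported.
DROPPED_FILES = {"/image/catalog/fm.php", "/catalog/view/theme/default/template/x.php"}

# Constructed sample log: one actor using the file manager, one normal shopper.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2026:02:14:05 +0000] "GET /image/catalog/fm.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2026:02:14:40 +0000] "POST /image/catalog/fm.php?act=upload HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Jun/2026:09:01:12 +0000] "GET /index.php?route=checkout/checkout HTTP/1.1" 200 18344 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Jun/2026:09:01:13 +0000] "GET /image/catalog/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Jun/2026:23:58:01 +0000] "GET /catalog/view/theme/default/template/x.php HTTP/1.1" 404 209 "-" "curl/8.0"
"""


if __name__ == "__main__":
    for ip, info in suspicious_actors(SAMPLE_LOG, DROPPED_FILES).items():
        print(ip, info["hits"], "hits", info["first"], "->", info["last"], info["paths"])
```

Point it at the rotated logs as well as the live one, since the first upload is often days before the fraud reports arrive, and keep the per-IP first-seen timestamp: it bounds the window in which checkout data may have been captured and tells you how far back the database and theme rows need to be compared against a known-good copy.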

Important Note: We Do Not Host This Website

It's important to clarify that we do not provide hosting for this particular client.

Our involvement in this case was strictly limited to:

  • Malware investigation
  • Identifying injected scripts and persistence mechanisms
  • Security analysis and guidance
  • Advising on remediation steps

Once the issue was reported to us, we assisted in identifying and cleaning up the infection based on the access and information provided.


What This Case Teaches Us About OpenCart Security

This incident highlights a few important realities for OpenCart store owners:

  • Malware is often injected into database-driven content, not just files
  • Attackers frequently use Telegram or similar services for stealthy data exfiltration
  • File managers are a common persistence tool if left exposed
  • The Theme Editor can be abused as a harder-to-identify injection point
  • Your server security needs to be top-tier and constantly reviewed and improved

Final Thoughts

This wasn't a basic defacement or broken website - it was a targeted attempt to quietly steal customer payment data without disrupting the storefront.

If anything positive came from this investigation, it's that it was caught early enough to prevent wider damage.

For OpenCart store owners, the key takeaway is simple:

If your checkout page behaves even slightly strangely, treat it as a potential security incident immediately.

Have any of you encountered malware on your sites recently? If so, let us know the details below.

Want us to take a look over your site? Contact us here
