A Very Scary VirtueMart Exploit, or Something Else?

A new client called us a couple of hours ago and told us that he had a problem with the VirtueMart store on his Joomla website. He said that early in the morning one of his customers called him and asked about the status of a one-week-old order that the customer had paid for through PayPal. Our client was perplexed, because he doesn’t have PayPal as a payment method (he sells e-cigarettes and accessories on his online store, and PayPal doesn’t allow merchants selling e-cigarettes to transact through its system). So our client searched through the VirtueMart orders and found an order matching that of his customer. He hadn’t seen that order before because he doesn’t use VirtueMart to view orders; he uses an application called ShipWorks, which only lists orders that transact successfully through Authorize.net. To make a not-so-long story concise, the website made the sale, but someone else took the money.

We immediately investigated the issue, and we noticed the following:

  • The website was using the latest version of Joomla.
  • The website was using the latest version of VirtueMart.
  • The PayPal VirtueMart plugin was installed on the website, and it was configured to send payments to an account with a French email address (the email ended with .fr). The fraudulent orders totaled a tad over $200.
  • There was a weird super user with an even weirder registration date. That user never logged in to the website (according to Joomla anyway).

In order to address the problem, we did the following:

  • We uninstalled the PayPal plugin (we took note of the fraudulent email account first and forwarded it to the client).
  • We removed the weird user from Joomla.
  • We changed the passwords for the following: the Joomla super user, the cPanel account, the FTP account, and the MySQL database powering the Joomla website.
  • We scanned the website for viruses/backdoors (there were none).
  • We installed our own firewall on the Joomla website.

So, what caused this problem?

We don’t know (we weren’t commissioned to find out), but we have the following theories in mind:

  • The client did not update the Joomla website to 3.6.4 immediately, so his website was exposed to the elevated permissions exploit for a while before the update. During that time, someone registered the weird Joomla super user and used it to install and configure the PayPal plugin. This is a weak theory, however, because the weird Joomla account was never used.
  • Someone knew the super user password, and used it to install the PayPal plugin and configure it. This is a plausible theory because the super user password was super easy.
  • An attacker used a hidden exploit in VirtueMart and installed that plugin. This is improbable but not impossible, and if it is true, then many e-commerce shops are at risk.

We can’t be sure of the root cause of this problem (we were not commissioned to investigate further), but we’re leaning towards the simple theory, which is the second one: someone knew the super user password and used it to install and configure the VM PayPal plugin.

If you’re running a VirtueMart-powered online store, then we suggest you verify your payment settings; the prospect of someone changing the payment information on your website to his own is really terrifying. If you find something fishy on your website and you need help, then please contact us. We will clean your website, we will protect it, and we won’t charge you much.
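One way to run that check against a copy of the site database, as an added example that is not from the original post or from VirtueMart: it flags published payment methods outside an approved list and super users with no recorded visit, the two anomalies found in this incident. The table and column names assume a Joomla 3 install with the `jos_` prefix and the default Super Users group id 8, `authorizenet` is an assumed plugin name, and the rows are constructed sample data loaded into SQLite so the script runs offline.

```python
import sqlite3

# Assumptions, not from the post: Joomla 3 tables with the "jos_" prefix,
# Super Users as group id 8, VirtueMart's jos_virtuemart_paymentmethods table.
APPROVED_ELEMENTS = {"authorizenet"}            # processors the shop really uses
NEVER_VISITED = {"0000-00-00 00:00:00", None}   # Joomla 3 placeholder or NULL

PAYMENT_SQL = """SELECT virtuemart_paymentmethod_id, payment_element
                 FROM jos_virtuemart_paymentmethods
                 WHERE published = 1 ORDER BY virtuemart_paymentmethod_id"""
SUPERUSER_SQL = """SELECT u.id, u.username, u.lastvisitDate
                   FROM jos_users u
                   JOIN jos_user_usergroup_map m ON m.user_id = u.id
                   WHERE m.group_id = 8 ORDER BY u.id"""

def audit(conn, approved=APPROVED_ELEMENTS):
    """Return (kind, id, name) findings that need a human to confirm them."""
    findings = []
    for method_id, element in conn.execute(PAYMENT_SQL):
        if element not in approved:          # live payment plugin nobody approved
            findings.append(("payment", method_id, element))
    for user_id, username, last_visit in conn.execute(SUPERUSER_SQL):
        if last_visit in NEVER_VISITED:      # super user with no recorded login
            findings.append(("superuser", user_id, username))
    return findings

def sample_db():
    """Constructed rows modelled on the incident; no real site data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE jos_virtuemart_paymentmethods
        (virtuemart_paymentmethod_id INTEGER, payment_element TEXT, published INTEGER);
      CREATE TABLE jos_users (id INTEGER, username TEXT, lastvisitDate TEXT);
      CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
      INSERT INTO jos_virtuemart_paymentmethods VALUES
        (1, 'authorizenet', 1), (2, 'paypal', 1), (3, 'standard', 0);
      INSERT INTO jos_users VALUES
        (42, 'owner', '2016-11-02 09:15:00'),
        (901, 'example_unknown', '0000-00-00 00:00:00'),
        (77, 'customer', '0000-00-00 00:00:00');
      INSERT INTO jos_user_usergroup_map VALUES (42, 8), (901, 8), (77, 2);
    """)
    return conn

if __name__ == "__main__":
    for finding in audit(sample_db()):
        print(finding)
```

On a live store the same two SELECT statements can be run against MySQL with the site's real table prefix; a finding is a prompt to review the record, not proof of compromise.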
