March 16, 2016
We recently received reports of new malware that appears to capture information from all fields of the checkout process, including credit card information. Attackers are likely using Admin or database access to plant the malware. We do not have specific information on how the attackers are gaining Admin access, but it is common for them to guess weak passwords, target unpatched sites, or use Admin accounts they may have set up before a site was patched.
We recommend that you run a scan on magereport.com to determine if you are at risk for a “Credit Card Hijack” and check to see if you have any unknown Admin accounts. You can also review your code for the malware. Our investigations indicate that the malware typically includes the text, “onepage|checkout” and resides in one of two places:
Admin -> Configuration -> General -> Design -> HTML Head -> Miscellaneous Scripts, or
Admin -> Configuration -> General -> Design -> Footer -> Miscellaneous HTML
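The two admin fields above are stored as rows in the Magento 1 core_config_data table, so the review can be done directly against a database export rather than by clicking through the admin panel. The script below is an added example written for this advisory, not code from Magento; it assumes the mapping of those two fields to the config paths design/head/includes and design/footer/absolute_footer (verify against your installation), scans every config row for the "onepage|checkout" indicator named above, and separately lists admin usernames that are not on a list you supply of accounts you recognise. The config rows and admin users it runs on are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Pattern, Set

# Assumed mapping of the advisory's two admin locations to Magento 1 config
# paths (verify on your own installation):
#   Design -> HTML Head -> Miscellaneous Scripts  ->  design/head/includes
#   Design -> Footer    -> Miscellaneous HTML     ->  design/footer/absolute_footer
KNOWN_LOCATIONS: Set[str] = {"design/head/includes", "design/footer/absolute_footer"}

# Indicator from the advisory: the text the skimmer uses to match checkout pages.
INDICATOR: Pattern[str] = re.compile(r"onepage\|checkout", re.IGNORECASE)


def find_config_injections(rows: Iterable[Dict], indicator: Pattern[str] = INDICATOR) -> List[Dict]:
    """Return every config row whose value contains the indicator.

    `rows` is expected to look like the result of
        SELECT config_id, scope, scope_id, path, value FROM core_config_data;
    (one dict per row). All rows are scanned, not only the two usual locations,
    so a copy planted under another path is still reported; `known_location`
    tells the reviewer whether the hit is in one of the advisory's two fields.
    """
    hits: List[Dict] = []
    for row in rows:
        value = row.get("value") or ""
        match = indicator.search(value)
        if not match:
            continue
        hits.append({
            "config_id": row.get("config_id"),
            "scope": row.get("scope"),
            "scope_id": row.get("scope_id"),
            "path": row.get("path"),
            "known_location": row.get("path") in KNOWN_LOCATIONS,
            # Short context around the match so the reviewer can see what was found.
            "context": value[max(0, match.start() - 40): match.end() + 40],
        })
    return hits


def unknown_admin_accounts(admin_users: Iterable[Dict], expected_usernames: Set[str]) -> List[str]:
    """Return admin usernames that are not in the reviewer's list of known accounts.

    `admin_users` is expected to look like SELECT username FROM admin_user; rows.
    Anything returned here should be investigated and, per the advisory, removed
    if it cannot be accounted for.
    """
    return sorted(u["username"] for u in admin_users if u["username"] not in expected_usernames)


# Constructed sample data standing in for a database export.
SAMPLE_CONFIG_ROWS = [
    {"config_id": 1, "scope": "default", "scope_id": 0, "path": "design/head/includes",
     "value": '<link rel="stylesheet" href="/skin/frontend/custom.css" />'},
    {"config_id": 2, "scope": "default", "scope_id": 0, "path": "design/footer/absolute_footer",
     # Constructed stand-in for an injected script: only the indicator text matters here.
     "value": '<script>/* constructed */ if (location.href.match(/onepage|checkout/i)) {}</script>'},
    {"config_id": 3, "scope": "default", "scope_id": 0, "path": "web/unsecure/base_url",
     "value": "http://shop.example/"},
]

SAMPLE_ADMIN_USERS = [
    {"username": "admin"},
    {"username": "store_manager"},
    {"username": "svc_backup"},  # constructed: not on the reviewer's list below
]


def main() -> None:
    for hit in find_config_injections(SAMPLE_CONFIG_ROWS):
        where = "KNOWN LOCATION" if hit["known_location"] else "other path"
        print(f"config_id={hit['config_id']} path={hit['path']} ({where}): {hit['context']!r}")
    for name in unknown_admin_accounts(SAMPLE_ADMIN_USERS, {"admin", "store_manager"}):
        print(f"unknown admin account: {name}")


if __name__ == "__main__":
    main()
```

Run it against a real export by replacing the two SAMPLE_ lists with the query results; a hit in either known location is the pattern described above, and a hit under any other path is still worth removing and investigating.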
If you are infected, please take immediate steps to remove this malware and review your code for any other changes of unknown origin. As per best practices, you should also remove any unknown Admin accounts and update all Admin passwords to prevent further access to the site.
This is another reminder of the importance of following strong security practices. Please review and follow the security best practices posted on the Magento Security Center.