Beware Compromised Shopping Carts

I think many people have stumbled upon "less than secure" sites which claim to have a secure checkout. I can't even count how many times I've looked for some obscure items on the web and have come across a website which just seems a bit off.

Yesterday I received a Snort alert which I often see on a compromised host:>ET TROJAN Likely Zbot Generic Post to gate.php Dotted-Quad

What I instantly noticed in the transcript is that this isn't the normal POST that I see from Zeus. What I had seen was a GET request with users Credit Card and Billing information in the Request Header. See Screenshot:

I've excluded the rest of the transcript, so as not to mention the site which is actually compromised at this time. However, I will say that it is very clear when looking at surrounding PCAPs from the source IP that the user was shopping for Building supplies. When looking at the websites Checkout page, I stumbled upon the following code:

Click to Enlarge

It would appear that the site has been compromised with injected code which scrapes the billing information that users enter into the checkout page.

Just as a side note the Direct IP address being utilized in this compromise has been associated with Fraudulent CC charges in the past, see 

If anyone has anymore information in this malicious code, please let me know. It seems to have some similar characteristics to evil-eval-magento.js which is also described Here.