Over 500 Magento sites hacked in payment skimmer attack

Sansec researchers have urged website owners to stop using Magento 1 since Adobe has stopped releasing security updates for the platform since June 2020.

eCommerce security firm Sansec has identified that hundreds of thousands of online stores running the Magento 1 e-commerce platform were targeted with a web skimmer. The attack was noted late last months after their crawler identified around 374 infections on a single day. In all the attacks, the same malware was used.

Details of the Campaign

According to Sansec, this attack stands out because attackers have used a combination of PHP object injection and SQL injection, which helped them control the Magento store. The attacks were launched via a single domain- naturalfreshmall(.)com domain., from where the credit card skimmer was loaded on all of them. The domain is currently offline.

Sansec on Twitter

Sansec researchers believe that the objective behind this campaign is to steal the credit card details of customers of the hacked online stores. Here, it is worth noting that Magento stores are often under web skimmer attacks. In 2018, over 1,000 Magento sites were hacked with cryptominers and credential-stealing malware.

In September 2020, an attack researchers identified the “largest-ever attack against Magento stores” in which around 1,904 individual online stores were hacked due to the outdated Magento 1 platform.

Vulnerability Abused to Gain Access

In their blog post, Sansec researchers revealed that a vulnerability in the Ouickview plugin was used as the initial intrusion vector. Generally, attackers use the flaw to inject rogue admin users into vulnerable online stores using Magento; however, in this case, the vulnerability was abused to include a validation rule. This rule resulted in adding a document containing a backdoor to the database.

The validation rules for new customers were used to initiate code execution simply by visiting the Magento sign-up page. To abuse the platform, attackers add a validation rule into the customer_eav_attribute table to trick the host app into creating a malicious object.

This object is then used to create a simple backdoor, and validation rules for new customers trigger the payload to be injected into the sign-up page. Apart from injecting the credit card skimmer, the hackers may use the backdoor to execute commands on a remote server, letting them take control of the entire site.

Stop Using Magento 1

Sansec pointed out that Magento 1 has reached its end-of-life and that Adobe has stopped releasing security updates for the platform since June 2020, but a vast majority of merchants are still using it. The e-commerce security firm recommends that store admins ensure maximum security of their websites and check all community-provided patches for Magento 1.

Reportedly, the attackers used around nineteen backdoors on the vulnerable system. This means the affected sites must remove all these backdoors to prevent follow-up attacks. A list of files is released by Sansec researchers, which were either malicious or contained malicious code. Users are requested to run a malware scanner to identify these files.

More card skimmer news on Hackread.com

New credit card skimmers channel funds through Telegram

New skimmer attack uses fake credit card forms to steal data

Bluetana app detects gas pumps card skimmers within 3 seconds

Visa warns of Baka JavaScript skimmer capable of evading detection

Cloud video platform abused in web skimmer attack against real estate sites

Related Posts