Sansec researchers have urged website owners to stop using Magento 1 since Adobe has stopped releasing security updates for the platform since June 2020.
eCommerce security firm Sansec has identified that hundreds of thousands of online stores running the Magento 1 e-commerce platform were targeted with a web skimmer. The attack was noted late last months after their crawler identified around 374 infections on a single day. In all the attacks, the same malware was used.
Details of the Campaign
According to Sansec, this attack stands out because attackers have used a combination of PHP object injection and SQL injection, which helped them control the Magento store. The attacks were launched via a single domain- naturalfreshmall(.)com domain., from where the credit card skimmer was loaded on all of them. The domain is currently offline.
Sansec researchers believe that the objective behind this campaign is to steal the credit card details of customers of the hacked online stores. Here, it is worth noting that Magento stores are often under web skimmer attacks. In 2018, over 1,000 Magento sites were hacked with cryptominers and credential-stealing malware.
In September 2020, an attack researchers identified the “largest-ever attack against Magento stores” in which around 1,904 individual online stores were hacked due to the outdated Magento 1 platform.
Vulnerability Abused to Gain Access
In their blog post, Sansec researchers revealed that a vulnerability in the Ouickview plugin was used as the initial intrusion vector. Generally, attackers use the flaw to inject rogue admin users into vulnerable online stores using Magento; however, in this case, the vulnerability was abused to include a validation rule. This rule resulted in adding a document containing a backdoor to the database.
The validation rules for new customers were used to initiate code execution simply by visiting the Magento sign-up page. To abuse the platform, attackers add a validation rule into the customer_eav_attribute table to trick the host app into creating a malicious object.
This object is then used to create a simple backdoor, and validation rules for new customers trigger the payload to be injected into the sign-up page. Apart from injecting the credit card skimmer, the hackers may use the backdoor to execute commands on a remote server, letting them take control of the entire site.
Stop Using Magento 1
Sansec pointed out that Magento 1 has reached its end-of-life and that Adobe has stopped releasing security updates for the platform since June 2020, but a vast majority of merchants are still using it. The e-commerce security firm recommends that store admins ensure maximum security of their websites and check all community-provided patches for Magento 1.
Reportedly, the attackers used around nineteen backdoors on the vulnerable system. This means the affected sites must remove all these backdoors to prevent follow-up attacks. A list of files is released by Sansec researchers, which were either malicious or contained malicious code. Users are requested to run a malware scanner to identify these files.