Magecart hackers launched largest ever attack against Magento stores

Around 1,904 individual online stores were hacked due to the outdated Magento 1 platform. Here’s what happened.

Over the weekend, Magecart hackers compromised 1,904 online stores in what appears to be the largest automated hacking campaign by the group that researchers have ever detected.

According to the Dutch cybersecurity firm Sanguine Security (SanSec), all the targeted online stores were using the outdated Magento 1 e-commerce platform. Around ten stores were attacked on Friday, 11 Sep, 1,058 stores on Saturday, 603 on Sunday, and 233 on Monday.

Magecart hackers used their typical techniques to compromise such a large number of sites. They breached the sites' security and inserted malicious scripts into the sites' source code, in particular the checkout code that handles shoppers' payment card data, so that card details were logged and stolen.

The stores were hit with a web skimming campaign over the weekend, and only those stores that were still using the Magento 1 platform were targeted.

It is worth noting that this version entered its end-of-life phase on 30 June 2019 and has not received any security updates for the past 12 months. A majority of the compromised stores were running the 1.x version of the Magento online store software.

Image: A hacker selling a zero-day exploit for the same vulnerability on a Russian hacking forum (Image: Sansec)

Adobe, the company that owns Magento, issued an alert as early as November 2019, urging store owners to upgrade to the 2.x version. However, 95,000 sites are still using the old version.

Most of the targeted stores don’t have any history of security breaches, suggesting that a new attack method was utilized to access their servers. Though SanSec hasn’t yet identified the infiltration method, the company suspects that hackers used a Magento 1 zero-day exploit, which was up for sale a few weeks back for $5,000.

The remote code execution (RCE) exploit was sold with an instructional video and could prove especially potent against the outdated Magento 1 platform.

Forensic analysis of two compromised servers revealed that the hackers interacted with the Magento admin panel and used the Magento Connect feature to download and install malware and other files. After the malicious code was planted, the malware file was deleted automatically.
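As an added defender-side example (not code from the article or from Sansec), the following Python triage script scans web server access logs for the sequence the forensic analysis describes: a client that logs into the Magento 1 admin panel and also uses the Connect Manager to fetch packages. It assumes Magento 1's default locations (admin panel under /admin, Connect Manager under /downloader/) and runs over constructed log lines.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2020:03:14:01 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2020:03:14:09 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2020:03:14:30 +0000] "GET /downloader/ HTTP/1.1" 200 8891 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2020:03:14:45 +0000] "POST /downloader/index.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Sep/2020:03:15:02 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 23456 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed Magento 1 defaults: admin panel under /admin, Connect Manager under /downloader/.
ADMIN_MARKER = "/admin"
CONNECT_PREFIX = "/downloader"


def classify(path):
    """Return an indicator name for admin or Connect Manager requests, else None."""
    if path.startswith(CONNECT_PREFIX):
        return "connect_manager"
    if ADMIN_MARKER in path:
        return "admin_panel"
    return None


def triage(log_text):
    """Group admin-panel and Connect Manager requests by client IP."""
    seen = defaultdict(lambda: {"indicators": set(), "requests": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        tag = classify(m["path"]) if m else None
        if tag is None:
            continue  # ordinary storefront traffic, or an unparseable line
        seen[m["ip"]]["indicators"].add(tag)
        seen[m["ip"]]["requests"].append((m["ts"], m["method"], m["path"], int(m["status"])))
    return dict(seen)


def suspicious_ips(log_text):
    """IPs that posted to the admin panel (answered 200/302) and also used the Connect Manager."""
    hits = []
    for ip, rec in triage(log_text).items():
        admin_post = any(meth == "POST" and ADMIN_MARKER in path and status in (200, 302)
                         for _, meth, path, status in rec["requests"])
        if admin_post and "connect_manager" in rec["indicators"]:
            hits.append(ip)
    return sorted(hits)
```

On a real server, feed it the store's access log and review every flagged IP against the list of legitimate administrators; a Connect Manager hit from an unknown address is worth a full forensic look even if the uploaded file is already gone, as the article notes it was.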

SanSec's threat analysis team suggests that the incident reflects the profitability of web skimming. Cybercriminals are now launching automated hacking campaigns against online stores far more aggressively.

SanSec revealed that this is the largest Magecart hacking campaign against online stores since 2015.

“The previous record was 962 hacked stores in a single day in July last year,” SanSec stated.

On just one of the compromised sites, hackers stole the private data of tens of thousands of customers, which indicates the scale of the damage this campaign has caused.

Magecart is the same group that previously targeted commercial bigwigs like British Airways, Newegg, and Ticketmaster in 2018.

SanSec has provided the list of compromised stores to law enforcement but chose not to disclose it publicly.
