1000+ Magento sites hacked with cryptominers & credential stealing malware

At least 1,000 Magento-based websites, including online shops, have been targeted and infected with this malware.

Threat analysis and cyber-security intelligence firm Flashpoint stated that cybercriminals have been targeting the open-source e-commerce platform Magento with malware since 2016. As a result, hundreds of e-commerce websites running on Magento have already been compromised by hackers to steal credit card numbers and install cryptocurrency miners.

Magento has two versions, one of which is open source while the other is a curated enterprise version. As is the norm with successful open-source products, the enterprise version offers access to support and is exclusively maintained by Magento.

Websites running on the Magento platform are compromised via brute-forcing: hackers use common and already known credentials to gain access to the site. According to Flashpoint’s findings, nearly 1,000 Magento admin panels have been compromised so far. A majority of the compromised panels belong to firms in the education and healthcare sectors, while most targets were identified in the US and Europe.

Flashpoint researchers wrote that brute-force attacks succeed only when administrators fail to change the credentials after installing the platform. Hackers can easily create automated scripts that try known credentials to gain panel access.
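As an added example (not from Flashpoint or the article), here is the kind of log check an administrator can run to spot the automated credential-guessing described above: it counts POSTs to the admin login path per source address inside a sliding window and notes whether a burst was followed by a redirect. The admin path, the window and threshold, and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumptions (not from the article): the admin panel is served at /admin and every
# login attempt is a POST to that path; the log lines below are constructed samples.
ADMIN_LOGIN_PATH = "/admin"
WINDOW_SECONDS = 60
THRESHOLD = 5  # POSTs from one IP inside the window before it is flagged

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2018:10:00:01 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "python-requests/2.18"
203.0.113.7 - - [27/Mar/2018:10:00:02 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "python-requests/2.18"
198.51.100.4 - - [27/Mar/2018:10:00:03 +0000] "GET /index.php/catalog/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2018:10:00:03 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "python-requests/2.18"
203.0.113.7 - - [27/Mar/2018:10:00:04 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "python-requests/2.18"
203.0.113.7 - - [27/Mar/2018:10:00:05 +0000] "POST /admin HTTP/1.1" 200 5120 "-" "python-requests/2.18"
203.0.113.7 - - [27/Mar/2018:10:00:06 +0000] "POST /admin HTTP/1.1" 302 0 "-" "python-requests/2.18"
198.51.100.4 - - [27/Mar/2018:10:05:00 +0000] "POST /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_ts(raw):
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def find_bruteforce(log_text, path=ADMIN_LOGIN_PATH, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: (peak POSTs inside one window, redirect seen during a burst)} for flagged IPs."""
    recent = defaultdict(deque)  # ip -> timestamps of admin POSTs still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].rstrip("/") != path:
            continue
        ip, ts, status = m["ip"], parse_ts(m["ts"]), m["status"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            # a 3xx right after a burst is the event worth paging on: a guess may have succeeded
            peak, redirected = flagged.get(ip, (0, False))
            flagged[ip] = (max(peak, len(q)), redirected or status.startswith("3"))
    return flagged
```

A single POST to the login path from the legitimate address is never flagged, while the scripted client is reported with its burst size and the trailing redirect.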

After gaining control of the site’s CMS admin panel, attackers can add any script of their choice. It must be noted that hackers are also targeting other e-commerce content management systems (CMS) such as Powerfront and OpenCart.


Flashpoint identified that hackers inject malicious code into a core file to gain access to the payment data processing pages and the POST requests to the server that carry sensitive data. Visitors to a compromised website are then subjected to malware attacks: the site asks the visitor to update Adobe Flash Player, and when the user clicks the provided link, malware is downloaded from remote servers. These servers are hosted on sites like GitHub.

Several pieces of malware are involved in this campaign; the first one downloaded is the AZORult data-stealing software, which in turn downloads further malware as well as the cryptominer. Stolen data is then intercepted and transmitted to the hacker.

A similar method is used to install the cryptominer. In this particular campaign, attackers are looking to mine Rarog cryptocurrency. Flashpoint also noted that interest in exploiting Magento admin panels has persisted since 2016 on both entry-level and higher-tier Deep & Dark Web forums.

An interesting aspect is that attackers update the malicious files on a daily basis to evade detection. This daily updating makes it difficult for security software firms to catch the threat, because frequently changing signatures cannot be matched immediately.
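Because the injected code changes daily, a signature lookup lags behind it; comparing a site’s files against a known-good baseline catches the change regardless of how the payload is rewritten. The following is an added example (not Flashpoint’s or Magento’s tooling); the directory names stand in for a Magento document root and the file contents are constructed.

```python
import hashlib
import os
import tempfile

# Added example: hash a tree, then diff it against a baseline taken from the clean install.
# Paths are illustrative stand-ins for a Magento install; contents are constructed.


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare(baseline, current):
    """Classify files as modified, added or removed relative to the known-good baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Take a baseline of a clean tree, then alter a checkout file and drop a new file, as an attacker would."""
    checkout = "app/code/core/Mage/Checkout/controllers/OnepageController.php"
    clean = {checkout: b"<?php class OnepageController {}\n", "index.php": b"<?php require 'app/Mage.php';\n"}
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, clean)
        baseline = hash_tree(root)
        # the appended bytes could be rewritten every day; the digest mismatch is reported either way
        infected = dict(clean)
        infected[checkout] += b"/* constructed placeholder for injected code */\n"
        infected["media/.cache.php"] = b"<?php /* constructed placeholder for a dropped file */\n"
        write_tree(root, infected)
        return compare(baseline, hash_tree(root))
```

In practice the baseline is taken from a fresh, patched install and stored off the web server, so a compromised host cannot rewrite it.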

Figure: Anatomy of the attack (Credit: Flashpoint)

Furthermore, GitHub also helps attackers avoid detection, as they can upload and store new code there easily. When an organization builds a whitelist of safe sites, GitHub is almost certain to be on it, which allows the malware downloads to evade blocking. This is probably why attackers prefer to host their malicious code on GitHub.

Flashpoint has collaborated with law enforcement to inform victims of the breaches, but the scope of the attack is suspected to be far larger, with researchers having detected only a fraction of the total compromised websites. Most of these sites were hacked by exploiting standard security loopholes.

Therefore, researchers have advised Magento admins to immediately change their CMS account credentials to mitigate the brute-force threat. It is very important to replace old, weak passwords with new, stronger ones and to enforce two-factor authentication (2FA). Also, Magento employees should be provided with secure password managers, while users should be barred from recycling old passwords.


When asked whether Magento will be releasing a security update to prevent or thwart brute-force attacks, the company didn’t immediately respond and we are yet to receive an official word from them.

Update:

Magento has now addressed the issue and released a statement: “Up to 1,000 open-source accounts were affected by brute force attacks, a form of fraud where cybercriminals take advantage of weak passwords to steal information and distribute malware. This is not a new threat, as there have been previously reported variants that have impacted other vendor systems,” the statement said.

“All accounts identified were on Magento Open Source (formerly Community Edition), and we have communicated to users how to take immediate action and employ preventive measures. We continue to be fully committed to ensuring the security of our merchants and their customers, encouraging all of our merchants to stay up-to-date on security patches and recommended security best practices, as well as perform malware tests on sites with the Magento Security Scan Tool accessed in their Magento account.”

Image credit: Depositphotos

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.