Over 500 Magento Sites Hacked in Payment Skimmer Attack

Sansec researchers have urged website owners to stop using Magento 1, since Adobe stopped releasing security updates for the platform in June 2020.

E-commerce security firm Sansec has identified that hundreds of thousands of online stores running the Magento 1 e-commerce platform are being targeted by a canvas skimmer. The attack was noticed late last month after the firm's crawler identified around 374 infections in a single day. The same malware was used in all of the attacks.

Campaign Details

According to Sansec, this attack stands out because the attackers combined PHP object injection with SQL injection, which gave them control of the Magento shop. The attacks were launched through a single domain, naturalfreshmall(.)com, from which the credit card skimmer was loaded onto each compromised store. The domain is currently offline.


Sansec researchers believe that the purpose of this campaign is to steal the credit card details of customers of the hacked online stores. It should be noted that Magento stores often fall victim to web skimmer attacks: in 2018, over 1,000 Magento sites were hacked with cryptominers and credential-stealing malware.

In September 2020, researchers identified the “biggest ever attack against Magento stores”, in which around 1,904 individual online stores were hacked because they ran the outdated Magento 1 platform.

Vulnerability exploited to gain access

In their blog post, Sansec researchers revealed that a vulnerability in the Quickview plugin was used as the initial intrusion vector. Attackers typically use this flaw to inject rogue admin users into vulnerable Magento stores; in this case, however, it was abused to insert a validation rule. That rule resulted in a record containing a backdoor being added to the database.

Validation rules for new customers were used to trigger code execution simply by visiting the Magento registration page. To abuse the platform, attackers add a validation rule to the customer_eav_attribute table that tricks the host application into instantiating a malicious object.

This object is then used to create a simple backdoor, and the validation rules for new customers trigger injection of the payload into the registration page. Besides injecting the credit card skimmer, the hackers can use the backdoor to execute commands on the compromised server remotely, allowing them to take control of the entire site.
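As an added defender-side example (not code from the article or from Sansec): a Python check that tokenizes the serialized values in the customer_eav_attribute table the way PHP's serialize() writes them and flags any embedded PHP object token or unexpected key, since a legitimate rule is a plain array and only a tampered one carries an object for unserialize() to instantiate. It assumes the column is named validate_rules and that the allow-list of keys matches Magento 1's own; the sample rows and the Example_Gadget class name are constructed.

```python
import re
# Keys Magento 1 itself writes into validate_rules (assumption: from core customer attribute setup)
EXPECTED_KEYS = {"max_text_length", "min_text_length", "input_validation",
                 "date_range_min", "date_range_max"}
TOKEN_RE = re.compile(
    r'a:\d+:\{'                          # array start
    r'|O:\d+:"(?P<cls>[^"]*)":\d+:\{'    # object start: what unserialize() instantiates
    r'|s:(?P<slen>\d+):"'                # length-prefixed string
    r'|i:-?\d+;|d:[^;]+;|b:[01];|N;|\}')
# Constructed sample rows (attribute_code, validate_rules): one clean, one tampered.
SAMPLE_ROWS = [("firstname", 'a:1:{s:15:"max_text_length";i:255;}'),
               ("lastname", 'a:1:{s:15:"max_text_length";O:14:"Example_Gadget":1:{s:4:"name";s:3:"abc";}}')]
def tokenize(serialized):
    # Strings are read by declared length, so an 'O:' inside a string body is not an object token.
    pos = 0
    while pos < len(serialized):
        m = TOKEN_RE.match(serialized, pos)
        if not m:
            yield ("garbage", serialized[pos:])
            return
        if m.group("slen") is not None:
            n = int(m.group("slen"))
            yield ("str", serialized[m.end():m.end() + n])
            pos = m.end() + n + 2        # skip the closing '";'
        else:
            kind = "object" if m.group("cls") is not None else "other"
            yield (kind, m.group("cls") or m.group(0))
            pos = m.end()
def inspect_validate_rules(serialized):
    # Returns the reasons a validate_rules value looks tampered with ([] if clean).
    findings, depth, expect_key = [], 0, True
    tokens = list(tokenize(serialized or ""))
    if tokens and not (tokens[0][0] == "other" and tokens[0][1].startswith("a:")):
        findings.append("top-level value is not a serialized array")
    for kind, val in tokens:
        if kind == "other" and val == "}":
            depth -= 1
            continue
        if depth == 1:                   # key/value pairs of the top-level array
            if expect_key and (kind != "str" or val not in EXPECTED_KEYS):
                findings.append(f"unexpected key {val!r}")
            expect_key = not expect_key
        if kind == "object":
            findings.append(f"serialized object of class {val}")
        elif kind == "garbage":
            findings.append("unparseable trailing data")
        if kind == "object" or (kind == "other" and val.startswith("a:")):
            depth += 1
    return findings
def scan_rows(rows):
    return {code: f for code, rules in rows if (f := inspect_validate_rules(rules))}
```

Feed scan_rows() the (attribute_code, validate_rules) pairs read from the live table; any non-empty result is a row to quarantine and compare against a known-good backup.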

Stop using Magento 1

Sansec pointed out that Magento 1 has reached its end of life and that Adobe stopped releasing security updates for the platform in June 2020, yet a large majority of merchants still use it. The e-commerce security company recommends that store administrators keep their websites as secure as possible and verify all community-contributed patches for Magento 1.

Apparently, the attackers planted around nineteen backdoors on each vulnerable system, so affected sites must remove all of them to prevent further attacks. Sansec researchers have published a list of files that were either malicious or contained malicious code, and users are advised to run a malware scanner to identify these files.
