Magento Stores hit by a massive automated attack

September 26, 2020
magecart automated attack magento stores credit card skimming malware malicious scripts

A massive automated hacking campaign has hit and compromised almost 2000 online stores recently that is targeted towards Magento websites aiming to steal credit card information.   

To the banks that issue debit and credit cards, your customers who love to online shop in the middle of the pandemic is in deeper trouble than ever because the cybercriminals that utilize automated sniffing technics from vulnerable e-commerce stores got more active. 

Magento is an open-source e-commerce platform software written in PHP that was acquired by Adobe Inc last 2018. Its primary function is to assist business owners in setting up online stores to sell products and collect credit card payment information. Hence, it is always being targeted by hackers and threat actors by developing credit card skimming JavaScript to steal financial data.   

These kinds of cyber-attack are called MageCart, and the operators have posed large enough cyber threat leading VISA to issue an advisory to urge online stores and merchants to move forward using the more secure version Magento 2.    

Over the last week, a group of cybersecurity researchers discovered the automated credit card skimming campaign that affected over 1900 Magento stores for four days. The cyber-attack started with 10 infected stores on its first day involving a new kind of credit card skimming script. The attack began to build up with 1058 compromised online stores on the second day, another 603 hacked store were recorded the next day and 233 on the fourth and last day. With a total of 1904, the cybersecurity community considered this the largest automated Magento hacking incident monitored, with 1058 hacked store in a single day beating the 962 hacked store record that happened last July 2019.  


The Magento MageCart attack  

On further analysis of the discovered automated attack on Magento stores, most hacked stores were still using Magento 1, which had reached its End of Life since June 2020. Hence, product support and security updates are critical to prevent this kind of attack. Once a store is compromised, a PHP web shell called mysql.php will be installed by the attackers to grant administrative privileges and gain full access to a compromised account.   

During the investigation, it has been discovered by Digital Forensics that the attack used a US-based IP to interact with the Magento admin panel. Then utilized the Magento Connect feature to transfer various files for installation, including the backdoor script which automatically deletes itself after the malicious codes were injected to the prototype.js JavaScript file. When using this access, the attackers also loads malicious JavaScript codes within the directory when the store visitor goes to the checkout page. Upon payment information submission, the script collects the data and will then be sent to an external URL that is under the control of the attackers. 

How this kind of attack is conducted is still unknown. Still, it is believed that Magento is being attacked by a zero-day vulnerability exploit that is being sold on hacking forums within the Dark Web. A threat actor named z3r0day was found selling these vulnerabilities since mid-August this year, including the two recently patched flaws on Magento 1, which was sold for $5000. The sale was made to a total of 10 people. We advise that every Magento store be upgraded to Magento 2 for better protection and add another layer of malware solution, which prevents this kind of attack credit card skimming attack.  

About the author

Leave a Reply