According to a report by security vendor Sansec, more than 350 e-commerce sites running Magento 1 were hit by the same strain of MageCart card-skimming malware the week of January 31, in an attack that exploited a known vulnerability in the Quickview plug-in.
The Quickview vulnerability “is typically abused to inject dishonest Magento admin users, in this case the attacker used the flaw to execute code directly on the server,” Sansec said.
A total of 374 e-commerce sites fell victim to a payment skimmer loaded from the naturalfreshmall.com domain. “The attackers used a clever combination of an SQL Injection (SQLi) and PHP Object Injection (POI) attack to take control of the Magento store,” Sansec reported.
The attackers also left 19 backdoors on the system, which could be used to regain control of a site even after the skimmer script was detected and removed and the software updated. “It’s essential to eliminate each of them, because leaving one in place means that your system will be affected again next week,” the company advised.
The two flaws were chained: the SQL injection was used to insert a PHP Object Injection (POI) payload, a serialized PHP object, into the validation rules applied to new customer registrations. When the attacker then registered as a customer, the store deserialized the stored rule, which tricked the Magento application into instantiating the attacker's object and executing the code it carried.
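The following is an added illustration of the deserialization pattern described above; it is not Sansec's analysis code or Magento's own source. It assumes a hypothetical `LogWriter` class already loaded in the application, an assumed array layout for a stored validation rule, and a payload that only drops a harmless placeholder file into a temporary directory. The vulnerable handler calls `unserialize()` on the stored rule; the hardened one refuses to instantiate any class.

```php
<?php
// Added demo (not code from the page, Sansec or Magento). Class names, the
// rule format and the payload are assumptions chosen for this illustration.

// Hypothetical gadget: any class already loaded by the application whose
// magic method does something dangerous with attacker-controlled properties.
class LogWriter
{
    public $path;
    public $data;

    // Runs automatically when the object is destroyed, i.e. shortly after
    // unserialize() builds it. The application never has to call it.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Assumed shape of a legitimate customer-attribute validation rule, stored
// in serialized form in the database.
function legitimateRule(): string
{
    return serialize(['min_text_length' => 1, 'max_text_length' => 255]);
}

// What an attacker with SQL injection writes into the same column: a hand-built
// serialized LogWriter. Built as a string (not via serialize(new LogWriter))
// so the gadget's destructor does not fire on the attacker's side.
function maliciousRule(string $webroot): string
{
    $path = $webroot . '/shell.php';
    $data = '<?php /* placeholder for a backdoor */ ?>';
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($path), $path, strlen($data), $data
    );
}

// Vulnerable: the stored rule is unserialized when a new customer registers.
// Any class can be instantiated, so the gadget's __destruct runs as soon as
// $rule goes out of scope, regardless of the is_array() check.
function validateRegistrationVulnerable(string $storedRule, string $value): bool
{
    $rule = unserialize($storedRule);            // POI sink
    if (!is_array($rule)) {
        return false;                            // too late: the object exists
    }
    $len = strlen($value);
    return $len >= $rule['min_text_length'] && $len <= $rule['max_text_length'];
}

// Hardened: allowed_classes => false (PHP 7.0+) turns every "O:" token into
// __PHP_Incomplete_Class, so no attacker-chosen magic method can run.
// Storing rules as JSON instead of serialized PHP removes the sink entirely.
function validateRegistrationHardened(string $storedRule, string $value): bool
{
    $rule = unserialize($storedRule, ['allowed_classes' => false]);
    if (!is_array($rule)) {
        return false;
    }
    $len = strlen($value);
    return $len >= $rule['min_text_length'] && $len <= $rule['max_text_length'];
}

// Stand-alone demo: simulate a registration against both handlers.
$tmp = sys_get_temp_dir() . '/poi-demo-' . getmypid();
mkdir($tmp);
$dropped = $tmp . '/shell.php';

validateRegistrationVulnerable(maliciousRule($tmp), 'alice');
echo "vulnerable handler: " . (file_exists($dropped) ? "shell.php written" : "nothing written") . "\n";
if (file_exists($dropped)) {
    unlink($dropped);
}

validateRegistrationHardened(maliciousRule($tmp), 'alice');
echo "hardened handler:   " . (file_exists($dropped) ? "shell.php written" : "nothing written") . "\n";

echo "legitimate rule accepted: " . var_export(validateRegistrationHardened(legitimateRule(), 'alice'), true) . "\n";
rmdir($tmp);
```

The point of the demo is that the dangerous step is not the SQL injection by itself but the fact that data written through it is later handed to `unserialize()`. Fixing only the Quickview SQL injection leaves the deserialization sink in place for the next injection; the durable fix is to stop deserializing untrusted data (or at minimum to forbid class instantiation) and to store such configuration as JSON.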
Adobe, Magento's parent company, retired Magento 1 in June 2020, so it no longer receives updates or security patches, yet thousands of e-commerce sites are still running it. In addition to running malware monitors, Sansec advised companies to use community-provided open-source patches such as those from the OpenMage project, or to buy commercial support through Mage-One.
To learn more about combating account takeover (ATO) threats posed by attacks via the dark web and the greater deep web, join us for a free multi-channel webinar for merchants this Thursday, February 17 at 2:00 p.m. EST. Led by a security professional from Sift, it is called “The Dark Web, Account Takeovers and You”.