Analysts have found the source of a massive breach of over 500 e-commerce stores running the Magento 1 platform: a single domain that loaded a credit card skimmer onto each of them.
According to Sansec, the attack became evident late last month when their crawler discovered 374 infections on the same day, all using the same malware.
The domain from which the threat actors loaded the malware is naturalfreshmall[.]com, which is currently offline, and the threat actors’ aim was to steal customers’ credit card information from targeted online stores.
Sansec’s subsequent investigation revealed that the attackers had abused a known vulnerability in the Quickview plugin to inject rogue Magento administrator users who could then run code with the highest privileges.
The abuse occurs via the addition of a validation rule in the customer_eav_attribute table. This tricks the host application into creating a malicious object, which is then used to create a simple backdoor (api_1.php).
Validation rules for new customers are the smart part of the attack, as this triggers the injection of the payload into the registration page.
Besides injecting the credit card skimmer, hackers can also use the api_1.php backdoor to execute commands on the remote server, leading to a full site takeover.
In practice, however, siphoning off payment details using MageCart attacks (skimmers) is more beneficial for threat actors; that is why this particular wave of attacks has focused on precisely that.
Sansec points out that in an extreme case, adversaries injected up to 19 backdoors into a single e-commerce platform, possibly experimenting to determine what works best for their objective or simply taking redundancy very seriously.
No less than 19 (!) backdoors were injected into a case of NaturalFreshMall Magento mass hack.
Make sure to clean your system and kill them all, or you’ll soon find yourself back to zero.
See our analysis at https://t.co/zsrqcaCNc2
— Sansec (@sansecio) February 9, 2022
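The three traces described above (a tampered validate_rules blob in customer_eav_attribute, rogue admin users, and stray PHP backdoors such as api_1.php) can be triaged with a short script. The following Python is an added example for defenders and is not Sansec's tooling or Magento code. It assumes that Magento 1 stores validate_rules as a PHP-serialized array of scalars (an assumption; a clean install is the reference), that the allow-list of rule keys and the webroot baseline are populated from a known-good copy, and all sample rows are constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import Dict, List, Set

# Rule keys a stock Magento 1 writes for customer attributes
# (assumption: illustrative allow-list, extend it from a clean install).
KNOWN_RULE_KEYS = {"max_text_length", "min_text_length", "input_validation",
                   "date_range_min", "date_range_max"}

# Constructed customer_eav_attribute rows: attribute_code -> validate_rules blob.
SAMPLE_VALIDATE_RULES = {
    "firstname": 'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}',
    "email": 'a:1:{s:16:"input_validation";s:5:"email";}',
    "dob": "",
    # constructed: a rule key Magento never writes
    "telephone": 'a:1:{s:11:"custom_rule";b:1;}',
    # constructed: a serialized object smuggled where only a scalar belongs
    "lastname": 'a:1:{s:15:"max_text_length";O:19:"Hypothetical_Object":0:{}}',
}


class SerializedObjectFound(Exception):
    """Raised when an O:... token appears; validation rules should never hold objects."""


def _parse(s: str, i: int):
    """Minimal PHP unserialize for scalars and arrays; refuses objects outright."""
    t = s[i]
    if t == "N":                      # N;
        return None, i + 2
    if t in "ibd":                    # i:123; b:1; d:1.5;
        j = s.index(";", i)
        raw = s[i + 2:j]
        if t == "i":
            return int(raw), j + 1
        if t == "b":
            return raw == "1", j + 1
        return float(raw), j + 1
    if t == "s":                      # s:5:"email";
        colon = s.index(":", i + 2)
        n = int(s[i + 2:colon])
        start = colon + 2
        return s[start:start + n], start + n + 2
    if t == "a":                      # a:2:{key;value;key;value;}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        i = colon + 2
        out = {}
        for _ in range(count):
            k, i = _parse(s, i)
            v, i = _parse(s, i)
            out[k] = v
        return out, i + 1             # skip closing brace
    if t == "O":
        m = re.match(r'O:\d+:"([^"]*)"', s[i:])
        raise SerializedObjectFound(m.group(1) if m else "?")
    raise ValueError(f"unexpected token {t!r} at offset {i}")


def suspicious_validate_rules(rows: Dict[str, str]) -> Dict[str, str]:
    """Return attribute_code -> reason for every row that deviates from stock rules."""
    findings: Dict[str, str] = {}
    for attr, blob in rows.items():
        if not blob:
            continue
        try:
            rules, _ = _parse(blob, 0)
        except SerializedObjectFound as e:
            findings[attr] = f"serialized object {e} in validate_rules"
            continue
        except (ValueError, IndexError):
            findings[attr] = "unparseable validate_rules"
            continue
        unknown = set(rules) - KNOWN_RULE_KEYS if isinstance(rules, dict) else {"non-array"}
        if unknown:
            findings[attr] = f"unknown rule keys: {sorted(map(str, unknown))}"
    return findings


def unexpected_admins(admin_rows: List[Dict[str, str]], expected: Set[str]) -> List[str]:
    """Usernames from admin_user that are not on the team's expected list."""
    return sorted(r["username"] for r in admin_rows if r["username"] not in expected)


def unexpected_php_files(webroot: str, baseline: Set[str]) -> List[str]:
    """PHP files under webroot that are absent from the known-good file list."""
    found = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                if rel not in baseline:
                    found.append(rel)
    return sorted(found)


def demo_file_scan() -> List[str]:
    """Constructed webroot: a baseline index.php plus a stray api_1.php."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.php", "api_1.php"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php // constructed placeholder\n")
        return unexpected_php_files(root, {"index.php", "get.php", "cron.php"})


if __name__ == "__main__":
    print(suspicious_validate_rules(SAMPLE_VALIDATE_RULES))
    print(unexpected_admins([{"username": "admin"}, {"username": "support2"}], {"admin"}))
    print(demo_file_scan())
```

The parser deliberately raises on any object token rather than trying to interpret it, since a legitimate validation rule never contains one; on a real store the rows would come from `SELECT attribute_code, validate_rules FROM customer_eav_attribute JOIN eav_attribute USING (attribute_id)` and the file baseline from a clean checkout of the same Magento version. Hits in all three checks together match the pattern the article describes, and, as the Sansec tweet notes, every stray file has to be removed, not just the first one found.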
Magento 1 is still used
Adobe stopped supporting the popular e-commerce platform’s Magento 1 branch on June 30, 2020, but thousands of sites are still using the outdated software.
This makes sites vulnerable to a wide range of hacker attacks and, by extension, puts their customers’ sensitive data at risk.
These details typically include credit card numbers, shipping addresses, names, phone numbers, email addresses, and generally anything else needed to place an order online.
It is strongly recommended that all Magento admins confirm that they are using the latest version of the platform and upgrade if they are using older unsupported versions.