More than 500 online stores running the Magento 1 e-commerce platform have been compromised by a digital skimmer, e-commerce security firm Sansec has said.
What made the attack stand out was the clever use of a combination of SQL injection and PHP object injection, which ultimately provided the attackers with control of the Magento store. On all infected websites, the payment skimmer was loaded from the naturalfreshall(.)com domain.
The initial intrusion vector was a known vulnerability in the Quickview plugin, which attackers typically use to inject malicious admin users into vulnerable Magento stores.
In this case, however, the weakness was abused to add a validation rule which resulted in a file containing a simple backdoor being added to the database. New customer validation rules would then be used to trigger code execution by simply browsing the Magento registration page.
According to Sansec, the attackers deployed no less than 19 backdoors on the compromised system, which means that the affected sites must eliminate them all to ensure that they do not fall victim to further attacks.
[READ: Target Open Sources Web Skimmer Detection Tool]
Sansec has published a list of files that have been found to be either fully malicious or contain malicious code, and advises potential victims to run a malware scanner to identify these files and other indicators of compromise.
The eCommerce security firm also points out that the Magento 1 platform has reached its end of life and that Adobe no longer provides security updates for it, even though thousands of merchants continue to use it.
Thus, store admins are advised to take all necessary measures to keep their sites secure, as well as check for community-provided fixes for Magento 1 (the PHP object injection issue, for example, has a fix).
Related: Skimmer injected into 100 real estate websites via cloud video platform
Related: Adobe warns of critical flaws in Magento, Connect
Related: Hundreds of Magento Stores Hacked Daily in Major Skimming Campaign