2,000 Magento Stores Hacked in one Weekend

While ransomware continues to dominate international headlines, the recent hack of nearly 2,000 Magento stores is a reminder that Magecart-style attacks are still very much in use. In a Magecart-style attack, the attacker compromises an online shopping cart, usually by injecting only a few lines of JavaScript that copy the card details a customer enters at checkout. The details are sent to a command-and-control server run by the attacker and are then sold on the dark web or used by mules working for criminal organizations to make fraudulent purchases. In some campaigns, this one included, the injected code also diverts payment data to infrastructure under the attacker's control.

According to Sansec, a security firm specializing in Magecart attacks, the roughly 2,000 stores were hacked over a single weekend by an automated attack. Sansec's report on the incident found that the attack targeted stores still running Magento version 1, which Adobe, the platform's owner and distributor, declared end-of-life in June 2020. Sansec found that 1,904 stores had been infected with a single keylogger (skimmer) that was stealing card data from the stores' checkout pages. The firm detected 10 infected stores on Friday; the number jumped to 1,058 on Saturday, then declined on Sunday and Monday, with 603 and 233 new infections respectively.

The hack is the largest of its kind to target Magento, at least since Sansec began tracking this style of attack; the previous record of 962 stores was set in June 2019. Sansec believes the sudden spike reflects how attractive the potential profits of Magecart web skimming have become to criminals.

[Figure: 2k Magento stores hacked over the weekend]

To push the profit potential higher, attackers have been automating their campaigns to infect as many stores as possible. It is hard to put an exact number on how many customers had their credit card details, and other personally identifiable information, stolen, but Sansec estimates that tens of thousands of individuals were affected by a campaign that lasted only a weekend.

Exploit sold for 5,000 USD

Only a few details have emerged about how so many stores were compromised. Most of the affected stores had no history of prior security incidents, which suggests that a new attack method was used to gain access to the servers hosting them. That method not only gave the attacker access to data but also allowed them to write new code into the checkout pages of the affected stores. There is a strong case that a previously unknown exploit was used, and that it was likely bought on an underground hacking forum. Sansec notes,

“While we are still investigating the exact vector, this campaign may be related to a recent Magento 1 0day (exploit) that was put up for sale a few weeks ago. User z3r0day announced on a hacking forum to sell a Magento 1 “remote code execution” exploit method, including instruction video, for $5000. Allegedly, no prior Magento admin account is required. Seller z3r0day stressed that - because Magento 1 is End-Of-Life - no official patches will be provided by Adobe to fix this bug, which renders this exploit extra damaging to store owners using the legacy platform. To sweeten the deal, z3r0day pledged to only sell 10 copies of the dangerous exploit.”

While the exact details of how the attack occurred are still unknown, forensic analysis has uncovered a few vital pieces of information. The attacker used two IP addresses (one in the US and one at OVH, FR) to interact with the Magento admin panel, and used the Magento Connect feature to download and install various files, including a malicious file named mysql.php. Once its payload had been appended to the prototype.js file used by Magento, mysql.php was deleted automatically.

Researchers noted that web server logs show numerous file-installation attempts over the weekend, possibly to deploy improved versions of the skimmer. The skimmer itself lives in the modified prototype.js file and is executed only when the checkout page is loaded. It not only steals credit card details but is also able to intercept payment data. Researchers found that the stolen data is exfiltrated to a Moscow-hosted site at hxxps://imags.pw/502.jsp, which sits on the same network that hosts the keylogger.
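The two artefacts Sansec describes, admin-panel and Magento Connect activity from unfamiliar addresses, and a modified prototype.js whose appended code only fires on the checkout page, are exactly what a Magento 1 store owner should be checking for. The script below is an added example written for this article; it is not Sansec's tooling, Magento code, or the campaign's skimmer. It assumes the Magento 1 defaults of /downloader/ for Magento Connect Manager and /index.php/admin for the admin panel, and every log line, IP address and JavaScript snippet in it is a constructed sample.

```python
"""Triage checks for a Magento 1 store suspected of a Magecart-style compromise.

Added example for this article, not Sansec's tooling or Magento code. It shows:

1. finding requests to the admin panel and to Magento Connect Manager (served from
   /downloader/ on Magento 1) that come from addresses outside an allow-list;
2. testing the served prototype.js against a known-good hash and for appended code
   that references external hosts or is gated on the checkout URL.

All log lines, addresses (documentation ranges) and JavaScript below are constructed.
The admin path /index.php/admin is the Magento 1 default and an assumption here.
"""
import hashlib
import re

SENSITIVE_PREFIXES = ("/downloader/", "/index.php/admin", "/admin/")

# Common Log Format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
GATE_RE = re.compile(r"location\.(?:href|pathname)")
CHECKOUT_RE = re.compile(r"checkout|onepage", re.I)


def suspicious_admin_access(log_lines, allowed_ips):
    """Return (ip, method, path) for admin/Connect requests from non-allow-listed IPs."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        ip, path = m.group("ip"), m.group("path")
        if ip not in allowed_ips and path.startswith(SENSITIVE_PREFIXES):
            hits.append((ip, m.group("method"), path))
    return hits


def skimmer_indicators(js_source, known_good_sha256, first_party_hosts):
    """Describe why a served prototype.js looks tampered with.

    modified:       content no longer matches the hash of a clean copy
    external_hosts: hosts referenced in the file that are not first party
    checkout_gated: the code reads the page URL and mentions checkout/onepage,
                    the pattern of a skimmer that only fires at checkout
    """
    digest = hashlib.sha256(js_source.encode("utf-8")).hexdigest()
    external = sorted({h for h in URL_RE.findall(js_source) if h not in first_party_hosts})
    gated = bool(GATE_RE.search(js_source)) and bool(CHECKOUT_RE.search(js_source))
    return {"modified": digest != known_good_sha256,
            "external_hosts": external,
            "checkout_gated": gated}


# --- constructed sample data -------------------------------------------------
ALLOWED_ADMIN_IPS = {"192.0.2.44"}  # the merchant's own office address (constructed)
LOG_LINES = [
    '203.0.113.10 - - [12/Sep/2020:02:14:07 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5120',
    '203.0.113.10 - - [12/Sep/2020:02:15:22 +0000] "POST /downloader/index.php HTTP/1.1" 200 318',
    '198.51.100.7 - - [12/Sep/2020:02:16:01 +0000] "GET /js/prototype/prototype.js HTTP/1.1" 200 160543',
    '192.0.2.44 - - [12/Sep/2020:09:00:00 +0000] "GET /index.php/admin/ HTTP/1.1" 200 5120',
]

# Stand-in for the library as shipped; in practice take the hash from a clean install.
CLEAN_JS = ("/*  Prototype JavaScript framework  (c) Sam Stephenson  http://prototypejs.org/ */\n"
            "var Prototype = { Version: '1.7' };\n")
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_JS.encode("utf-8")).hexdigest()
FIRST_PARTY_HOSTS = {"shop.example", "prototypejs.org"}

# Stand-in for the appended code: the real skimmer is not reproduced here. This snippet
# only shows the checkout-gating and external-host pattern and collects nothing.
INFECTED_JS = CLEAN_JS + (
    "if (location.pathname.indexOf('/checkout/') !== -1) {"
    " new Image().src = 'https://imags.pw/502.jsp'; }\n"
)

if __name__ == "__main__":
    print(suspicious_admin_access(LOG_LINES, ALLOWED_ADMIN_IPS))
    print(skimmer_indicators(INFECTED_JS, KNOWN_GOOD_SHA256, FIRST_PARTY_HOSTS))
```

Run against real data, feed the access log through `suspicious_admin_access` with the addresses your staff actually use, and compare the prototype.js the web server serves (not only the one on disk, since a compromised server can differ) with the hash of the same file from a clean Magento 1 download. A hash mismatch alone is not proof, as legitimate customizations also change it, so the external-host and checkout-gating indicators are what turn a mismatch into an incident.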

Time to move on from Magento 1

Version 1 of Magento officially reached end-of-life in June 2020, and, as is typical for end-of-life products, Adobe has provided no updates since. This did not come out of the blue: customers were notified in September 2018 that support would end and that they should migrate to version 2. When that announcement was made, an estimated 270,000 stores were running version 1. Towards the end of 2019 the number had decreased only slightly, to somewhere between 200,000 and 240,000. Adobe pushed the end-of-life date back twice, possibly because of the slow pace of migration to version 2.

By the end of June 2020 the numbers looked better, at approximately 110,000. However, when one considers that over a hundred thousand stores may be open to exploitation and that card details currently sell for 12 USD to 20 USD on average, the attack surface is highly tempting. And that counts only the sale of card details and personal information, not the potential profit from intercepted payments.

Of the hundred-thousand-plus stores that were exposed as of June, some can be assumed to be closed or to see so little traffic that they are not worth an attacker's time. Even so, the profit on offer is clear. For cybercriminal organizations the profit usually outweighs the risk of being caught, and for those that are well organized and use mules the risk of being caught drops sharply. It was only in 2020 that the first arrests linked to Magecart attacks were made, in Indonesia. Those arrested are believed to have acted as mules, using the stolen details to make fraudulent purchases in exchange for a share of the profits. Since Magecart attacks can rarely be prevented by the end user or customer, the following advice was given at the time of the arrests:

“To avoid big financial losses due to JS-sniffers [Magecart-style attacks], it’s recommended for online users to have a separate pre-paid card for online payments, set spending limits on cards used for online shopping, or even use a separate bank account exclusively for online purchases. Online merchants, in their turn, need to keep their software updated and carry out regular cybersecurity assessments of their websites.”

Given the slow rate of migration to version 2, both Mastercard and Visa issued alerts, with Visa taking the stronger tone of the two. Visa warned that shop owners who did not migrate could be found non-compliant with PCI DSS. Being declared non-compliant with the PCI DSS standard, which governs how merchants and financial institutions handle card data, can be devastating, as the merchant can become directly liable for the damages its customers suffer.

While Mastercard's tone may have been lighter, the implications of its alert were not: it reported that 77% of the companies investigated in web-skimming incidents were not in compliance with PCI DSS Requirement 6, the requirement to develop and maintain secure systems and applications, which in practice means running patched, up-to-date software. Non-compliance carries other consequences for online store owners, including monthly penalties that range from 5,000 USD to 100,000 USD depending on the business category. Further, if a non-compliant merchant suffers an incident that is classed as a data breach, the following penalties can be imposed:

  • Fines of between 50 USD and 90 USD per cardholder whose information was endangered
  • Termination of the relationship between the company and the payment processor
  • The incident opens the business to civil suits from affected customers.

If you are still running Magento version 1, now is the time to migrate, especially as the exploit being used against it will never be patched.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.