Magecart targets Magento extensions zero-day vulnerability to steal payment card information

• The attackers are exploiting the PHP unserialize function to insert malicious code into websites.
• Out of the 20 affected extensions, only two have been located by a researcher.

The prolific Magecart hacker group has been exploiting zero-day vulnerabilities, targeting around 20 unpatched Magento extensions in order to plant payment card skimmers on online stores. The attackers are exploiting the PHP unserialize() function to insert malicious code into websites.

Dutch security expert Willem de Groot tracked down the attacks leveraging the zero-day vulnerabilities but has only been able to identify two of the 20 extensions. The researcher has also reached out to the security community to help him locate the remaining vulnerable Magento extensions.

Identified vulnerable extensions

One of the extensions identified as vulnerable was the Webcooking_SimpleByndle Magento extension. However, the manufacturer issued a fix for the vulnerability as soon as de Groot reached out to the firm.

The second vulnerable extension was identified as TBT_Rewards, which was abandoned a few months back. De Groot said that this extension should be uninstalled from all stores due to the security risk it poses.

Same attack method used in 20 different places

This particular attack method used by the Magecart hackers is not new. The same method, PHP Object Injection (POI), was used on the Magento e-commerce platform and was assigned as the vulnerability CVE-2016-4010 identifier.

Later, the Magento team fixed the vulnerability by replacing the PHP unserialize() function with json_decode() in the SUPEE-8788 patch, which was released on October 2016.

De Groot said in atechnical report that, all the zero-days affecting the 20 extensions are practically the same but planted in 20 different places.

"While the extensions differ, the attack method is the same: PHP Object Injection (POI),” he added.

According to de Groot, many extension developers appear to have not taken the Magento extension attack seriously, choosing not to fix the vulnerabilities in their extensions. Many manufacturers still have the PHP unserialize() function enabled, exposing their Magento extensions to attacks once again.

Hacker group behind the attack

The Magecart group has conducted payment-card information-stealing attacks across the globe over the past three years. However, the magnitude of the attacks has risen to an alarming proportion. Major brands such as Ticketmaster, British Airways and Newegg were targeted by the group earlier this year.

Now, several other threat actors have also started using the attack method used by Magecart group. If the targeted online store does not handle card payments either internally or via external sites, victims are redirected to a fake checkout form created by the threat actors to steal the payment card information. These fake payment forms used by the hacker group also increase the effectiveness of the attack, researchers said.

“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities,” de Groot said. “And they are now probing Magento stores in the wild for these extensions. I collected the following probes. If you are running any of them, you’d better disable them quickly and search your logs for unauthorized activity.”