Over 3000 Magento shops have been hacked via insecure extensions in the last 3 months

• Attackers use an extension bug to download other extensions and later search for zero-day security issues.
• Failing to keep the extensions up-to-date is one of the main cause for the rise in such attacks.

In the latest research, it has been found that Magento shops can be targeted by leveraging vulnerable third-party extensions or modules. The attackers can abuse these weak third-party extensions to perform a global scan and find vulnerable victims.

Attack process

According to security researcher and Magento forensic investigator William de Groot, attackers use an extension bug to download other extensions and later search for zero-day security issues such as POI (PHP Object Injection), SQL injection and Cross-Site Scripting flaws.

“The method is straightforward: attacker uses an extension bug to hack into a Magento store. Once in, they download all of the other installed extensions. The attacker then searches the downloaded code for 0day security issues, such as POI, SQLi and XSS flaws. Once found, the attacker launches a global scan to find vulnerable victims. Rinse and repeat,” said Groot in a blog post.

The researcher, who has been monitoring and documenting card-skimming activities on Magento shops, estimates that over 3000 stores have been due to insecure extensions in the last 3 months.

Failing to keep the extensions up-to-date is one of the main cause for the rise in such attacks.

“Many extension releases are backward incompatible, which requires costly developer hours. There is no standardized way to get notified of critical releases. And most important: merchants value stability above all, which does not fit well with a continuous upgrade policy,” he noted.

Solution

William De Groot has compiled a list of vulnerable Magento extensions. Online merchants can scan their sites against the repository using Magerun module or a single-line command. Both the processes require access to the server. As a result of the scan, the merchants can figure out:

• The name of the vulnerable modules
• The latest version of extensions
• Part of the URL that attackers use to exploit each module
• Name of the URLs which are under attack
• The URL with upgrade instructions.

Groot claims that most of the vulnerable extensions are discovered on Magento 1 installations.