Another massive wave of Magecart attacks was detected by Sansec last week. This attack, once again, highlights the vulnerability of e-commerce sites running outdated software.

Diving into details

  • More than 500 e-commerce sites running Magento 1 were breached via a single domain that loaded credit card skimmers.
  • Sansec’s crawler identified 374 infections on the same day, with the same malware.
  • The malicious domain was naturalfreshmall[.]com, which is offline now.
  • The threat actors aimed to pilfer credit card details of customers from the infected stores.

Modus operandi

  • The threat actors exploited a known bug in the Quickview plugin to inject rogue Magento admin users, allowing them to run code with the highest privilege.
  • Besides injecting the credit card skimmer, they used the api_1.php backdoor to execute commands on the compromised server, essentially taking complete control of the site.
  • In an extreme case, they injected 19 backdoors in a single online store.

Stop using Magento 1

  • Adobe hasn't supported Magento 1 since June 30, 2020.
  • Sites using the defunct platform are prone to a huge range of attacks, putting sensitive information at risk.
  • The goal of adversaries is to steal credit card details, names, phone numbers, shipping addresses, email addresses, and other details required to place an order online.

The bottom line

Last month, the Segway online store was compromised by Magecart Group 12, showing that any e-commerce store can fall prey to carefully planned Magecart attacks. The attacks detailed in this article were only possible because the sites were still running software that reached EOL in 2020. Hence, it is recommended to upgrade to the latest platforms, patch your systems regularly, and check for unwanted intrusions.
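The three indicators this article gives (a skimmer loaded from naturalfreshmall[.]com, an unexpected api_1.php backdoor in the webroot, and admin users the store owner never created) map directly onto three checks a store operator can run. The script below is an added example written for this article, not code from Sansec or Cyware; the store hostnames, the deployment manifest, the admin user list and the sample HTML are constructed placeholders, and only the skimmer domain and the api_1.php filename come from the report.

```python
import re
from urllib.parse import urlparse

# Indicator from the Sansec report: the domain that served the skimmer.
SKIMMER_DOMAINS = {"naturalfreshmall.com"}

# Hosts allowed to serve scripts for this store (constructed allowlist; replace with your own).
TRUSTED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Matches the src attribute of <script> tags; inline scripts are not covered by this check.
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def find_script_hosts(html):
    """Return the set of hosts referenced by <script src=...> tags in a page."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname  # handles https://, http:// and protocol-relative // URLs
        if host:
            hosts.add(host.lower())
    return hosts


def audit_scripts(html):
    """Report script hosts that are known skimmer domains, and any host outside the allowlist."""
    hosts = find_script_hosts(html)
    return {
        "known_bad": sorted(h for h in hosts if h in SKIMMER_DOMAINS),
        "unapproved": sorted(h for h in hosts if h not in TRUSTED_SCRIPT_HOSTS),
    }


def audit_webroot(files, manifest):
    """Flag PHP files present in the webroot but absent from the deployment manifest.

    The api_1.php backdoor from the report would show up here, as would any other
    dropped file, because the check is against what was deployed rather than a name list.
    """
    return sorted(f for f in files if f.endswith(".php") and f not in manifest)


def audit_admin_users(users, approved):
    """Flag Magento admin accounts that nobody on the team created."""
    return sorted(set(users) - set(approved))


# Constructed sample inputs standing in for a crawled checkout page, a file listing
# of the webroot, and the output of the admin user table.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example/static/checkout.js"></script>
<script src="https://naturalfreshmall.com/img/tracker.js"></script>
</head><body>Checkout</body></html>"""

SAMPLE_FILES = ["index.php", "app/etc/local.xml", "api_1.php", "media/cache.php", "js/mage/app.js"]
SAMPLE_MANIFEST = {"index.php", "app/etc/local.xml", "js/mage/app.js"}

SAMPLE_ADMINS = ["admin", "ops_jane", "Mage_Admin"]
APPROVED_ADMINS = {"admin", "ops_jane"}


def run_audit():
    """Run all three checks over the constructed samples and return one report."""
    return {
        "scripts": audit_scripts(SAMPLE_HTML),
        "unexpected_php": audit_webroot(SAMPLE_FILES, SAMPLE_MANIFEST),
        "rogue_admins": audit_admin_users(SAMPLE_ADMINS, APPROVED_ADMINS),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

The webroot check deliberately compares against a manifest of deployed files rather than a list of known backdoor names, so that a renamed api_1.php is caught just as well; the script-host check likewise flags any host outside the allowlist, not only the one domain named in this campaign.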

Cyware Publisher