The hack has been discovered by US security firm Sucuri, which says it is part of a wave of recent attacks in the wild by the same unnamed hacker group, and predicts "we're in for a new trend of Magento-based credit card stealers".
Sucuri senior malware researcher Peter Gramantik said in a 23 June blog post that the latest attack exploits a previously unknown vulnerability in the Magento core or one of its widely used modules/extensions.
“Using this vector, the attacker is able to inject malicious code into the Magento core file,” he said.
This lets the hacker intercept POST requests to the infected site, capturing all the credit card and billing details that shoppers submit to the site's server.
Sucuri has found several variants of the attack and says "new ones may come soon". But Gramantik said one constant across all the attacks is that the stolen data is encrypted using a PUBLIC_KEY defined by the attacker at the beginning of their malicious script.
“This indicates that it's likely the same author who created this whole family of credit card stealers,” he said.
The stolen data is saved in a fake JPEG or GIF image file, and the attackers also modify the file's timestamp so it "looks like the file has not been touched for some time, making it less suspicious".
Gramantik added that the malware has “a nice little purge function implemented for clearing the trails”.
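Two of the details above give a defender something concrete to look for on disk: a drop file that carries an image extension but no image inside, and a modification time that has been set back by hand. The following is an added example written for this article, not code from Sucuri or from the Magento project. It builds a constructed sample media tree (a genuine GIF, a fake JPEG holding base64-looking text with a backdated mtime, and an unrelated PNG) and scans it with two checks: a magic-byte check for JPEG/GIF files, and a timestamp heuristic that relies on the fact that utime()/touch can rewrite mtime but the kernel still bumps ctime to "now", so a ctime far ahead of mtime means the modification time was set rather than earned. The directory layout, file names, and the one-day gap threshold are assumptions for illustration; the byte content of the fake image is constructed and is not a real payload.

```python
import os
import tempfile
import time
from pathlib import Path

# Magic numbers a genuine JPEG or GIF must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def is_fake_image(path: Path) -> bool:
    """True if the file has a JPEG/GIF extension but not the matching magic bytes."""
    magics = IMAGE_MAGIC.get(path.suffix.lower())
    if magics is None:
        return False  # not an extension we check
    with path.open("rb") as f:
        head = f.read(8)
    return not any(head.startswith(m) for m in magics)


def mtime_backdated(path: Path, min_gap_seconds: float = 86400) -> bool:
    """Heuristic: utime()/touch rewrite mtime, but the kernel sets ctime to the
    current time on that metadata change. A file whose ctime is far ahead of
    its mtime had its modification time set by hand (or its metadata was
    changed later, which is why this is a lead, not proof)."""
    st = path.stat()
    return (st.st_ctime - st.st_mtime) > min_gap_seconds


def scan_for_dropfiles(root: Path, min_gap_seconds: float = 86400) -> list:
    """Walk root and return (relative_path, [reasons]) for every suspicious file."""
    findings = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        if is_fake_image(p):
            reasons.append("extension/magic mismatch")
        if mtime_backdated(p, min_gap_seconds):
            reasons.append("mtime backdated (ctime - mtime > threshold)")
        if reasons:
            findings.append((p.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_tree() -> Path:
    """Constructed sample tree (assumed layout, not a real Magento install)."""
    root = Path(tempfile.mkdtemp(prefix="magento_media_"))
    media = root / "media" / "catalog"
    media.mkdir(parents=True)
    # Genuine GIF: correct magic, timestamps left as written.
    (media / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 20)
    # Fake JPEG: base64-looking text instead of image data (constructed, not a payload),
    # with mtime pushed back ~400 days to mimic the "untouched for some time" trick.
    drop = media / "thumb_1.jpg"
    drop.write_bytes(b"Q0MgZGF0YSBoZXJl\n" * 4)
    old = time.time() - 400 * 86400
    os.utime(drop, (old, old))
    # PNG is outside the checked extensions and is ignored.
    (media / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return root


if __name__ == "__main__":
    for rel, why in scan_for_dropfiles(build_sample_tree()):
        print(rel, "->", "; ".join(why))
```

Run against a real store, point `scan_for_dropfiles` at the web root and treat each hit as a lead to triage by hand: a flagged "image" that contains encrypted blobs or PHP, next to a modified core file, matches the pattern Sucuri describes. The timestamp check alone will also flag legitimately old files that later had their permissions or ownership changed, so it is most useful combined with the magic-byte check.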
Sucuri does not know how many sites have so far been infected, but research shows Magento is the most popular online retail platform worldwide, driving around a quarter of the top million e-commerce sites, including eBay, Nike and Mothercare.
The latest attack follows the discovery in April of a critical remote code execution flaw in Magento by Check Point Technologies, as reported by SC.
In response, Sucuri is urging merchants to protect their data through PCI compliance. It also warns that while the current attack targets Magento: “Realise that this can affect any platform that is used to support e-commerce. As the industry grows so will the specific attacks targeting the industry.”
Independent e-commerce security expert Sarb Sembhi agrees, and he is urging eBay and other platform providers to review their code before the wave of individual flaws leads to a serious breach.
Sembhi, a director of Storm Guidance and a leading light in the ISACA security professionals organisation, told SCMagazineUK.com: “With any platform, if you are exchanging any sort of financial data you need to be reviewing your code - because the chances are hackers have been. It's not like you can write it once and think ‘if it ain't broke, let's not fix it'. The longer you don't change things, the longer it's consistently the same for hackers to find some sort of vulnerability.
“Over the last two or three years, hackers have chipped away at the Magento platform, and that's been the pattern in the past, where lots of little chips eventually lead to a big gaping hole. Someone uses all the different bits of research to find the real flaw, and that's the danger. I'd predict something major happening in the next nine to 12 months unless they change their code base.”
Cyber-expert Matt Aldridge, solutions architect at Webroot, believes merchants can also help in the protection process.
He told SCMagazineUK.com via email: “It's a serious attack because there is no way for end users of e-commerce sites to know that they are at risk. That's worrying because this attack is targeting the payment details of these innocent users.
"Unfortunately, attacks of this type are on the rise and are becoming increasingly sophisticated. End users cannot really defend against these types of attacks until the payment card industry can enable one-off payment credentials for online use. Merchants must ensure that their systems and all the partner systems on which they are dependent are regularly audited and patched."
But Aldridge added: “The quality and frequency of security patches varies depending on the maturity of the merchant and legislation surrounding them, and where there is dependency on third-party code, this may be beyond the merchant's ability to remediate.”
Christopher Bailey, CTO for behaviour analytics and biometrics firm NuDataSecurity, told SCMagazineUK.com via email: “E-commerce platforms such as Magento are a ripe target for fraudsters, and this example mirrors attacks seen in other channels.
“As the sophistication of such attacks continues to increase, it is critical that merchants maintain best practices in security and continuously monitor user behaviour to discover such anomalies in real time, and maintain up-to-date security patches as a critical part of their security strategy.”