Malware campaign infects thousands of Magento e-commerce sites

News by Bradley Barth

Over the last six months, a recently discovered, highly prolific payment card-scraping campaign managed to infect more than 7,000 online stores running on the open-source Magento e-commerce software platform.


In a 30 August blog post, Dutch security researcher Willem de Groot reported that the operation involved online payment skimming malware called MagentoCore. Of the 7,339 e-shops found to be impacted, at least 1,450 of them were infected for the entire half-year period the threat has existed.

De Groot further explained that MagentoCore skimmers "gain illicit access to the control panel of an e-commerce site, often with brute force techniques," then embed JavaScript into the HTML template. The malicious script records keystrokes and "sends everything in real-time to the magentocore.net server, registered in Moscow."

The malware also inserts a backdoor for periodic downloads, removes competing malware, and changes the passwords of common staff user names.
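As an added illustration of the injection pattern described above (example code, not from the article, de Groot, or Magento), the following Python audits an HTML template for script tags whose source host is not on the store's allowlist or that reference the exfiltration domain named in the article; the allowlist and the sample template are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of hosts this store legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}
# Exfiltration domain the article reports for MagentoCore.
KNOWN_SKIMMER_DOMAINS = {"magentocore.net"}


class ScriptAuditor(HTMLParser):
    """Records every <script> tag whose src or inline body looks injected."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (reason, value) tuples
        self._inline = False    # currently inside a <script> without src?

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        self._inline = src is None
        host = urlparse(src).hostname if src else None  # None for relative paths
        if host in KNOWN_SKIMMER_DOMAINS:
            self.findings.append(("known-skimmer-host", src))
        elif host and host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("unlisted-host", src))

    def handle_data(self, data):
        # Inline script bodies: flag any mention of a known skimmer domain.
        if self._inline:
            for dom in KNOWN_SKIMMER_DOMAINS:
                if dom in data:
                    self.findings.append(("inline-reference", dom))

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._inline = False


def audit_template(html):
    """Return [(reason, value), ...] findings for one HTML template string."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample: one legitimate script, one injected src, one injected inline body.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.shop.example/app.js"></script>
<script src="//magentocore.net/collect.js"></script>
<script>var endpoint = "https://magentocore.net/";</script>
</head><body></body></html>"""
```

Running `audit_template(SAMPLE_HTML)` reports the injected src tag as a known skimmer host and the inline body as a reference to that domain, while the allowlisted CDN script produces no finding.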

In the two weeks preceding the post, the attackers were infecting websites at a clip of 50 to 60 stores per day, according to de Groot.

Through a company spokesperson, Magento, a division of Adobe Systems, issued a statement placing the number of affected websites at closer to 5,000. "Our security team has found that around 5,000 Magento Open Source users were affected by brute force attacks, in which MagentoCore malware planted skimmers on sites," the spokesperson told SC Media. "One of the most common ways a site can be compromised is by brute force attacks, which work by exploiting common or default passwords. There is no evidence that any Magento Enterprise customers were impacted."

"Nearly all of the sites we've identified as being infected with the MagentoCore malware signature are missing patches and/or running on an outdated version," the statement continued.

"Magento is an open-source platform and for this reason is also a favorite target of bad actors. This latest attack was likely carried out through password guessing and exploited vulnerabilities in Magento servers..." said Devon Merchant, digital security and operations manager at The Media Trust, in emailed comments. "The vulnerabilities might lie in the web application source code, enabling bad actors to manipulate the code and inject rogue script into the HTML template. The script then logs keystrokes and sends them to a command-and-control server."
