Sansec researchers discovered a Magecart campaign affecting over 500 e-commerce sites, with most stores infected in a day. The campaign targeted online stores running Magento CMS outdated versions with a vulnerable plugin.
The researchers said the attackers modified existing Magento files by adding malicious code and/or inserted new scripts on the affected websites. In one incident, they created “no fewer than 19 backdoors” on a single domain likely to test the method that works best.
The redundancy also ensured that Magecart attackers retained control over the infected websites after the malicious scripts were detected, removed, and the vulnerable software updated.
Magecart is a collective term for various credit card skimmers and groups using malicious scripts to steal payment card information. The groups also steal customers’ personal information such as phone numbers, email addresses, and shipping information.
The researchers said the Natural Fresh skimmer shows a fake payment popup defeating the security of a PCI-compliant hosted payment form.
They observed that the credit card skimmer sent exfiltrated credit card data to https://naturalfreshmall.com/payment/payment.php, the now-defunct domain that also hosted the malicious scripts. The campaign peaked in a single day, with at least 374 e-commerce sites infected by the MageCart variant in 24 hours.
According to the researchers, the targeted e-commerce sites run Adobe’s Magento 1 open-source content management system (CMS) that reached its end-of-life (EOL) on June 30, 2020. Despite Sansec’s discovery, the end-of-life version is unlikely to receive any updates. Consequently, online store owners must use alternative means like hiring third-party experts and using open-source and commercial tools like OpenMage to secure their e-commerce sites.
“Running an e-commerce website on an outdated and unpatched platform is like driving your car without your seat belt on,” said Ron Bradley, VP at Shared Assessments. “The driver is thinking, the store is right around the corner, by the time I put on my seat belt, I’ll be there, plus I don’t want to wrinkle my clothes. Then comes the crash!”
Bradley questioned how Magento and other e-commerce platforms with a long history of vulnerabilities passed PCI audits without identifying the issue.
“This is a prime example of why it’s so important to vet both your downstream and upstream partners as part of any good third-party risk management program,” Bradley added. “Ask the tough questions about patch management and vulnerability management. Insist on getting documentation to support vendor claims. Tell them to buckle up for everyone’s safety!”
Magecart attackers leveraged SQL injection and PHP object injection to compromise e-commerce websites
The researchers suggested that the attackers targeted a known vulnerability in the Quickview plugin to create administrator accounts on compromised websites.
Sansec reached out to the affected website owners and determined that the attackers combined SQL injection (SQLi) vulnerability and PHP Object Injection (POI) attacks to compromise vulnerable e-commerce sites. They leveraged the Quickview plugin vulnerability to add a validation rule to the ‘customer_eav_attribute’ table and used the POI payload to trigger the application to create a malicious object.
Additionally, they utilized the ‘Zend_Memory_Manager’ and ‘Zend_CodeGenerator_Php_File’ components to create a file named ‘api_1.php’ a simple backdoor ‘eval($_POST[‘z’])’. An attacker could use this backdoor to run any PHP code on the compromised e-commerce sites.
“However, just adding it to the database will not run the code,” they wrote. “Magento actually needs to unserialize the data. And there is the cleverness of this attack: By using the validation rules for new customers, the attacker can trigger an unserialize by simply browsing the Magento signup page.”
The attackers added the actual credit card skimmer to the ‘core_config_data’ table in the design/footer/absolute_footer section, according to the researchers.
They published a list of indicators of compromise (IoC), including the directory structure and a list of affected IP addresses.
Cleaning up Magecart on infected e-commerce sites
Sansec researchers advised owners of vulnerable e-commerce sites to remove every malicious script to prevent subsequent attacks after cleanup.
“No less than 19 (!) backdoors were injected in one case of the NaturalFreshMall Magento mass hack,” Sansec tweeted. “Make sure to scrub your system and kill them all, or you will find yourself back to zero soon.”
Updating to a newer Magento version is unlikely to remove the Magecart infection since the Magecart attackers introduced multiple persistence methods.
However, website owners should migrate to newer and supported versions to protect their e-commerce sites from MageCart attacks leveraging unpatched vulnerabilities in the Magento EOL version.
“Magecart attackers are always looking for ways to avoid detection in their quest to steal the credit card information of customers,” said Kunal Modasiya, Senior Director of Product Management at PerimeterX.
Modasiya suggested that e-commerce companies should sign up to receive real-time alert notifications on payment card data leaks, “They should also quickly isolate any third-party library changes that have caused the incident, and quickly mitigate the risk by removing or updating the third party library and block the PCI incident to prevent further PCI data leaks.”