A large-scale MageCart campaign compromised the private information of users in over 2,000 Magento stores, according to Sanguine Security (Sansec) researchers. The automated campaign affected tens of thousands of customers and is possibly the largest Magecart attack since 2015. The largest Magecart attack the firm recorded involved 962 stores.
The researchers noted that no admin account was required to execute the attacks. The Dutch cybersecurity firm said that the attackers executed the attack by gaining write access to the server through Magento 1.x zero-day vulnerabilities. The firm noted that an exploit kit was recently on sale in the dark web hacking forums by a user named z3r0day.
Outdated software vulnerabilities exposed Magento stores to attacks
Most of the affected Magento stores had not recorded any recent security incidents suggesting that the Magecart attack originated from the software used in building the stores. The Magento 1.x software stopped receiving updates since June 2020, thus exposing the sites to zero-day vulnerabilities found in the wild. Security experts suggested that the hackers discovered the vulnerabilities earlier but waited for the software to reach its end of life (EOL) to exploit the vulnerabilities.
The researchers also found a user named z3r0day, who was selling a Magento remote code execution exploit kit and an instruction video for $5,000. The hacker promised potential buyers that Adobe would not patch the software vulnerability because Magento 1.x had reached the end of life. Consequently, Magento e-commerce store owners had no means of protecting their stores from a Magecart attack.
Adobe issued an alert about a possible Magecart attack on sites running the deprecated Magento 1.x version of the software in November 2019. Similar concerns were echoed by MasterCard and Visa. Efforts by Adobe to convince Magento store owners to migrate from version 1.x to 2.x reduced the number of vulnerable stores from 240,000 to about 95,000. However, many Magento store owners are unaware of the software vulnerability and will likely continue running the outdated software.
Commenting on the Magecart attack on Magento stores, Paul Bischoff, a privacy advocate with Comparitech, says, “Hackers can easily scan for outdated versions of Magento and use automated bots to access them, upload shell scripts, and install the card skimming malware. Card skimming attacks are undetectable by end-users, so the responsibility falls on website operators to update their systems to the latest version of Magento. At this point, any website using Magento 1.x should be assumed compromised.”
Sansec researchers said that the profitability of web skimming was a contributing factor to the increase in such attacks. Consequently, outdated Magento stores will remain attractive targets for attackers wishing to steal personal, account, and financial data from online customers.
“These site skimming attacks will continue to grow in frequency as long as the bad actors of the world can continue to profit from them. This underscores the need for online merchants to ensure their online stores are running under the latest version of available software, which is likely hardened more against this type of attacks than outdated, obsolete software.”
Magecart attack indicators of compromise (IOC)
The threat intelligence firm says that the Magecart attack primarily affected stores running the Magento 1.x branch of the software. The researchers added that the attackers used IP addresses 220.127.116.11 (US) and 18.104.22.168 (OVH, FR) to interact with the Magento admin panel. They also used the “Magento Connect” feature to download and install various files, including a malware payload named “mysql.php.” The file was later automatically deleted after malicious code was added to prototype.js for Magento 1.x and jquery.js for Magento 2.x stores.
The attackers also added a skimmer loader that exfiltrated data from Magento stores to a website on https://imags.pw/502.jsp domain hosted in Moscow. The malicious site shared a network with mcdnn.net, the domain that hosted one of the malicious scripts, according to the Sansec researchers.
Sansec telemetry has identified 1904 Magento stores with keyloggers installed on the checkout pages. Over a period monitored by the firm, 10 Magento stores got infected on Friday, 1058 on Saturday, 603 on Sunday, and 233 on Monday. The pattern of infection shows that the vulnerability might have affected more stores than previously anticipated.