2000 Magento Stores Hacked In The Largest Magecart Campaign


21 Sep 2020

Not to Say We Told You So… 2000 Magento Stores Hacked In The Largest-Ever Magecart Campaign

Sites still using the Magento 1 platform just got a serious wake-up call.

Sansec recently reported that hundreds of Magento stores were hacked last weekend. Sansec's early breach detection system, which monitors the e-commerce space for security threats, detected 1904 Magento stores with a keylogger (skimmer) on their checkout pages.

The attackers targeted the stores with a Magecart skimmer to steal customers' card details. It’s estimated that the private info of tens of thousands of customers was stolen via one of the compromised stores.

Cause of Attack?

This automated campaign is the largest Magecart attack since Sansec started monitoring in 2015. It was a typical Magecart attack, in which injected malicious code intercepts and logs the payment information of store customers. From 10 infected stores, the trouble spread faster than a California wildfire.

Sansec found the following data during its monitoring phase:

  • 10 stores got infected on Friday (11th September)
  • 1058 on Saturday (12th September)
  • 602 on Sunday (13th September), and
  • 233 on Monday (14th September).

The massive scope of this hack shows the increased finesse and profitability of web skimming. More criminals are automating their operations to push web skimming schemes onto as many stores as possible.

No History of Breaches

According to Sansec, many of the victimized stores didn’t have any history of security incidents, which suggests that a new method of attack was used to gain server (write) access to all these compromised stores.

The inspected stores were found running Magento version 1, which reached its End-of-Life on June 30, 2020. It didn’t take long for the Black Hats to sneak into sites that left the doors unlocked.

Magento 1 Zero-day Vulnerability

While Sansec is still investigating the exact vector, the campaign may be related to a recent Magento 1 zero-day exploit that was put up for sale a few weeks ago on a hacking forum. A user going by the name “z3r0day” offered a Magento 1 “remote code execution” exploit method with an instruction video for $5,000.

To sweeten the deal, he pledged to sell only 10 copies of the exploit and also stated that no admin rights are required to inject this code in the JS file! Hey, he was only looking to make $50k to let hackers rob customers blind.

Nice guy, right?

What made Magento Stores Vulnerable?

The inspection by Sansec reveals that the hacked stores were still operating on Magento version 1. Magento ended support for the Magento 1.x platform on June 30, 2020; no bug fixes or security patches have been released since.

Customers Had an Early Heads-Up…Really Early

After the release of Magento 2 in November 2015, Magento committed to supporting Magento 1.x store owners for 36 months and then extended it to 55 months. Magento urged merchants to migrate to the Magento 2 platform before the end of support.

Visa and PayPal also warned Magento 1 stores to migrate to Magento 2 or any other e-commerce platform before Magento cut off any security patches or bug fixes.

It’s high time for merchants running their e-commerce stores on the Magento 1.x platform to make the switch. Don’t join the list of stores that leave their customers open to fraud! Migrate your Magento store before it’s compromised.

Mike Patel
