Connect with us

Hi, what are you looking for?


Application Security

Hacked Magento Sites Steal Card Data, Spread Malware

Cybercriminals are targeting websites running the Magento platform to inject them with code that can steal credit card data and infect visitors with malware, Flashpoint reports.

Cybercriminals are targeting websites running the Magento platform to inject them with code that can steal credit card data and infect visitors with malware, Flashpoint reports.

The open-source platform written in PHP has long stirred threat actors’ interest due to its popularity among online e-commerce sites. According to Flashpoint, members of entry-level and top-tier Deep & Dark Web forums have shown continued interest in the platform since 2016, and also targeted content management systems such as Powerfront CMS and OpenCart.

As part of the newly observed attacks, hackers are attempting to brute-force Magento administration panels. Once they gain access, malware capable of scraping credit card numbers is installed, along with crypto-currency miners.

At least 1,000 Magento admin panels have been compromised, Flashpoint says. The attackers attempt to log in using common and known default Magento credentials, once again proving that changing the credentials upon installation of the platform can prevent compromise.

After gaining control of the site’s Magento CMS admin panel, the attackers have unfettered access to the site and can inject any script they want. In this case, they injected malicious code in the Magento core file to access pages where payment data was processed. Because of that, they could intercept POST requests to the server containing sensitive data and redirect those to the attacker.

The compromised sites also revealed the use of an exploit masquerading as an Adobe Flash Player update. If launched, the fake update would run malicious JavaScript to download data-stealing malware called AZORult from GitHub. The malware then downloads the Rarog cryptocurrency miner.

The accounts hosting the malicious files have been active since 2017 and the security researchers observed that the attackers would update the files daily to avoid detection by signature- and behavior-based tools.

Advertisement. Scroll to continue reading.

Most of the 1,000 compromised panels are in the education and healthcare industries in the United States and Europe. However, the researchers believe that the compromised sites they are aware of might be part of a larger sample of infected Magento panels.

To keep their sites and users protected, Magento admins are advised to review CMS account logins and enforce strong password-hygiene practices to mitigate their exposure to brute-force attacks. They should restrict the recycling of previously used passwords, enable two-factor authentication for sensitive systems and applications, and provide secure password managers to their users.

“The rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords,” Flashpoint notes.

Weak credentials in Internet of Things (IoT) devices have been long said to fuel botnets, but others where a good password hygiene isn’t enforced are as exposed as these devices. Even industrial control system (ICS) products contain default credentials and could be impacted.

Related: Compromised Credentials: The Primary Point of Attack for Data Breaches

Related: Cameras Top Source of IoT Attacks: Kaspersky

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.