Security Experts:

Connect with us

Hi, what are you looking for?



Magecart Hackers Now Targeting Vulnerable Magento Extensions

After compromising large websites or third-party services they use in order to steal credit card information, the Magecart hackers have now turned to vulnerable Magento extensions.

After compromising large websites or third-party services they use in order to steal credit card information, the Magecart hackers have now turned to vulnerable Magento extensions.

As part of the attack, the Magecart threat actors insert a small piece of JavaScript code onto the compromised website to steal all of the credit card and associated information that users enter there.

The hackers only inject their code after thorough reconnaissance, as the code in each attack is specifically tailored for the targeted site and blends in with the rest of the domain’s resources. The code is injected only into specific pages, to remain unnoticed but ensure efficiency.

Active for a couple of years, the hackers have only recently started targeting large platforms, including British Airways, Ticketmaster, Newegg, and cloud service provider Feedify, which has attracted a lot of attention. Last month, the operation hit Shopper Approved.

Now, security researcher Willem de Groot reveals that the attackers have switched to targeting unpublished vulnerabilities in popular store extension software.

The hackers seek to compromise websites through PHP Object Injection (POI) by abusing PHP’s unserialize() function. This provides them with the ability to modify the database or any JavaScript file, the researcher says.

Many popular PHP applications continue to use unserialize(), de Groot reveals. While Magento has replaced most of the vulnerable functions, many of its extensions did not.

“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions,” the researcher, who published a list of the impacted extensions, explains.

Once a probe is successful, the malicious actors return to the impacted website and insert a JavaScript payment overlay customized for that site. The attack works on sites that have external or no credit card payments, because it inserts a fake credit card payment section.

As soon as the user enters their credit card data and submits it, the fake payment form disappears. The user is likely to try entering their information again, but the fake form is only showed once, because a cookie is set to ensure that. The code, de Groot reveals, uses a two-step payment exfiltration method.

Related: Magecart Attack Hits ‘Shopper Approved’

Related: Card Data-Scraping Magecart Code Found on Newegg

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...