After compromising large websites or third-party services they use in order to steal credit card information, the Magecart hackers have now turned to vulnerable Magento extensions.
As part of the attack, the Magecart threat actors insert a small piece of JavaScript code onto the compromised website to steal all of the credit card and associated information that users enter there.
The hackers only inject their code after thorough reconnaissance, as the code in each attack is specifically tailored for the targeted site and blends in with the rest of the domain’s resources. The code is injected only into specific pages, to remain unnoticed but ensure efficiency.
Active for a couple of years, the hackers have only recently started targeting large platforms, including British Airways, Ticketmaster, Newegg, and cloud service provider Feedify, which has attracted a lot of attention. Last month, the operation hit Shopper Approved.
Now, security researcher Willem de Groot reveals that the attackers have switched to targeting unpublished vulnerabilities in popular store extension software.
The hackers seek to compromise websites through PHP Object Injection (POI) by abusing PHP’s unserialize() function. This provides them with the ability to modify the database or any JavaScript file, the researcher says.
Many popular PHP applications continue to use unserialize(), de Groot reveals. While Magento has replaced most of the vulnerable functions, many of its extensions did not.
“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions,” the researcher, who published a list of the impacted extensions, explains.
Once a probe is successful, the malicious actors return to the impacted website and insert a JavaScript payment overlay customized for that site. The attack works on sites that have external or no credit card payments, because it inserts a fake credit card payment section.
As soon as the user enters their credit card data and submits it, the fake payment form disappears. The user is likely to try entering their information again, but the fake form is only showed once, because a cookie is set to ensure that. The code, de Groot reveals, uses a two-step payment exfiltration method.
