Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Web Skimmer Injected Into Hundreds of Magento-Powered Stores

More than 500 online stores running the Magento 1 eCommerce platform were compromised with a digital skimmer, eCommerce security firm Sansec says.

More than 500 online stores running the Magento 1 eCommerce platform were compromised with a digital skimmer, eCommerce security firm Sansec says.

What made the attack stand out was the clever use of a combination of SQL injection and PHP object injection, which ultimately provided the attackers with control of the Magento store. On all infected websites, the payment skimmer was being loaded from the naturalfreshmall(.)com domain.

The initial intrusion vector was a known vulnerability in the Quickview plugin, which attackers typically use to inject rogue admin users into vulnerable Magento stores.

In this case, however, the weakness was abused to add a validation rule that resulted in a file containing a simple backdoor being added to the database. The validation rules for new customers would then be used to trigger the code execution by simply browsing the Magento sign up page.

According to Sansec, the attackers deployed no less than 19 backdoors on the compromised system, meaning that affected sites need to eliminate all of them to make sure they won’t fall victim to follow-up attacks.

[READ: Target Open Sources Web Skimmer Detection Tool]

Sansec has published a list of files that were found to either be entirely malicious or to contain malicious code, and advises potential victims to run a malware scanner to identify these files and other indicators of compromise.

The eCommerce security firm also points out that the Magento 1 platform has reached End-of-Life and that Adobe no longer provides security updates for it, even if thousands of merchants continue to use it.

Thus, store admins are advised to take all of the necessary measures to ensure the security of their sites, as well as to check any community-provided patches released for Magento 1 (the PHP object injection issue, for example, has a fix).

Related: Skimmer Injected Into 100 Real Estate Websites via Cloud Video Platform

Related: Adobe Warns of Critical Flaws in Magento, Connect

Related: Hundreds of Magento Stores Hacked Daily in Major Skimming Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.