More than 500 online stores running the Magento 1 eCommerce platform were compromised with a digital skimmer, eCommerce security firm Sansec says.
What made the attack stand out was the clever use of a combination of SQL injection and PHP object injection, which ultimately provided the attackers with control of the Magento store. On all infected websites, the payment skimmer was being loaded from the naturalfreshmall(.)com domain.
The initial intrusion vector was a known vulnerability in the Quickview plugin, which attackers typically use to inject rogue admin users into vulnerable Magento stores.
In this case, however, the weakness was abused to add a validation rule that resulted in a file containing a simple backdoor being added to the database. The validation rules for new customers would then be used to trigger the code execution by simply browsing the Magento sign up page.
According to Sansec, the attackers deployed no less than 19 backdoors on the compromised system, meaning that affected sites need to eliminate all of them to make sure they won’t fall victim to follow-up attacks.
[READ: Target Open Sources Web Skimmer Detection Tool]
Sansec has published a list of files that were found to either be entirely malicious or to contain malicious code, and advises potential victims to run a malware scanner to identify these files and other indicators of compromise.
The eCommerce security firm also points out that the Magento 1 platform has reached End-of-Life and that Adobe no longer provides security updates for it, even if thousands of merchants continue to use it.
Thus, store admins are advised to take all of the necessary measures to ensure the security of their sites, as well as to check any community-provided patches released for Magento 1 (the PHP object injection issue, for example, has a fix).
Related: Skimmer Injected Into 100 Real Estate Websites via Cloud Video Platform
Related: Adobe Warns of Critical Flaws in Magento, Connect
Related: Hundreds of Magento Stores Hacked Daily in Major Skimming Campaign
More from Ionut Arghire
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
- 500k Impacted by Data Breach at Debt Buyer NCB
- Chinese Cyberspies Use ‘Melofee’ Linux Malware for Stealthy Attacks
- Microsoft Cloud Vulnerability Led to Bing Search Hijacking, Exposure of Office 365 Data
- OpenAI Patches Account Takeover Vulnerabilities in ChatGPT
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
