Magecart Group attacks Magento online stores

Dozens of extensions for the Magento CMS contain vulnerabilities that attackers from the Magecart group use to install online skimmers. Dutch analyst Willem de Groot has found more than twenty plug-ins with unpatched flaws through which cybercriminals steal bank card data from customers of online stores. The expert tried to contact the authors of the affected extensions, but in most cases received no response.

As the expert explained, the attacks use vulnerabilities in the platform that allow PHP injection. The Magento team closed these gaps with the SUPEE-8788 patch back in October 2016. The problem lies in the unserialize() function, which lets an attacker inject third-party PHP code into the running application. The engine's developers replaced it with json_decode(), but the authors of many popular extensions for the CMS have not yet updated their projects.
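The unserialize() to json_decode() change described above, shown as an added example that is not code from the article, from Magento or from any of the affected extensions; the CacheWriter class, the serialized sample strings and the function names are constructed for illustration, and the block assumes PHP 7.3 or later:

```php
<?php
// Added example, not code from the article or from any Magento extension.
// CacheWriter, the serialized strings and the function names are constructed
// for illustration. Requires PHP 7.3+ (JSON_THROW_ON_ERROR).
// A class an extension might use for its own purposes. Any class with a
// magic method (__wakeup, __destruct, __toString) becomes a gadget once
// unserialize() is fed bytes it does not control.
class CacheWriter {
    public $path;
    public $data;
    public function __destruct() {
        // A real extension would write $data to $path here; this version
        // only reports that the side effect would have run.
        echo "side effect: would write to {$this->path}\n";
    }
}

// What the extension expects: a serialized array of checkout options.
$expected = serialize(['product_id' => 42, 'qty' => 1]);

// What a request parameter can carry instead: a serialized object of a
// class the extension never meant to accept (constructed sample).
$hostile = 'O:11:"CacheWriter":2:{s:4:"path";s:13:"/tmp/demo.txt";s:4:"data";s:4:"demo";}';

// Pre-SUPEE-8788 pattern: instantiates whatever class the bytes name.
function vulnerable(string $input) {
    return unserialize($input);
}

// Post-patch pattern: JSON yields only scalars, arrays and stdClass, never
// a caller-chosen class, so no magic method can fire.
function hardened(string $input): array {
    $decoded = json_decode($input, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    return $decoded;
}

// Fallback when the serialize() format cannot be dropped (PHP 7.0+):
// unknown classes come back as inert __PHP_Incomplete_Class objects.
function restricted(string $input) {
    return unserialize($input, ['allowed_classes' => false]);
}
var_dump(vulnerable($expected));           // works as intended
vulnerable($hostile);                      // object built, __destruct fires
var_dump(restricted($hostile));            // __PHP_Incomplete_Class, inert
var_dump(hardened('{"product_id":42,"qty":1}'));
try { hardened($hostile); } catch (JsonException $e) { echo "rejected\n"; }
```

Running the script shows the destructor firing only in the unserialize() path; the json_decode() path rejects the same bytes outright, and the allowed_classes option leaves them inert when the serialize() format must be kept.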

The researcher found that Magecart scans the Internet for sites running vulnerable extensions and compromises them by injecting its code into the checkout process. While an order is being placed, the malicious JavaScript displays a fake window for entering bank card data, which is then forwarded to the intruders. Once the information has been sent, the phishing dialog closes and the user is able to enter their payment details again, this time through the store's legitimate form.

A quick search of the network turned up 27 online stores with compromised payment systems. Willem de Groot also identified 21 plugins that use the unserialize() function and allow the injection of third-party code. Some of them had been abandoned by their authors, and in some cases the developers could not be identified. So far, the creators of only seven of the affected extensions have released patches or promised to do so in the near future.

In September of this year, the Dutch researcher discovered a larger campaign targeting online stores running Magento. As the expert found out, more than 7,000 such sites contained skimmer code stealing bank card data. Unlike the Magecart group, those attackers did not exploit software vulnerabilities but used brute-force attacks to break into the targeted sites. The cybercriminals planted a MagentoCore script on each compromised site.
