Application Security , Cybercrime , Cybercrime as-a-service

Massive Breach Hits 500 E-Commerce Sites

Hackers Targeted E-Commerce Sites Running on Magento 1
Massive Breach Hits 500 E-Commerce Sites
Code is run directly on the server to steal payment data.

Researchers have detected a massive breach of more than 500 stores using the Magento 1 e-commerce platform

See Also: The State of Organizations' Security Posture as of Q1 2018

"All stores were victims of a payment skimmer loaded from the domain. We invited victims to reach out to us, so we could find a common point of entry and protect other merchants against a potential new attack," researchers at Dutch security firm Sansec say.

Once the investigation was concluded, the researchers identified that the attackers used a combination of an SQL injection and PHP Object Injection attack to gain control of the Magento store.

All of the targeted sites were still using the 12-year-old Magento 1 e-commerce platform, which Adobe stopped supporting on June 30, 2020. Adobe has urged customers to upgrade to the newer platform but according to previous research by Sansec, about 95,000 e-commerce sites still rely on the older version.

In May 2021, researchers at Malwarebytes Labs' Threat Intelligence Team found that Magecart Group 12, which is known for skimming payment cards from e-commerce websites using JavaScript skimmers, is using an updated attack technique to gain remote administrative access to sites that run an older version of Adobe's Magento software (see: Magecart Skimming Tactics Evolve).

In previously reported Magecart-style attacks, a malicious skimming script was injected into payment checkout pages, and credit card and personal information was skimmed off and sent to a remote server, according to analysis by security firm Trend Micro.

In September 2020, Sanguine Security researchers warned that about 2,000 sites that used the 12-year-old Magento 1 e-commerce platform had been targeted by JavaScript skimmers designed to steal payment card data during the online checkout process (see: Payment Card Skimming Hits 2,000 E-Commerce Sites).

Kunal Modasiya, senior director of product management at PerimeterX, says Magecart attackers are always looking for ways to avoid detection in their quest to steal the credit card information of customers. In this attack, 500 stores were the victim of a payment card skimmer loaded onto the domain.

Attack Details

Researchers at Sansec say that the attackers abused a known leak in the Quickview plug-in that allows customers to conveniently view products in a Quick View pop-up without leaving the current page.

While this is often abused to inject rogue Magento admin users, the researchers say that in this case, the attackers used this flaw to run code directly on the server.

"First, the attacker abused Quickview to add a validation rule to the customer_eav_attribute table, then the added validation rule is (the result of UNHEX()), which performs the opposite operation of HEX(). This POI payload is used to trick the host application into crafting a malicious object. In this case, Zend_Memory_Manager and Zend_CodeGenerator_Php_File are used to create a file called api_1.php with a simple backdoor," the Sansec researchers say.

But adding it to the database will not run the code. Magento actually needs to unserialize the data, which the researchers say is a "clever" act because by "using the validation rules for new customers, the attacker can trigger an unserialize by simply browsing the Magento sign up page."

This step helps an attacker to run any PHP code via the api_1.php backdoor. In this case, the researchers found that the attacker had left no less than 19 backdoors on the system.

"It is essential to eliminate each and every one of them because leaving one in place means that your system will be hit again next week. The actual payment interception code was added to the core_config_data table in the design/footer/absolute_footer section," the researchers say.

They share a list of files that were either entirely malicious or are part of the Magento code but had malicious code added to them and recommend running a malware scanner because a user system could have similar or entirely different backdoors.

Isolate, Remove, Block

"Given the continued issues with outdated versions of the Magento platform, it is critical that e-commerce companies get real-time alert notifications for the payment card data leak. They should also quickly isolate any third-party library changes that have caused the incident and quickly mitigate the risk by removing or updating the third-party library and blocking the PCI incident to prevent further PCI data leaks," Modasiya says.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.