More than 350 ecommerce sites running Magento 1 were hit with the same strain of MageCart malware the week of Jan. 31, a card skimming attack that exploited a known vulnerability in the Quickview plugin, according to a report from security provider Sansec.
The Quickview vulnerability “is typically abused to inject rogue Magento admin users, in this case the attacker used the flaw to run code directly on the server,” according to Sansec.
A total of 374 ecommerce sites fell victim to a payment skimmer loaded from the domain naturalfreshmall.com. “Attackers used a clever combination of an SQL injection (SQLi) and PHP Object Injection (POI) attack to gain control of the Magento store,” Sansec reported.
The hackers left 19 backdoors on the system, which could be used to regain control over a site if the malicious script was detected and the software updated. “It is essential to eliminate each and every one of them, because leaving one in place means that your system will be hit again next week,” the company advised.
A POI payload was used to trick the host Magento application into crafting a malicious object, which was then inserted by exploiting the validation rules for signing up a new customer. Once the attacker completed the signup, the malicious code was executed.
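As an added example (not code from Sansec's report or from Magento), the following Python helpers illustrate two defender-side checks that follow from the description above: flagging customer-signup fields that carry a serialized PHP object, and flagging storefront HTML that loads a script from the skimmer domain named in the report. The field names and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# A PHP serialized object looks like  O:<len>:"<ClassName>":<n>:{...}
# A customer-signup field (name, address, email) has no legitimate reason
# to contain one, so its presence is a strong PHP Object Injection indicator.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

# Domain the skimmer was loaded from, as named in Sansec's report.
SKIMMER_HOST = "naturalfreshmall.com"


def has_php_object(value: str) -> bool:
    """True if a (possibly URL-encoded) form value carries a serialized PHP object."""
    decoded = unquote_plus(value)
    # Decode a second time to catch double-encoded submissions.
    return bool(PHP_OBJECT_RE.search(decoded) or PHP_OBJECT_RE.search(unquote_plus(decoded)))


def suspicious_signup_fields(form: dict) -> list:
    """Return the names of signup fields that contain a serialized PHP object."""
    return sorted(k for k, v in form.items() if isinstance(v, str) and has_php_object(v))


def loads_skimmer(html: str) -> bool:
    """True if rendered storefront HTML references the skimmer host."""
    return SKIMMER_HOST in html.lower()


# Constructed sample inputs (not taken from the report): a normal registration
# and one whose lastname field smuggles a harmless stdClass object; a clean
# checkout page and one that includes a script from the skimmer domain.
CLEAN_SIGNUP = {"firstname": "Ada", "lastname": "Lovelace", "email": "ada@example.com"}
TAINTED_SIGNUP = {
    "firstname": "Ada",
    "lastname": 'O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7D',
    "email": "ada@example.com",
}
CLEAN_HTML = '<script src="/js/checkout.js"></script>'
SKIMMED_HTML = '<script src="https://NaturalFreshMall.com/checkout.js"></script>'

if __name__ == "__main__":
    print("tainted fields:", suspicious_signup_fields(TAINTED_SIGNUP))
    print("skimmer present:", loads_skimmer(SKIMMED_HTML))
```

In a Magento 1 deployment the first check belongs in front of the customer-account controller (or in a WAF rule), while the second is a periodic external fetch of the checkout page compared against a known-good script list.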
While Magento 1 was retired by parent company Adobe in June 2020 and thus no longer receives updates and security patches, thousands of ecommerce sites still run it. In addition to running malware monitoring, Sansec advised companies to use community-provided open-source patches such as OpenMage or to obtain commercial support via Mage-One.
To learn more about fighting back against account takeover (ATO) threats posed by attacks via the dark web and the large deep web, join us for a free Multichannel Merchant webinar this Thursday, Feb. 17 at 2 p.m. EST. Led by a security professional from Sift, it’s entitled “The Dark Web, Account Takeovers and You.”