Magento online stores hacked in biggest campaign ever

More than 2,000 Magento online stores were hacked over the weekend, in what security researchers described as “the biggest campaign ever”.

The attack was a typical Magecart scheme: hackers broke into the sites and planted malicious scripts inside each store’s source code, scripts that logged the payment card details shoppers entered into checkout forms.
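As an added, defender-side example (not code from the article or from Sansec): a small Python check that diffs the script tags of a checkout page against an approved baseline and flags any new inline script that touches card fields, which is the footprint of the skimmer injection described above. The Magento 1 field names in the pattern and the two sample pages are constructed assumptions.

```python
import hashlib
import re
from html.parser import HTMLParser

# Magento 1 checkout field names (assumption: adjust to the store's own form).
PAYMENT_FIELD_RE = re.compile(r"cc_number|cc_cid|cc_exp_month|cc_exp_year", re.I)

class _ScriptCollector(HTMLParser):
    """Collects every <script> on a page as (src attribute, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf, self._src, self._in = [], [], None, False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in, self._src, self._buf = True, dict(attrs).get("src"), []

    def handle_data(self, data):
        if self._in:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._in = False

def fingerprints(html):
    """One stable id per script: its src URL, or a hash of its inline body."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return [("src:" + src, "") if src else
            ("inline:" + hashlib.sha256(body.encode()).hexdigest(), body)
            for src, body in p.scripts]

def find_unexpected_scripts(baseline_html, current_html):
    """Scripts the approved baseline lacks, as (fingerprint, touches_payment_fields);
    a new inline script reading card fields is the classic skimmer footprint."""
    known = {fp for fp, _ in fingerprints(baseline_html)}
    return [(fp, bool(PAYMENT_FIELD_RE.search(body)))
            for fp, body in fingerprints(current_html) if fp not in known]

# Constructed sample pages (not taken from any real store).
CLEAN_HTML = """<html><head><script src="/js/varien/form.js"></script></head>
<body><form id="co-payment-form"><input name="payment[cc_number]"></form>
<script>var checkout = new Checkout('/checkout/onepage/');</script></body></html>"""
SKIMMED_HTML = CLEAN_HTML.replace(
    "</body>", "<script>/* stand-in for an injected skimmer */"
    "var n = document.getElementsByName('payment[cc_number]');</script></body>")
```

Run the check against a snapshot taken when the checkout page was last reviewed; any new `inline:` hit that touches payment fields deserves immediate attention.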

“10 stores were infected on Friday, then 1,058 on Saturday, 603 on Sunday, and 233 today,” said Willem de Groot, founder of Sansec, a Dutch cyber-security firm that specializes in tracking Magecart attacks.

“This automated campaign is the largest Sansec has identified since it started monitoring in 2015,” de Groot said. “The previous record was 962 hacked stores in one day in July last year.”

Most stores were running the EOL version

Sansec said that most of the compromised sites were running version 1.x of the Magento online store software.

This Magento version reached end-of-life (EOL) on 30 June 2020 and no longer receives security updates.

Ironically, attacks against sites still running the outdated Magento 1.x software had been feared since last year, when Adobe, which owns Magento, issued its first alert in November 2019 urging store owners to upgrade to the 2.x branch.

Adobe’s early warning about imminent attacks on Magento 1.x stores was later echoed in a similar security advisory issued by MasterCard and Visa in the spring.

In our coverage of the MasterCard and Visa alert, several experts in the web security community told this reporter that it had been a while since any new Magento 1.x vulnerabilities had surfaced, which was odd, as the 1.x branch was older and loaded with security holes.

At the time, those security experts believed that hackers were intentionally sitting on their Magento 1.x exploits and waiting for the EOL date to arrive, to ensure that Adobe would not patch their bugs.

It seems that those experts were right.

Although de Groot has not yet identified how the hackers broke into the targeted sites over the weekend, the Sansec founder said that an advertisement for a Magento 1.x zero-day vulnerability was posted on underground hacking forums last month, confirming that hackers were gearing up for the EOL date.

In the advertisement, a user going by the name z3r0day offered a remote code execution (RCE) exploit for sale for $5,000, an offer that was considered credible at the time.


Image: Sansec

The good news is that since November 2019, when Adobe began urging Magento store owners to migrate to the new branch, the number of Magento 1.x stores has fallen from 240,000 to 110,000 in June 2020 and to 95,000 today.

The pace is slow, but most of the shops that have not been updated are believed to be abandoned and to receive very little user traffic. However, some highly trafficked sites are still running the 1.x branch and rely on web application firewalls (WAFs) to block attacks.

This is a risky strategy that, while it may be PCI compliant, may not be a smart decision in the long run.

In related news, Adobe also announced last week that it is partnering with Sansec to integrate a database of over 9,000 Magento malware signatures into the Magento backend security scan tool.