One of the largest known Magecart campaigns to date took place over the weekend, with nearly 2,000 e-commerce sites hacked in an automated campaign that may be linked to a zero-day exploit. The attacks have impacted tens of thousands of customers, who had their credit-card and other information stolen, researchers said.
According to Sansec Threat Intelligence, online stores running Magento versions 1 and 2 are being targeted in a classic Magecart attack pattern, where e-commerce sites are hacked, either via a common vulnerability or stolen credentials. If a compromise is successful, merchant websites are then injected with a web skimmer, which surreptitiously exfiltrates personal and banking information entered by customers during the online checkout process.
The firm’s telemetry picked up “1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page,” the firm said in a posting on Monday. “On Friday, 10 stores got infected, then 1058 on Saturday, 603 on Sunday and 233 today….Most stores were running Magento version 1, which was announced end-of-life last June. However, some stores were running Magento 2.”
In delving into the campaign, Sansec researchers were able to determine that many victimized stores had no prior history of security incidents; and, they speculated that the attacks may be linked to a $5,000 Magento exploit that went up for sale in August in underground forums. The zero-day allows a brand-new avenue to gaining server (write) access to fully patched websites.
“User z3r0day announced on a hacking forum to sell a Magento 1 remote code-execution exploit method, including instruction video, for $5,000,” according to Sansec, who added that the seller pledged to only sell 10 copies of the exploit.
“Allegedly, no prior Magento admin account is required,” the firm noted. “Seller z3r0day stressed that – because Magento 1 is end-of-life – no official patches will be provided by Adobe to fix this bug, which renders this exploit extra-damaging to store owners using the legacy platform.”
Around 95,000 Magento 1 stores are still operating despite the lack of support, the firm added.
Sansec’s forensic investigation showed that on Magento 1 stores, a skimmer was injected into the file “prototype.js,” which is part of a standard Magento installation. For the affected Magento 2 stores, a skimmer was found in a jquery.js file, hidden in the Magento 2 code base. In both cases, the same malware is loaded from a malicious mcdnn.net domain, while the data is exfiltrated to a Moscow-hosted site at https://imags.pw/502.jsp, on the same network as the mcdnn.net domain.
“Attacker(s) used the U.S.-based IP 22.214.171.124 to interact with the Magento admin panel, and used the ‘Magento Connect’ feature to download and install various files, including a malware called mysql.php. This file was automatically deleted after the malicious code was added to prototype.js.”
The web server logs indicate that numerous attempts were made to install files over the weekend, possibly to install improved versions of the skimmer.
“This automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015,” researchers said. “The previous record was 962 hacked stores in a single day in July last year. The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming. Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.”
Researchers recently reported that they have seen an uptick in the number of e-commerce sites that are being attacked by Magecart and related groups, dovetailing with new tactics. Earlier in September, Magecart was seen using the secure messaging service Telegram as a data-exfiltration mechanism.
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.