Magecart Cybergang Targets 0days in Third-Party Magento Extensions

Over two dozen third-party e-commerce extensions contain zero-day vulnerabilities being exploited in a recent Magecart campaign.

The Magecart gang has shifted tactics and is now targeting roughly two dozen unpatched vulnerabilities in third-party extensions for the Magento e-commerce platform.

Previously, Magecart had focused on the Magento core itself, compromising e-commerce sites with techniques such as brute-forcing passwords on front-end systems. Now the attackers have turned to PHP vulnerabilities in external components developed by third parties for the platform, according to independent security consultant Willem de Groot.

“Magento itself is quite secure,” said de Groot in an interview with Threatpost. “The platform has proper security, with release management and a bug-bounty program. But, a system is only as secure as its weakest link. And all the extra software components people install with their Magento-powered stores are the weakest link.”

In his analysis of Magecart, posted Tuesday, de Groot found that the group is still using the same tried-and-true PHP Object Injection (POI) technique it has used to compromise other e-commerce sites and the WordPress, Joomla and Drupal content management systems.

“It appears that Magento has amassed a large number of extensions, and Magecart has found numerous POI vulnerabilities inside of them,” he said. Magecart has not only been observed probing massive numbers of Magento stores for vulnerable extensions, but has also used them to breach a handful of sites, de Groot added.

“This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any JavaScript files. As of today, many popular PHP applications still use unserialize(). Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not,” de Groot wrote.
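The unserialize() mechanism de Groot describes, shown as an added example that is not code from the article, from Magento or from any real extension: a gadget class whose destructor has a side effect, the vulnerable deserialization of attacker-controlled input, and the two fixes (restricting allowed classes, and storing the data as JSON as patch 8788 did). The CacheWriter class, the loadState* function names, the cookie parameter and the temp-file path are assumptions made for the illustration.

```php
<?php
// Added example, not code from the article or from any Magento extension.
// Shows the PHP Object Injection (POI) pattern behind unserialize() abuse
// and two fixes: restricting allowed classes, and switching to JSON.

// Assumed "gadget" class: something an extension might legitimately ship
// whose __destruct() has a side effect. PHP runs it whenever an instance is
// torn down, including an instance the attacker created via unserialize().
class CacheWriter
{
    public $path;
    public $content;

    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// VULNERABLE: the class named inside the payload is instantiated, so the
// attacker chooses which gadget runs. ($cookie is an assumed parameter name.)
function loadStateVulnerable(string $cookie)
{
    return unserialize(base64_decode($cookie));
}

// HARDENED 1: allowed_classes => false (PHP 7.0+) turns every object in the
// payload into __PHP_Incomplete_Class, whose magic methods never fire.
function loadStateAllowedClasses(string $cookie)
{
    return unserialize(base64_decode($cookie), ['allowed_classes' => false]);
}

// HARDENED 2, the route Magento took in patch 8788: store plain data as JSON.
// json_decode() only ever yields scalars, arrays and stdClass, so there is
// no class to instantiate and no magic method to reach.
function loadStateJson(string $cookie): ?array
{
    $data = json_decode(base64_decode($cookie), true);
    return is_array($data) ? $data : null;
}

// Constructed attack payload: a serialised CacheWriter whose destructor
// writes a file of the attacker's choosing. In a real campaign the target
// would be a JavaScript file served to checkout pages.
$path    = sys_get_temp_dir() . '/poi_demo.txt';
$content = "/* attacker-controlled content */";
$payload = base64_encode(sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
    strlen($path), $path, strlen($content), $content
));

loadStateVulnerable($payload);       // object built, then destroyed: file written
echo file_exists($path) ? "vulnerable: {$path} written\n" : "no write\n";
@unlink($path);

$obj = loadStateAllowedClasses($payload);
echo get_class($obj), "\n";          // __PHP_Incomplete_Class, no side effect
var_dump(file_exists($path));        // bool(false)

var_dump(loadStateJson($payload));   // NULL: not JSON, rejected outright
var_dump(loadStateJson(base64_encode('{"cart":[1,2]}'))); // array(1) { ... }
```

The point of the gadget is that the vulnerable code never calls CacheWriter itself; PHP calls its destructor on the attacker's behalf because the payload named the class. Restricting allowed_classes stops that for a single call site, but every unserialize() on untrusted input in every installed extension is a separate call site, which is why the JSON route removes the whole class of bug rather than one instance.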

In all, the researcher identified over two dozen extensions with unpatched POI vulnerabilities. “It’s up to the individual developers of these extensions to patch the vulnerabilities. Unfortunately, most of the websites using these extensions have no idea they have a vulnerability,” he said.

One affected vendor is Aheadworks, whose extensions Magento merchants use for a variety of e-commerce functions, such as customer loyalty programs and coupon codes. According to the developer, Aheadworks products have been installed 250,000 times by more than 50,000 merchants. Aheadworks is releasing a patch for its extensions on Thursday, according to de Groot.

Magecart, in operation since 2015, has been blamed for an array of recent breaches, including high-profile attacks against the Ticketmaster and British Airways websites. Earlier this month, Magecart was blamed in an attack on Shopper Approved – a piece of third-party software that provides rating seals for online stores.

While the Magento platform was not used in the Shopper Approved compromise, the attack was similar in nature to those identified by de Groot. Magecart attackers used weaknesses in the third-party Shopper Approved software to install digital card skimmers on multiple online stores. In those instances, scripts were injected into websites and used to steal PII and financial data entered into online payment forms.

“It takes an extremely large amount of effort to compromise one e-commerce site,” de Groot said to Threatpost. “If they can find a vulnerability in just one of the Magento extensions, an attacker would be able to compromise a multitude of sites, or any site that uses the same extension.”

The researcher advises administrators of any of the vulnerable Magento extensions to disable them quickly and to “search your logs for unauthorized activity.”
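One way to act on that advice against the POI probes described above, as an added example that is not the article's or de Groot's tooling: scan web-server access-log lines for the `O:<len>:"<Class>":<n>:{` prefix of a serialised PHP object in a request parameter, whether sent raw, URL-encoded or base64-wrapped. The log lines, the /index.php/ext/ajax/load path, the `data` parameter and the CacheWriter class name are constructed for the example.

```php
<?php
// Added example, not from the article: flag access-log lines whose request
// parameters carry a serialised PHP object, the on-the-wire shape of a POI
// probe against an extension. Log lines and paths are constructed.

// Constructed sample log (Apache/nginx combined-style request lines).
function sampleLog(): array
{
    return [
        '203.0.113.5 - - [16/Oct/2018:10:01:02 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5120',
        '203.0.113.9 - - [16/Oct/2018:10:01:07 +0000] "GET /index.php/ext/ajax/load?data=O%3A11%3A%22CacheWriter%22%3A2%3A%7Bs%3A4%3A%22path%22%3B HTTP/1.1" 200 311',
        '198.51.100.2 - - [16/Oct/2018:10:02:00 +0000] "POST /checkout/cart/add HTTP/1.1" 302 0',
        '198.51.100.7 - - [16/Oct/2018:10:03:41 +0000] "GET /index.php/ext/ajax/load?data='
            . base64_encode('O:11:"CacheWriter":2:{s:4:"path";') . ' HTTP/1.1" 200 311',
    ];
}

// A serialised object begins O:<len>:"<ClassName>":<count>:{ ; class names
// may contain namespace backslashes.
const SERIALIZED_OBJECT = '/O:\d+:"([A-Za-z0-9_\\\\]+)":\d+:\{/';

// Candidate decodings of one parameter value: as received (parse_str has
// already URL-decoded it) and, if it is valid base64, the decoded bytes.
function decodings(string $value): array
{
    $out = [$value];
    $b64 = base64_decode($value, true);   // strict: false unless valid base64
    if ($b64 !== false) {
        $out[] = $b64;
    }
    return $out;
}

// Returns one hit per offending parameter: which parameter, which class the
// payload names, and the full log line for follow-up.
function findPoiProbes(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY) ?? '';
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (!is_string($value)) {
                continue;
            }
            foreach (decodings($value) as $candidate) {
                if (preg_match(SERIALIZED_OBJECT, $candidate, $o)) {
                    $hits[] = ['param' => $name, 'class' => $o[1], 'line' => $line];
                    break;
                }
            }
        }
    }
    return $hits;
}

foreach (findPoiProbes(sampleLog()) as $hit) {
    printf("POI probe via parameter '%s' naming class %s\n  %s\n",
        $hit['param'], $hit['class'], $hit['line']);
}
// Flags the two /index.php/ext/ajax/load requests (raw and base64 forms);
// the product view and cart POST are left alone.
```

Access logs only show query strings, so this catches GET probes; POST bodies and cookies, which are the more common carriers for a deserialization payload, need the application's own request logging or a WAF log to apply the same pattern. Any hit that names a class from an installed extension is worth treating as an attempted exploitation of that extension, not just a scan.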
