Over 2000 Magento Online Stores were Hacked

Over 2,000 Magento stores were compromised over the weekend. The private information of thousands of customers has been hacked in the largest automated campaign to date.

Dubbed “CardBleed”, it was a typical Magecart attack: injected malicious code would intercept the payment information of unsuspected store customers.

According to Sansec, on Friday, 10 stores got infected, then 1058 on Saturday, 603 on Sunday, and 233 more on Monday.

The previous record was 962 hacked stores in a single day in July last year. Sansec estimates that tens of thousands of customers had their private information stolen over the weekend via one of the compromised stores.

z3r0day Exploit

Not all compromised stores have been part of earlier Magecart attacks, where hackers used a new method to gain the server access of all the stores. Sancec still investigating the exact vector, this campaign may be related to a recent Magento 1 0day (exploit) that was put up for sale a few weeks ago.

“User z3r0day announced on a hacking forum to sell a Magento 1 ‘remote code execution’ exploit method, including instructional video, for $5,000,” Sansec wrote. “Allegedly, no prior Magento admin account is required. Seller z3r0day stressed that – because Magento 1 is End-Of-Life – no official patches will be provided by Adobe to fix this bug, which renders this exploit extra damaging to store owners using the legacy platform.”

In an update to the blog post Sansec said the attackers “used the IPs 92.242.62.210 (US) and 91.121.94.121 (OVH, FR) to interact with the Magento admin panel and used the “Magento Connect” feature to download and install various files, including a malware called mysql.php.” The file was then automatically deleted once the malicious code had been added to prototype.js.

The web server logs indicated that numerous attempts were made to install files over the weekend, possibly to install improved versions of the skimmer.

A skimmer loader was then added to prototype.js with payments “exfiltrated to a Moscow-hosted site at https://imags.pw/502.jsp, on the same network as the mcdnn.net domain,” the researchers wrote.