
Idiot e-tailers falling for fake patch that exploits year-old Magento hole

Crims lifting customers' credit card records thanks to negligent failure to apply patch

Malware researcher Denis Sinegubko says attackers are compromising online shops that run on eBay's Magento platform and stealing credit cards from them, disguising their malware as an applied patch for a nasty bug in a bid to hide from admins.

The dangerous "shoplift" bug patched last year is a remote code execution hole that turns hackers into store admins. Despite the potential for mayhem, the flaw has not been patched by many users.

Shops can test their exposure through Magento's service.

Sinegubko says the attackers are finding success popping exposed sites that have not found time in the last 12 months to patch.

"While the patch was released February 2015 many sites unfortunately did not update, which gave hackers an opportunity to compromise thousands of Magento powered online stores," Sinegubko says.

"[Hackers could] create admin users within the Magento application [and] afterwards append JavaScript to the files allowing them to strip payment information right from the order forms ... in some instances they would modify a series of PHP files that would disseminate the payment information during the payment processing phase."
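The tampering Sinegubko describes, JavaScript appended to legitimate files and PHP files edited to siphon payment data, is exactly what a file-integrity baseline catches. Below is an added example, not code from the article or from Sinegubko's research: it hashes the PHP and JavaScript files under a store's document root into a manifest taken right after a known-good deploy, then reports files that were added, removed or modified since. The directory layout and file names in the demo are constructed, and the comparison is only as trustworthy as the baseline, which should be stored somewhere the web host cannot write to.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the article says were tampered with: PHP handlers/templates and JavaScript
WATCHED_SUFFIXES = {".php", ".phtml", ".js"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative path -> digest for every watched file under root.
    Take this right after a clean deploy or patch and keep it off the web host."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def compare_manifest(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the baseline. Anything in 'modified' or 'added'
    that no deploy explains needs a look, especially under app/ and skin/."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, then make the kind of change
    the article describes (a PHP file gaining a script block, a new JS file
    appearing) and return what the comparison flags."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app" / "code").mkdir(parents=True)
        (root / "skin").mkdir()
        (root / "media").mkdir()
        checkout = root / "app" / "code" / "Checkout.php"   # constructed name
        checkout.write_text("<?php\nclass Checkout {}\n")
        (root / "skin" / "site.js").write_text("console.log('constructed');\n")
        (root / "media" / "logo.png").write_bytes(b"\x89PNG constructed")  # not watched

        baseline = build_manifest(root)

        # Simulated tampering after the baseline was taken
        with checkout.open("a") as f:
            f.write("<script>/* constructed stand-in for injected code */</script>\n")
        (root / "skin" / "extra.js").write_text("/* constructed */\n")
        (root / "media" / "logo.png").write_bytes(b"changed")  # unwatched, stays silent

        return compare_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run the manifest build from a cron job or deploy hook and alert on any non-empty `added` or `modified` list; a store whose checkout PHP changes outside a release window is the signal the article's victims lacked.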

Even low success rates could yield tidy profits; Magento is the most popular content management system for online shops and the fourth most popular overall.

Sinegubko says attackers are piggybacking on the importance of the update, even borrowing the name of the Magento Core Team to make the 160-line fake patch appear more legitimate.

The malware harvests customer credentials and credit cards using several components, encrypting the data immediately before weaving it into a realistic-looking JPG file.
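Stolen records hidden inside an image file have one reliable tell: the bytes sit after the point where the JPEG ends. The following added example (not from the article or from Sinegubko's research) walks the JPEG marker structure, skipping each segment by its declared length and honouring the FF 00 stuffing and restart-marker rules inside entropy-coded data, so that it finds the real end-of-image marker rather than the first FF D9 it meets (an EXIF thumbnail carries its own EOI, which a naive search would stop at). Files with bytes after EOI, or that are not JPEGs at all despite the extension, are reported. The sample "images" are constructed marker skeletons, not decodable pictures, and the file names are assumed.

```python
from typing import Optional

# Marker codes used by the walker below
SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the real EOI marker, or None if not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        return None
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return None                      # lost sync: expected a marker
        marker = data[i + 1]
        if marker == 0xFF:                   # fill byte before a marker
            i += 1
            continue
        i += 2
        if marker == EOI:
            return i
        if marker in (SOI, TEM) or 0xD0 <= marker <= 0xD7:
            continue                         # standalone markers carry no length
        if i + 2 > n:
            return None
        seg_len = int.from_bytes(data[i:i + 2], "big")
        i += seg_len                         # length includes its own two bytes
        if marker == SOS:
            # Entropy-coded data: FF is followed by 00 (stuffed) or D0-D7
            # (restart); anything else is the next real marker.
            while i + 1 < n:
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                i += 1
    return None


def trailing_bytes(data: bytes) -> Optional[int]:
    """Bytes appended after the image ends; None if the file is not a parseable JPEG."""
    end = jpeg_end_offset(data)
    return None if end is None else len(data) - end


def suspicious_images(files: dict) -> dict:
    """Map file name -> finding for files that warrant a closer look."""
    findings = {}
    for name, blob in files.items():
        extra = trailing_bytes(blob)
        if extra is None:
            findings[name] = "not a valid JPEG despite the extension"
        elif extra > 0:
            findings[name] = f"{extra} bytes appended after EOI"
    return findings


# --- constructed sample data: marker skeletons only, not decodable pictures ---
def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_skeleton_jpeg(entropy: bytes, extra: bytes = b"") -> bytes:
    return (b"\xff\xd8"
            + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + extra
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + entropy + b"\xff\xd9")


# Entropy data containing a stuffed FF 00 and an RST0 marker
ENTROPY = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
# APP1 segment wrapping an embedded thumbnail JPEG that has its own EOI
EXIF_THUMB = _segment(0xE1, b"Exif\x00\x00" + build_skeleton_jpeg(b"\x9a"))

CLEAN = build_skeleton_jpeg(ENTROPY, EXIF_THUMB)
# Constructed stand-in for the encrypted record the article describes (40 bytes)
STASHED = CLEAN + b"constructed-encrypted-blob-" + b"\x00" * 13

SAMPLE_MEDIA = {                             # assumed paths under a store's media dir
    "media/catalog/product/clean.jpg": CLEAN,
    "media/catalog/product/stash.jpg": STASHED,
    "media/catalog/product/notes.jpg": b"<?php /* constructed */",
}

if __name__ == "__main__":
    for name, finding in suspicious_images(SAMPLE_MEDIA).items():
        print(name, "->", finding)
```

Point `suspicious_images` at the contents of the store's media directories and treat any hit as a lead for incident response rather than a verdict: a few trailing bytes can come from a careless image editor, but a large appended blob, or a growing "image" that is rewritten on every checkout, is the stash the article describes.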

"As we can see, the Magento malware ecosystem is maturing and attracting more hackers, and they’re bringing their arsenal of tried and true tricks and methods from WordPress and Joomla! malware with them," he says.

The shoplift bug is the most common vulnerability probe aimed at Magento sites, meaning admins should apply the old patch immediately. Attackers are also running brute force attacks against logins, and attempting to hop across from co-located, vulnerable WordPress sites, according to Sinegubko. ®
