Idiot e-tailers falling for fake patch that exploits year-old Magento hole

Crims lifting customers' credit card records thanks to negligent failure to apply patch

Malware researcher Denis Sinegubko says attackers are compromising online shops that run on eBay's Magento platform and stealing credit cards from them, disguising their malware as an applied patch for a nasty bug in a bid to hide from admins.

The dangerous "shoplift" bug patched last year is a remote code execution hole that turns hackers into store admins. Despite the potential for mayhem, the flaw has not been patched by many users.

Shops can test their exposure through Magento's service.

Sinegubko says the attackers are finding success popping exposed sites that have not found time in the last 12 months to patch.

"While the patch was released February 2015 many sites unfortunately did not update, which gave hackers an opportunity to compromise thousands of Magento powered online stores," Sinegubko says.

"[Hackers could] create admin users within the Magento application [and] afterwards append JavaScript to the files allowing them to strip payment information right from the order forms ... in some instances they would modify a series of PHP files that would disseminate the payment information during the payment processing phase."

Even low success rates could yield tidy profits; Magento is the most popular content management system for online shops and the fourth most popular overall.

Sinegubko says attackers are piggybacking on the importance of the update, even borrowing the name of the Magento Core Team to make their 160 lines of fake patch code appear more legitimate.

The malware will harvest customer credentials and credit cards using different components, encrypting the data immediately before it is woven into a realistic-looking jpg.

"As we can see, the Magento malware ecosystem is maturing and attracting more hackers, and they’re bringing their arsenal of tried and true tricks and methods from WordPress and Joomla! malware with them," he says.

The shoplift bug is the most common vulnerability probe Magento sites are experiencing, meaning admins should apply the old patch immediately. Attackers are also running brute force attacks against logins, and attempting to hop across co-located and vulnerable WordPress sites, according to Sinegubko. ®

 
