Malware researcher Denis Sinegubko says attackers are compromising and stealing credit cards from online shops that run on eBay's Magento platform by masquerading as an applied patch for a nasty bug in a bid to hide from admins.
The dangerous "shoplift" bug patched last year is a remote code execution hole that turns hackers into store admins. Despite the potential for mayhem, the flaw has not been patched by many users.
Shops can test their exposure through Magento's service.
Sinegubko says the attackers are finding success popping exposed sites that have not found time in the last 12 months to patch.
"While the patch was released February 2015 many sites unfortunately did not update, which gave hackers an opportunity to compromise thousands of Magento powered online stores," Sinegubko says.
Even low success rates could yield tidy profits; Magento is the most popular content management system for online shops and the fourth most popular overall.
Sinegubko says attackers are piggybacking on the importance of the update, even borrowing the name of the Magento Core Team to make its 160 lines of fake patch code appear more legitimate.
The malware will harvest customer credentials and credit cards using different components, encrypting the data immediately before it is woven into a realistic-looking jpg.
"As we can see, the Magento malware ecosystem is maturing and attracting more hackers, and they’re bringing their arsenal of tried and true tricks and methods from WordPress and Joomla! malware with them," he says.
The shoplift bug is the most common vulnerability probe Magento sites are experiencing, meaning admins should apply the old patch immediately. Attackers are also running brute force attacks against logins, and attempting to hop across co-located and vulnerable WordPress sites, according to Sinegubko. ®