More than 6,000 online stores running eBay's Magento platform have been hacked with credit cards stolen under a campaign that could span almost two years, Germany's Federal Office for Information Security says.
Attackers are injecting carding malware on unpatched Magento shops, which steals payment information during transactions.
The Office does not know how many cards have been compromised in the attacks, but says 1,000 of the affected stores are in Germany.
It first noticed and began warning shops of the attacks in September, but said many appear to have done nothing to fix the problem, or have been re-infected.
Dutch developer and hacker Willem de Groot first reported carding attacks against unpatched Magento shops in October, saying at the time that attackers had compromised some 6,000 sites spanning 18 months.
It is not confirmed that the latest attacks are from the same actor groups, but it is likely to be linked. Criminals will often cash in on compromising known-vulnerable systems once attack campaigns are made public, such as the current boom in MongoDB ransom breaches.
The US National Republican Senatorial Committee was then the most high-profile scalp in the campaign, which shipped cards to Russian IP addresses. De Groot estimated some 21,000 credit cards were stolen at the time.
The German agency today tried again to warn shop operators they had been compromised.
"Unfortunately, there are still indicators that many operators have been negligent in securing their online stores," BSI president Arne Schönbohm says [German].
"A variety of shops are running outdated software versions which contain several known vulnerabilities. Operators must fulfill their customer responsibilities and ensure their services are fixed quickly and consistently."
Schönbohm says shops have an obligation to pursue good security should they wish to continue to operate.
He pointed Magento operators to de Groot's free vulnerability scanning service. ®