This article is more than 1 year old

Badmins: Magento shops brute-forced to scrape card deets and install cryptominers

Change your passw... ugh, what's the point?

Hackers have compromised hundreds of e-commerce sites running the popular open-source Magento platform to scrape credit card numbers and install crypto-mining malware.

The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials, threat intel firm Flashpoint has warned.

Image by LuckyN

Two years on, thousands of unpatched Magento shops still being carded


Flashpoint said it was aware of at least 1,000 compromised Magento admin panels. Attackers are also targeting other popular e-commerce-processing content management systems such as Powerfront CMS and OpenCarts.

Dark web forum chatter on how to launch the assaults has been ongoing since 2016.

Hacking insecure e-commerce sites has been turned into a cottage industry by black hats and dumbed down to suit the technically unskilled, Flashpoint noted.

"Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels."

Once a hacker has control of the site's Magento CMS admin panel, they can add any script they choose.

In one example tracked by Flashpoint, hackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.

The same techniques are also being used in attacks geared towards slinging the Rarog cryptocurrency miner.

Magento logo

If you're one of millions using Magento – stop whatever you're doing and patch now


Most of the victims among the 1,000 compromised panels belong to firms in the education and healthcare industries, largely in the US and Europe.

Flashpoint is working with law enforcement to notify victims of breaches. The sites so far detected probably represent only a sliver of the total compromised, many of which have been hacked by making basic security mistakes.

Magento admins are advised to review CMS account logins and mitigate their exposure to brute-force attacks by getting rid of weak passwords and enforcing two-factor authentication.

"Not changing the default credentials of a website CMS is like leaving the key on the outside of your front door," commented Martijn Grooten‏, editor of industry journal Virus Bulletin and some-time security researcher. ®

More about


Send us news

Other stories you might like