Russian hacker selling how-to vid on exploiting unsupported Magento installations to skim credit card details for $5,000

Nearly 2,000 e-commerce shops pwned over weekend so it's time to migrate

18 Reg comments Got Tips?

Thousands of e-commerce stores built using Magento 1 have been poisoned with malicious code that steals customers' bank card information as they enter their details to order stuff online.

Sansec, a software company focused on these so-called "digital skimming" attacks, discovered that 1,904 cyber-shops had been altered by miscreants over the weekend to include malicious JavaScript that siphoned off folks' card info.

"This automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015," it said in a statement on Monday. "The previous record was 962 hacked stores in a single day in July last year."

The security biz estimated attackers have stolen personal data from "tens of thousands customers" so far. The intrusions can be traced back to a Magneto 1 zero-day exploit being sold by a Russian-speaking hacker going by the name "z3r0day" on a shady online forum.

For $5,000, z3r0day will show you a video on how to exploit a security hole in the web software to inject the digital-skimming code into an e-commerce site's files so that the code is run when a customer goes to a payment page on the hijacked site. No authentication is required. The hacker promised not to sell the exploit to more than 10 people to keep it under wraps and valuable.

Unfortunately, the vulnerability isn't easy to patch as the Adobe-owned Magento has ended support for the software. The best way to avoid such attacks is to migrate to Magento 2, a spokesperson from Sansec told El Reg. "Ideally they should upgrade to Magento 2, but we understand that merchants may need more time. Meanwhile, we recommend having server-side malware monitoring set up and to contract an alternative vendor for critical security patches."

Techies at Sansec have studied two servers with IP addresses in the US and France that were targeted by crooks armed with z3r0day's exploit. The payment details appear to have been funnelled through to a website hosted in Moscow. "We are not at liberty to disclose affected merchants. However, we have shared all relevant data with law enforcement today," the Sansec spokesperson told us. ®

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020