Russian hacker selling how-to vid on exploiting unsupported Magento installations to skim credit card details for $5,000

Nearly 2,000 e-commerce shops pwned over weekend so it's time to migrate


Thousands of e-commerce stores built using Magento 1 have been poisoned with malicious code that steals customers' bank card information as they enter their details to order stuff online.

Sansec, a software company focused on these so-called "digital skimming" attacks, discovered that 1,904 cyber-shops had been altered by miscreants over the weekend to include malicious JavaScript that siphoned off folks' card info.

"This automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015," it said in a statement on Monday. "The previous record was 962 hacked stores in a single day in July last year."

The security biz estimated attackers have stolen personal data from "tens of thousands of customers" so far. The intrusions can be traced back to a Magento 1 zero-day exploit being sold by a Russian-speaking hacker going by the name "z3r0day" on a shady online forum.

For $5,000, z3r0day will show you a video on how to exploit a security hole in the web software to inject the digital-skimming code into an e-commerce site's files so that the code is run when a customer goes to a payment page on the hijacked site. No authentication is required. The hacker promised not to sell the exploit to more than 10 people to keep it under wraps and valuable.

Unfortunately, the vulnerability isn't easy to patch as the Adobe-owned Magento has ended support for the software. The best way to avoid such attacks is to migrate to Magento 2, a spokesperson from Sansec told El Reg. "Ideally they should upgrade to Magento 2, but we understand that merchants may need more time. Meanwhile, we recommend having server-side malware monitoring set up and to contract an alternative vendor for critical security patches."
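Sansec's advice boils down to watching the webroot for files that change when nobody deployed anything, and for scripts that were never part of the shop's templates. The example below is an editor-added illustration of that kind of server-side check; it is not Sansec's tooling or Magento code. It snapshots SHA-256 hashes of a webroot, diffs a later snapshot against it, and flags client-side files that load scripts from hosts outside an allowlist or use constructs (eval, atob, String.fromCharCode) that shipped Magento 1 templates rarely contain. The allowlist, paths and file contents are constructed for the demo; a real baseline comes from a known-clean deployment.

```python
"""File-integrity snapshot and injected-script heuristics for a Magento 1 webroot.

Added example, not Sansec's or Magento's own code. Assumes a plain directory
tree and an allowlist of script hosts the shop legitimately uses (constructed).
"""
import hashlib
import os
import re
from typing import Dict, List

# Constructed allowlist: hosts whose <script src="https://..."> tags belong on this shop.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Constructs common in injected skimmers but rare in stock Magento 1 templates.
# Each hit is a prompt for review, not proof of compromise.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\batob\s*\("), "atob()"),
    (re.compile(r"String\.fromCharCode"), "String.fromCharCode"),
    (re.compile(r"\bunescape\s*\("), "unescape()"),
    (re.compile(r"document\.write\s*\("), "document.write()"),
]
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']https?://([^/\"']+)", re.I)
SCAN_SUFFIXES = (".js", ".phtml", ".html")  # files that ship or render client-side code


def hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map relative path -> SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def read_tree(root: str) -> Dict[str, bytes]:
    """Load every regular file under `root`; used on a live server, not in the demo."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two hash maps; added or modified files are where a skimmer would appear."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def script_findings(text: str) -> List[str]:
    """Return human-readable indicators found in one file's text."""
    findings = []
    for host in SCRIPT_SRC.findall(text):
        if host.lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script host: {host}")
    for pattern, label in SUSPICIOUS_PATTERNS:
        if pattern.search(text):
            findings.append(f"suspicious construct: {label}")
    return findings


def scan_tree(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan every client-side file in the tree; returns {path: [indicators]}."""
    report = {}
    for path, data in files.items():
        if path.endswith(SCAN_SUFFIXES):
            hits = script_findings(data.decode("utf-8", errors="replace"))
            if hits:
                report[path] = hits
    return report


# Constructed sample: a known-good snapshot and the same tree after tampering.
ONEPAGE = "app/design/frontend/base/default/template/checkout/onepage.phtml"
BASELINE_FILES = {
    "js/varien/form.js": b"var Form = function(){};\n",
    ONEPAGE: b'<div id="checkout"></div>\n<script src="https://cdn.shop.example/checkout.js"></script>\n',
}
TAMPERED_FILES = dict(BASELINE_FILES)
# Extra script tag appended to the checkout template, loading from an unknown host.
TAMPERED_FILES[ONEPAGE] = BASELINE_FILES[ONEPAGE] + b'<script src="https://collector.invalid/j.js"></script>\n'
# New file with an obfuscation wrapper; the base64 is constructed and decodes to 'constructed'.
TAMPERED_FILES["js/lib/helper.js"] = b"eval(atob('Y29uc3RydWN0ZWQ='));\n"


def run_demo():
    """Diff the constructed snapshots and scan the tampered tree."""
    changes = diff_baseline(hash_tree(BASELINE_FILES), hash_tree(TAMPERED_FILES))
    return changes, scan_tree(TAMPERED_FILES)


if __name__ == "__main__":
    changes, report = run_demo()
    for kind, paths in changes.items():
        for p in paths:
            print(f"{kind:8s} {p}")
    for p, hits in report.items():
        print(f"REVIEW   {p}: {', '.join(hits)}")
```

On a live box you would run `hash_tree(read_tree("/var/www/magento"))` from a clean deployment, store the result off-host, and diff against a fresh snapshot on a schedule; any unexplained change to a `.phtml` or `.js` file, or a script host outside the allowlist, is what to investigate first.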

Techies at Sansec have studied two servers with IP addresses in the US and France that were targeted by crooks armed with z3r0day's exploit. The payment details appear to have been funnelled through to a website hosted in Moscow. "We are not at liberty to disclose affected merchants. However, we have shared all relevant data with law enforcement today," the Sansec spokesperson told us. ®
