Web Skimmer Injected Into Hundreds of Magento-Powered Stores
More than 500 online stores running the Magento 1 eCommerce platform were compromised with a digital skimmer, eCommerce security firm Sansec says.
What made the attack stand out was the clever use of a combination of SQL injection and PHP object injection, which ultimately provided the attackers with control of the Magento store. On all infected websites, the payment skimmer was being loaded from the naturalfreshmall(.)com domain.
The initial intrusion vector was a known vulnerability in the Quickview plugin, which attackers typically use to inject rogue admin users into vulnerable Magento stores.
In this case, however, the weakness was abused to add a validation rule that resulted in a file containing a simple backdoor being added to the database. The validation rules for new customers would then be used to trigger the code execution by simply browsing the Magento sign up page.
According to Sansec, the attackers deployed no less than 19 backdoors on the compromised system, meaning that affected sites need to eliminate all of them to make sure they won’t fall victim to follow-up attacks.
Sansec has published a list of files that were found to either be entirely malicious or to contain malicious code, and advises potential victims to run a malware scanner to identify these files and other indicators of compromise.
The eCommerce security firm also points out that the Magento 1 platform has reached End-of-Life and that Adobe no longer provides security updates for it, even if thousands of merchants continue to use it.
Thus, store admins are advised to take all of the necessary measures to ensure the security of their sites, as well as to check any community-provided patches released for Magento 1 (the PHP object injection issue, for example, has a fix).