Payment Card Skimming Hits 2,000 E-Commerce Sites
Researchers: Hackers May Have Used Magento Zero-Day Exploit
The hackers may have used a zero-day exploit for Magento that was being sold on a darknet forum, the security firm reports.
Adobe ceased support June 30 for the 12-year-old Magento 1 e-commerce platform that all of the targeted sites were still using. Adobe has urged customers to upgrade to the newer platform, but Sanguine Security's research shows about 95,000 e-commerce sites still rely on the older version.
Sanguine Security spotted 10 infected e-commerce sites on Friday, 1,058 on Saturday, 600 on Sunday and 233 on Monday.
"Tens of thousands" of consumers’ payment card data potentially could have been exposed in this skimmer attack, according to the report.
"This automated campaign is by far the largest one that [Sanguine Security] has identified since it started monitoring in 2015. The previous record was 962 hacked stores in a single day in July last year," according to the report.
Sanguine Security did not notify the affected e-commerce sites, but the security firm says it’s making the complete list of targeted sites available to law enforcement.
"We are aware of a blog post outlining recent security attacks on the Magento 1 platform. As we announced in September 2018, Adobe ended support for Magento 1 - both Magento Open Source and Magento Commerce - effective June 30, 2020. This issue did not impact customers on the latest version of Magento 2," Adobe tells ISMG in an email.
Magento Widely Used
Adobe Magento is one of the world's most widely used e-commerce platforms, with about 250,000 users, according to Adobe's website.
Adobe reported another Magento-related security incident in November 2019.
The company said a vulnerability in the Magento e-commerce marketplace was exploited by an unknown third party to access account information (see: Magento Marketplace Suffers Data Breach, Adobe Warns).
Exploit for Sale
The Sanguine Security researchers note that many of the targeted e-commerce firms had no history of security incidents, indicating the attackers may have exploited a zero-day vulnerability.
"While we are still investigating the exact vector, this campaign may be related to a recent Magento 1 zero-day [exploit] that was put up for sale a few weeks ago," according to the report.
Someone using the online handle "z3r0day" announced on an underground hacking forum that a Magento 1 "remote code execution" exploit, including an instructional video, was available for purchase for $5,000, according to the report.
"Seller z3r0day stressed that - because Magento 1 is end-of-life - no patches will be provided by Adobe to fix this bug, which renders this exploit extra damaging to store owners using the legacy platform," the Sanguine Security report notes.
Sanguine Security researchers describe the targeting of the e-commerce sites as "a typical Magecart attack." Magecart is an umbrella term used to describe groups that inject malicious code to intercept payment information (see: Magecart Group Continues Targeting E-Commerce Sites).
The number of sites that were targeted in a four-day period indicates some form of automation was likely used, the researchers say. Cybercriminals have been increasingly automating their hacking operations to run web skimming schemes, they note.
Sanguine Security says it’s running a forensic investigation on two compromised servers. So far, the company has found "attackers used the IPs 126.96.36.199 (U.S.) and 188.8.131.52 (France) to interact with the Magento admin panel and used the 'Magento Connect' feature to download and install various files, including a malware called mysql.php. This file was automatically deleted after the malicious code was added to prototype.js."
The web server logs identified by the Sanguine Security researchers indicate that several attempts were made to install files over the weekend - possibly to install improved versions of the skimmer, the report notes.
"The actual payments are being exfiltrated to a Moscow-hosted site," according to the report.
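A defender's check for the indicators in the forensic findings above, as an added example that is not part of the original article or Sanguine Security's report: it scans web server access logs for Magento Connect requests from unapproved IPs and for any request to mysql.php, and compares prototype.js against a recorded hash. The /downloader/ path (the Magento 1 default location of Connect), the admin allowlist parameter, and all sample log lines and file contents are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Combined Log Format prefix: ip - - [time] "METHOD path HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
CONNECT_PREFIX = "/downloader/"  # assumption: default Magento Connect Manager path

def scan_access_log(lines, admin_ips=frozenset()):
    """Return {ip: [(time, rule, method, path, status), ...]} for suspicious requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we can parse
        ip, ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        # Connect activity from an address that is not a known administrator
        if path.startswith(CONNECT_PREFIX) and ip not in admin_ips:
            hits[ip].append((ts, "connect-from-unknown-ip", method, path, status))
        # Any request for the dropped file name, wherever it was placed
        if path.rsplit("/", 1)[-1].lower() == "mysql.php":
            hits[ip].append((ts, "mysql.php-request", method, path, status))
    return dict(hits)

def file_changed(content, baseline_sha256):
    """True when file bytes (e.g. prototype.js) no longer match the recorded hash."""
    return hashlib.sha256(content).hexdigest() != baseline_sha256.lower()

# Constructed sample data: documentation-range IPs, invented timestamps.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2021:09:00:00 +0000] "GET /downloader/ HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2021:03:14:07 +0000] "POST /downloader/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2021:03:14:09 +0000] "GET /mysql.php HTTP/1.1" 200 20',
    '192.0.2.44 - - [01/Jan/2021:10:00:00 +0000] "GET /checkout/cart/ HTTP/1.1" 200 4096',
]
CLEAN_JS = b"var Prototype = {};\n"  # stand-in for the vendor's prototype.js
TAMPERED_JS = CLEAN_JS + b"/* appended code */\n"
BASELINE_SHA256 = hashlib.sha256(CLEAN_JS).hexdigest()

if __name__ == "__main__":
    for ip, events in scan_access_log(SAMPLE_LOG, admin_ips={"203.0.113.5"}).items():
        for event in events:
            print(ip, *event)
    print("prototype.js changed:", file_changed(TAMPERED_JS, BASELINE_SHA256))
```

Because the report says mysql.php was deleted after use, the access log and the prototype.js hash comparison are the evidence that remains; a missing mysql.php on disk does not indicate a clean store.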