Analysts have identified the source of a large breach affecting more than 500 Magento 1 e-commerce sites, in which a single domain served a credit card skimmer to all of them. The attack came to light late last month when Sansec’s crawler discovered 374 infections on the same day, all using the same malware.
The threat actors loaded the malware from the domain naturalfreshmall[.]com, which is presently offline, with the aim of stealing credit card data from customers of the targeted online retailers. According to Sansec’s analysis, the attackers exploited a known vulnerability in the Quickview plugin to inject rogue Magento admin users, who could then run code with the highest privileges.
The exploit is carried out by inserting a validation rule into the customer_eav_attribute table. The host application is tricked into creating a malicious object, which is then used to create a basic backdoor (api_1.php). The attack’s ingenious aspect is that the rule is a validation requirement for new customers, which causes the payload to be injected into the sign-up page. In addition to injecting the credit card skimmer, the attackers can use the api_1.php backdoor to execute commands on the remote server, leading to a total site takeover.
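One defensive check that follows from the technique above is to audit the validate_rules column of customer_eav_attribute: legitimate Magento 1 values are PHP-serialized arrays (or NULL), so a serialized object in that column is out of place. The audit below is an added example, not Sansec’s tooling or Magento code; the rows are constructed, the class name is a placeholder, and the column format is assumed to be PHP serialization as used by Magento 1.

```python
import re
from typing import Iterable, List, Optional, Tuple

# A PHP-serialized object starts with O:<len>:"ClassName". Legitimate
# validate_rules values are arrays ("a:...") or NULL, so an object here is
# the tell-tale of the object-injection technique described in the article.
SERIALIZED_OBJECT = re.compile(r'\bO:\d+:"([A-Za-z0-9_\\]+)"')

# Secondary indicators quoted in the report: the backdoor file name and the
# (now offline) loader domain.
KNOWN_IOCS = ("api_1.php", "naturalfreshmall")

Row = Tuple[int, str, Optional[str]]  # (attribute_id, attribute_code, validate_rules)


def audit_validate_rules(rows: Iterable[Row]) -> List[dict]:
    """Return one finding per suspicious customer_eav_attribute row."""
    findings = []
    for attribute_id, attribute_code, rules in rows:
        if rules is None or not str(rules).strip():
            continue  # NULL / empty is the normal state for most attributes
        text = str(rules)
        reasons = []
        match = SERIALIZED_OBJECT.search(text)
        if match:
            reasons.append(f"serialized PHP object of class {match.group(1)}")
        if not (text.startswith("a:") or text.startswith("N;")):
            reasons.append("value is not a serialized array")
        for ioc in KNOWN_IOCS:
            if ioc in text:
                reasons.append(f"contains indicator {ioc!r}")
        if reasons:
            findings.append({"attribute_id": attribute_id,
                             "attribute_code": attribute_code,
                             "reasons": reasons})
    return findings


# Constructed sample rows, not taken from a real compromised database.
# "Constructed_Gadget_Class" is a placeholder, not a real Magento class.
SAMPLE_ROWS: List[Row] = [
    (5, "firstname", 'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'),
    (9, "email", None),
    (12, "taxvat", 'O:24:"Constructed_Gadget_Class":1:{s:4:"path";s:9:"api_1.php";}'),
]

if __name__ == "__main__":
    for finding in audit_validate_rules(SAMPLE_ROWS):
        print(finding)
```

Run it against a dump of `SELECT attribute_id, attribute_code, validate_rules` joined from eav_attribute and customer_eav_attribute; any finding should be reviewed alongside the admin_user table and the webroot for unexpected PHP files.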
In practice, however, the threat actors benefit more from siphoning payment data through MageCart attacks (skimmers), which is why this round of attacks concentrated on exactly that. According to Sansec, in one extreme case the attackers inserted as many as 19 backdoors into a single e-commerce site, either to test which worked best for them or simply for redundancy.
Adobe ended support for the Magento 1 branch of the popular e-commerce platform on June 30, 2020, yet hundreds of sites continue to run the obsolete software. As a result, those sites are exposed to many attacks, putting their customers’ sensitive data at risk. This data usually includes credit card numbers, mailing addresses, names, phone numbers, and email addresses, along with anything else required to complete an online transaction. All Magento administrators should make sure they are on the most recent version of the platform and upgrade if they are running an older, unsupported version.