Magecart Hackers Now Targeting Vulnerable Magento Extensions
25.10.2018 securityweek Incindent Vulnerebility
After compromising large websites or third-party services they use in order to steal credit card information, the Magecart hackers have now turned to vulnerable Magento extensions.
The hackers only inject their code after thorough reconnaissance, as the code in each attack is specifically tailored for the targeted site and blends in with the rest of the domain’s resources. The code is injected only into specific pages, to remain unnoticed but ensure efficiency.
Active for a couple of years, the hackers have only recently started targeting large platforms, including British Airways, Ticketmaster, Newegg, and cloud service provider Feedify, which has attracted a lot of attention. Last month, the operation hit Shopper Approved.
Now, security researcher Willem de Groot reveals that the attackers have switched to targeting unpublished vulnerabilities in popular store extension software.
Many popular PHP applications continue to use unserialize(), de Groot reveals. While Magento has replaced most of the vulnerable functions, many of its extensions did not.
“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions,” the researcher, who published a list of the impacted extensions, explains.
As soon as the user enters their credit card data and submits it, the fake payment form disappears. The user is likely to try entering their information again, but the fake form is only showed once, because a cookie is set to ensure that. The code, de Groot reveals, uses a two-step payment exfiltration method.