Thousands of Magento stores hacked in a few days in largest-ever skimming campaign

Thousands of Magento online stores have been hacked over the past few days as part of the largest ever skimming campaign.

Security experts from cybersecurity firm Sansec reported that nearly 2,000 Magento online stores have been hacked over the past few days as part of the largest ever Magecart-style campaign. Most of the hacked sites were running Magento 1 version, but in some cases, the compromised stores were running Magento 2. Sansec researchers confirmed that this is the largest automated campaign they have observed to date since 2015

Experts reported that threat actors compromised over 1,000 stores on Saturday, other 600 on Sunday, and over 200 on Monday.

“Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the largest automated campaign to date. It was a typical Magecart attack: injected malicious code would intercept the payment information of unsuspected store customers.” read the analysis published by the researchers. “Inspected stores were found running Magento version 1, which was announced End-Of-Life last June.”

The previous record was 962 compromised Magento stores in a single day that occurred in July 2019.

In the recent attacks, threat actors planted a software skimmer on the hacked websites that were designed to steal payment data entered by users on the checkout page. Then the attackers were exfiltrating it to a server hosted in Russia.

Sansec researchers speculate that tens of thousands of customers of the online stores had their personal and financial information stolen over the weekend.

Experts believe the crooks might be using a new exploit code for the popular CMS that was offered a few weeks ago on a hacking forum for $5,000 by a Russian seller that goes online with the moniker ‘z3r0day.’ z3r0day declared that he was selling only 10 copies of its exploit.

The exploit works on online powering the Magento 1 version that still running on 95,000 websites.

“According to live Sansec data, some 95 thousand Magento 1 stores are still operating as of today.” concludes the analysis.

“Official PCI requirements are to use a malware & vulnerability scanner on the server, such as Sansec’s eComscan. Sansec also recommends to subscribe to alternative Magento 1 patch support, such as provided by Mage One.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MAgecart)

[adrotate banner=”5″]

[adrotate banner=”13″]