Categories: Breaking NewsCyber CrimeHackingMalware

Thousands of Magento websites compromised to serve malware

Security experts have discovered that thousands of websites running the eBay’s Magento e-commerce platform have been compromised and used to deliver malware.

Security experts at Sucuri have discovered a malware campaign that targeted a large number of websites the eBay Magento e-commerce platform. The same campaign was also monitored by the researchers at Malwarebytes which focused their analysis on the client side.

According to the security experts, the attackers compromised websites running Magento and injected malicious scripts that were used to create iframes from the “guruincsite.com” domain.

The threat actors compromised Magento installations by exploiting a zero-day directory traversal flaw in the third-party mass importer tool Magmi.

The guruincsite domain is known to security firms, according to the Google Safe Browsing the domain has been used to infect more than 8,000 domains. The domain was also used to host a Neutrino exploit kit used to serve a malware.

“The name ‘guruincsite‘ was also familiar to us because it happened to be part of the redirection infrastructure in our ‘neitrino‘ campaign. It turned out that this was the same attack Sucuri was seeing on the server side as what we were seeing on the client side via web exploits.” states the blog post published by Malwarebytes.

The specific campaign uncovered by the experts relies on the Neutrino Exploit Kit to deliver the Andromeda/Gamarue malware triggering a Flash Player vulnerability.

Denis Sinegubko from Sucuri explained that Magento website administrators can discover the infection by checking the design/footer/absolute_footer entry in the core_config_data table.

“The malware is usually injected in the design/footer/absolute_footer entry of the core_config_datatable, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.” states the blog post from Sucuri.

Magento e-commerce platform is a privileged target for cybercriminals, in April experts at Sucuri reported another malicious campaign that was exploiting a flaw within 24 hours after its disclosure.

In June, the researchers from Sucuri discovered a malicious code used by criminals to syphon payment card data from websites based on the Magento e-commerce Platform.

Pierluigi Paganini

(Security Affairs – Magento, cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.