Magecart hackers change tactic and target vulnerable Magento extensions

Magecart cybercrime gang made the headlines again, the cyber criminal gang is now targeting vulnerable Magento Extensions.

Magecart cybercrime gang switches tactic, it is now targeting vulnerable Magento extensions. instead of compromising large websites or third-party services to steal credit card data.

In previous campaigns, attackers customize the attack for each victim tailoring the code for each target site according to the information gathered through an initial reconnaissance phase. The avoid the detection, Magecart hackers injected only into specific pages.

In the last months, the gang hit several major platforms, including British Airways, Newegg, Ticketmaster, and Feedify.

The new attack was detailed by the researcher Willem de Groot, the hackers are now exploiting zero-day vulnerabilities in popular store extension software in order to inject skimmer scripts.

“Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they are able to inject anything in the first place? As it turns out, thieves are massively exploiting unpublished security flaws (aka 0days) in popular store extension software.” continues the expert.

“While the extensions differ, the attack method is the same: PHP Object Injection (POI).

Now attackers leverage PHP Object Injection (POI) by abusing PHP’s unserialize() function in order to compromise websites. With this attack method, they are able to modify the database or any JavaScript file.

According to de Groot, many popular PHP applications continue to use unserialize(), but while Magento has replaced most of the vulnerable functions, many of its extensions are still flawed.

“This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site.” continues the researcher.

“With that, they are able to modify the database or any Javascript files. As of today, many popular PHP applications still use unserialize(). Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”

The attackers have analyzed a large number of extensions and discovered numerous POI vulnerabilities, then they are scanning the Internet for Magento installs using these extensions.

Once the attackers have found a vulnerable store they exploit the zero-day to insert a JavaScript payment overlay customized for the specific target site.

“Once any of the probes above is successful, a malicious actor will come back and insert a customized Javascript payment overlay for the specific site. This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted.” states the researcher.

“Once a user enters his CC details and clicks submit, the fake credit card form disappears and the unsuspecting (?) user will likely try again. The fake form will not show a second time, because a cookie is set to prevent that.”

Further details are included in the analysis published by the researcher.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Magecart, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]