Posted on September 16, 2020 at 1:50 PM
In what seems to be the largest hacking campaign since 2015, close to 2,000 Magento stores were hacked over the weekend.
The hackers used a typical Magnbecart hacking scheme where they compromised sites and installed malicious scripts in the source code of the stores. They used the source codes to log payment card details of shoppers who filled checkout forms.
Founder of Sanguine Security Willem de Groot, who tracks Magecart attacks, revealed how the numbers have increased since the first 10 stores were compromised on Friday.
“On Friday, 10 stores got infected, then 1,058 on Saturday, 603 on Sunday and 233 today,” he said
He added that this attack is the biggest the monitoring outfit has seen since it began monitoring such types of attacks in 2015. The previous record was in July last year when 962 stores were hacked in a single day.
Many of the stores were running EOL version
Groot reiterated that many of the affected sites had the Magento 1.x version running on their online store’s platform.
The Magento version is no longer receiving security updates as it was outdated three months ago. But many of the sites were still using the outdated Magento software, which has been vulnerable because of their lack of updates.
Ironically, there has been an anticipation of such attacks on Magento 1.x software since last year. Adobe, which designed the Magento software, warned users of the software last year asking the store owners to update to the new version as soon as possible. But it seems many users with the old version did not take the advice, as most of the compromised online stores were still using the old Magento software version.
Apart from the initial warnings by Adobe on a possible attack on Magento 1.x stores, other security advisors also echoed Adobe’s warnings. Visa and Mastercard also issued similar security advisories on the likelihood of attacks on the old Magento 1.x version.
Also, several web security experts reported that the Magento 1.x vulnerability has not been seen for a while, which was not normal, since it was outdated and carries some security flaws.
As at then, the security experts thought that the hackers were deliberately delaying their attack to pounce when the expiry date for the old version has reached. Then, they will be sure Adobe no longer has update support for the version. With the attacks coming at this time, it seems the security experts were right.
Although Groot is not yet sure how the hackers were able to infiltrate the online stores targeted from Friday, he revealed that there have been ads on darknet forums posted for Magento 1. X zero-day vulnerability. This is the confirmation that the hackers delayed their attacks until Adobe no longer offered support for the version.
A user with the username z3r0day posted the ad, with claims he or she has a remote code execution (RCE) exploit for sale at $5,000.
Adobe warnings helped save bigger disaster
Adobe started warning the Magento 1.x users on the importance of migrating to a newer version since November last year. Since then, there has been a massive reduction of the number of Magento 1.x users, to 95,000 from 240,000 when the warning was mad.
Affected stores could have been higher
Although the number of migration was expected to be higher than that, it’s still good news that more than 60% of the old software users were able to migrate, which means they were not affected by the recent hack.
And there is another theory that the majority of the stores that have not yet migrated either have low user traffic or have been abandoned by their owners. But there are still some sites with high traffic still running the Magento 1×2 version and depending on web application firewall to prevent attacks.
While the strategy may be compliant with PCI rules, it is a risky one, which can lead to vulnerability issues future.
On a similar note, Adobe has announced a partnership with security firm SanSec for the integration of Sansec’s database to the Magento backend.