Massive Breach Hits 500 E-Commerce Sites
Hackers Targeted E-Commerce Sites Running on Magento 1
Researchers have detected a massive breach of more than 500 stores using the Magento 1 e-commerce platform.
"All stores were victims of a payment skimmer loaded from the naturalfreshmall.com domain. We invited victims to reach out to us, so we could find a common point of entry and protect other merchants against a potential new attack," researchers at Dutch security firm Sansec say.
Once the investigation was concluded, the researchers identified that the attackers used a combination of an SQL injection and PHP Object Injection attack to gain control of the Magento store.
More than 350 ecommerce stores infected with malware in a single day.
Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.
— Sansec (@sansecio) January 25, 2022
All of the targeted sites were still using the 12-year-old Magento 1 e-commerce platform, which Adobe stopped supporting on June 30, 2020. Adobe has urged customers to upgrade to the newer platform but according to previous research by Sansec, about 95,000 e-commerce sites still rely on the older version.
In previously reported Magecart-style attacks, a malicious skimming script was injected into payment checkout pages, and credit card and personal information was skimmed off and sent to a remote server, according to analysis by security firm Trend Micro.
Kunal Modasiya, senior director of product management at PerimeterX, says Magecart attackers are always looking for ways to avoid detection in their quest to steal the credit card information of customers. In this attack, 500 stores were the victims of a payment card skimmer loaded from the naturalfreshmall.com domain.
Researchers at Sansec say that the attackers abused a known leak in the Quickview plug-in that allows customers to conveniently view products in a Quick View pop-up without leaving the current page.
While this is often abused to inject rogue Magento admin users, the researchers say that in this case, the attackers used this flaw to run code directly on the server.
"First, the attacker abused Quickview to add a validation rule to the customer_eav_attribute table, then the added validation rule is (the result of UNHEX()), which performs the opposite operation of HEX(). This POI payload is used to trick the host application into crafting a malicious object. In this case, Zend_Memory_Manager and Zend_CodeGenerator_Php_File are used to create a file called api_1.php with a simple backdoor," the Sansec researchers say.
But adding the payload to the database does not run the code: Magento still has to unserialize the data. The researchers call the attacker's trigger "clever" because, by "using the validation rules for new customers, the attacker can trigger an unserialize by simply browsing the Magento sign up page."
Once the object is unserialized, the attacker can run arbitrary PHP code through the api_1.php backdoor. In this case, the researchers found that the attacker had left no less than 19 backdoors on the system.
"It is essential to eliminate each and every one of them because leaving one in place means that your system will be hit again next week. The actual payment interception code was added to the core_config_data table in the design/footer/absolute_footer section," the researchers say.
They share a list of files that were either entirely malicious or are part of the Magento code but had malicious code added to them, and they recommend running a malware scanner because a merchant's system could have similar or entirely different backdoors.
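The two database locations named above suggest a straightforward defender-side check. The script below is an added example, not Sansec's scanner and not part of Magento: it reads exported customer_eav_attribute validation rules with a small PHP-serialize parser and flags any serialized object, since Magento 1 only ever keeps a plain array of scalar rules in that column, and it checks core_config_data values for script tags whose host is not on the merchant's own allow-list, which generalizes the page's design/footer/absolute_footer case to every config row. Assumptions: rows arrive as (attribute_code, validate_rules) and (path, value) pairs from a simplified export; a payload delivered through UNHEX() lands decoded in the column, but a still hex-encoded value is accepted too; the Example_Gadget class name, the allow-listed host and all sample rows are constructed.

```python
"""Scan exported Magento 1 rows for PHP Object Injection and injected footer scripts.

Added example, not Sansec's or Magento's code. Assumed input: customer_eav_attribute
rows as (attribute_code, validate_rules) pairs and core_config_data rows as
(path, value) pairs. Magento 1 stores a serialized PHP *array* of scalar rules in
validate_rules, so any serialized object (O:...) in that column is a red flag.
"""
import re


class PhpSerialized:
    """Tiny PHP serialize() reader that records every object class it meets."""

    def __init__(self, data: bytes):
        # PHP string lengths are byte counts: map each byte to exactly one char.
        self.s = data.decode("latin-1")
        self.i = 0
        self.classes = []

    def parse(self):
        value = self._value()
        if self.i != len(self.s):
            raise ValueError("trailing data after serialized value")
        return value

    def _expect(self, ch):
        if self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _until(self, ch):
        j = self.s.index(ch, self.i)
        tok, self.i = self.s[self.i:j], j + 1
        return tok

    def _pairs(self, n):
        # Shared by arrays and object property lists: {key;value;...}
        self._expect("{")
        out = {}
        for _ in range(n):
            k = self._value()
            out[k] = self._value()
        self._expect("}")
        return out

    def _value(self):
        t = self.s[self.i]
        self.i += 1
        if t == "N":
            self._expect(";")
            return None
        self._expect(":")
        if t in "ib":
            v = int(self._until(";"))
            return bool(v) if t == "b" else v
        if t == "d":
            return float(self._until(";"))
        if t == "s":
            n = int(self._until(":"))
            self._expect('"')
            v, self.i = self.s[self.i:self.i + n], self.i + n
            self._expect('"')
            self._expect(";")
            return v
        if t == "a":
            return self._pairs(int(self._until(":")))
        if t == "O":
            self._until(":")                      # class-name length, not needed
            self._expect('"')
            cls = self._until('"')
            self._expect(":")
            self.classes.append(cls)              # the detection signal
            return {"__class__": cls, "props": self._pairs(int(self._until(":")))}
        raise ValueError(f"unsupported token {t!r} at offset {self.i}")


HEX_RE = re.compile(r"\A(?:[0-9A-Fa-f]{2})+\Z")
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)


def find_injected_objects(validate_rules):
    """Class names of serialized objects in a validate_rules value ([] if clean)."""
    if not validate_rules:
        return []                                 # NULL/empty is the normal case
    raw = validate_rules
    # Assumption: a value delivered via UNHEX() is already decoded; a value that is
    # still pure hex (e.g. from a HEX() export) is decoded here before parsing.
    data = bytes.fromhex(raw) if HEX_RE.match(raw) else raw.encode("utf-8")
    reader = PhpSerialized(data)
    try:
        reader.parse()
    except (ValueError, IndexError):
        return ["<unparseable>"]
    return reader.classes


def find_external_scripts(value, own_hosts):
    """Hostnames of <script src=...> tags in a config value not on the allow-list."""
    return [h for h in SCRIPT_SRC_RE.findall(value or "") if h.lower() not in own_hosts]


def scan(eav_rows, config_rows, own_hosts):
    """Return (table, key, detail) findings for both injection points."""
    findings = []
    for code, rules in eav_rows:
        classes = find_injected_objects(rules)
        if classes:
            findings.append(("customer_eav_attribute", code, classes))
    for path, value in config_rows:
        hosts = find_external_scripts(value, own_hosts)
        if hosts:
            findings.append(("core_config_data", path, hosts))
    return findings


# Constructed sample rows (not data from any real store); Example_Gadget is a placeholder.
SAMPLE_EAV = [
    ("firstname", 'a:1:{s:15:"min_text_length";i:1;}'),                   # normal
    ("email", None),                                                       # normal
    ("lastname", 'O:14:"Example_Gadget":1:{s:4:"note";s:11:"constructed";}'),
    ("taxvat", 'O:14:"Example_Gadget":1:{s:4:"note";s:11:"constructed";}'.encode().hex()),
]
OWN_HOSTS = {"static.example-shop.test"}
SAMPLE_CONFIG = [
    ("design/footer/absolute_footer",
     '<script src="https://static.example-shop.test/js/footer.js"></script>'),
    ("design/footer/absolute_footer",
     '<script type="text/javascript" src="//naturalfreshmall.com/image/pixel.js"></script>'),
]

if __name__ == "__main__":
    for table, key, detail in scan(SAMPLE_EAV, SAMPLE_CONFIG, OWN_HOSTS):
        print(f"{table}: {key}: {detail}")
```

Feeding the script a real export means dumping the two tables with scope columns included and keeping only the rows the merchant cannot explain; the allow-list is the merchant's own static and CDN hosts, and a hit on validate_rules is conclusive on its own because nothing legitimate ever puts an object there.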
Isolate, Remove, Block
"Given the continued issues with outdated versions of the Magento platform, it is critical that e-commerce companies get real-time alert notifications for the payment card data leak. They should also quickly isolate any third-party library changes that have caused the incident and quickly mitigate the risk by removing or updating the third-party library and blocking the PCI incident to prevent further PCI data leaks," Modasiya says.