Well-known cybersecurity expert and founder of Sanguine Security (SanSec) Willem de Groot (Willem de Groot) warned of the largest ever campaign aimed at compromising online stores based on the e-commerce platform Magento. According to the expert, this is the largest attack since 2015.
“Last Friday, 10 stores were infected, followed by 1058 on Saturday, 603 on Sunday and 233 more today,” de Groot wrote on Monday, September 14, 2020. “This automated campaign is the largest ever detected by Sansec since the start of observations in 2015. The previous record was 962 hacked stores in one day in July last year. “
All of these attacks were typical of MageCart hackers: the attackers hacked into websites and injected malicious scripts into their code, recording and stealing the bank card data of users, which they entered during ordering.
Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious code) on the pages of online stores to steal card data. But this approach was so successful that the group soon had numerous imitators, and the name MageCart became a household name, and now they denote a whole class of such attacks.
SanSec experts write that most of the hacked sites used the outdated version of Magento 1.x, whose support was finally discontinued on June 30, 2020. Interestingly, even last year, cybersecurity experts predicted an increase in attacks on Magento 1.x, fearing that in the end from 200,000 to 240,000 resources could be vulnerable. Fortunately, the number of vulnerable sites has decreased since then, and currently it is about 95,000.
ZDNet also recalls that this summer, some information security specialists expressed concern that new vulnerabilities in Magento 1.x had not been discovered for a long time. The fact is that this is a very uncharacteristic picture, since the 1.x branch has long been considered old and full of holes. Experts feared that the hackers were deliberately “holding back” their Magento 1.x exploits and waited until the end of the support period to make sure that Adobe developers did not fix the vulnerabilities. It looks like these experts were right.
While SanSec analysts have yet to establish exactly how the hackers hacked the affected sites, Willem de Groot writes that an advertisement for a zero-day vulnerability in Magento 1.x appeared on hacker forums last month, also confirming that the hackers were biding their time. In the ad, someone named z3r0day offered an RCE exploit for $ 5,000.