October 24, 2018

Magecart Stockpiling Magento Extension 0days: Is Your Business at Risk?

Once one of the probes for compromised store extension software is successful, a malicious actor will come back and insert a customized Javascript payment overlay for the specific site.

By CBR Staff Writer

Notorious online credit card theft group Magecart has amassed a large number of previously unpublished security flaws in extensions to popular e-commerce platform Magento, and is using them to inject hidden credit card stealers on legitimate checkout pages.

That’s according to security consultant and malware hunter Willem de Groot, who has closely tracked the group – believed to be responsible for a wide range of attacks including the recent British Airways and Ticketmaster hacks.

Now he is calling for help to identify some of the affected vendors, based on extension URLs he has seen probed in the wild. (These include Magento extensions that let stores manage discounts in bundles: with a 300,000-strong developer community, Magento offers plenty of customisations.)

He told Computer Business Review: “These URLs are used by a hacker to find specific shop extensions that are vulnerable to a specific attack. I want to inform all the affected vendors so they can release fixed versions, but I can’t identify all the vendors just based on the URLs, so I’ve asked for help…”


(Within hours infosec Twitter had come good: 13 of the 20 vendors were identified, and 4 of the 20 were confirmed fixed.)

Magecart Attacks: The Modus Operandi

[Image: Magecart attacks – a fake credit card payment section is inserted]

Here’s how the attacks work.

Once one of the probes for compromised store extension software is successful, a malicious actor will come back and insert a customized Javascript payment overlay for the specific site.

Willem de Groot said: “This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted.”


In a detailed blog on the threat from Magecart attacks, he wrote: “While the extensions differ, the attack method is the same: PHP Object Injection (POI). This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any Javascript files. As of today, many popular PHP applications still use unserialize().”

He added: “[E-commerce platform] Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”
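The two quotes above name the sink (unserialize() on data the client controls) and the fix Magento chose (json_decode()). The following is an added example, not code from the article, from Magento or from any extension, that puts the two side by side; the class, cookie layout and field names are invented for illustration.

```php
<?php
// Added example (not from the article, Magento or any extension). Shows the
// unserialize() sink the article describes and two standard mitigations.
// CartPreferences, the cookie format and the field names are constructed.
declare(strict_types=1);

final class CartPreferences
{
    /** @var string[] constructed audit trail so the demo can observe what ran */
    public static array $events = [];

    public string $currency = 'EUR';

    // Magic method: PHP calls this automatically while rebuilding the object.
    // When unserialize() runs on untrusted input, the *client* decides which
    // class (and so which __wakeup/__destruct/__toString) gets executed and
    // with what property values. That is PHP Object Injection.
    public function __wakeup(): void
    {
        self::$events[] = '__wakeup ran with currency=' . $this->currency;
    }
}

// VULNERABLE: the pattern the article describes. The cookie bytes, not the
// application, decide which class is instantiated and what its state is.
function loadPrefsVulnerable(string $cookie)
{
    return unserialize(base64_decode($cookie, true));
}

// MITIGATION 1: keep the serialize() format but refuse to build any object.
// PHP 7.0+ accepts the allowed_classes option; every O:... token becomes a
// __PHP_Incomplete_Class and no magic method is executed.
function loadPrefsNoObjects(string $cookie)
{
    return unserialize(base64_decode($cookie, true), ['allowed_classes' => false]);
}

// MITIGATION 2: the replacement the article credits to Magento patch 8788.
// JSON can only yield scalars and arrays (with assoc=true), so there is no
// class to hijack. The shape still has to be validated: json_decode() only
// checks syntax, not meaning.
function loadPrefsJson(string $cookie): array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        throw new InvalidArgumentException('cookie is not valid base64');
    }
    $data = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($data)
        || !isset($data['currency'])
        || !preg_match('/^[A-Z]{3}$/', (string) $data['currency'])) {
        throw new InvalidArgumentException('unexpected preference payload');
    }
    return ['currency' => $data['currency']];
}

// --- demo with constructed inputs --------------------------------------------
// $benign is what the site itself would emit; $tampered is the same wire format
// edited by the client, proving the server rebuilds whatever it is handed.
$benign   = base64_encode(serialize(new CartPreferences()));
$tampered = base64_encode('O:15:"CartPreferences":1:{s:8:"currency";s:3:"XXX";}');

loadPrefsVulnerable($benign);
loadPrefsVulnerable($tampered);
echo "unserialize(): ", implode(' | ', CartPreferences::$events), "\n";

$obj = loadPrefsNoObjects($tampered);
echo "allowed_classes=false: ", get_class($obj), "\n"; // __PHP_Incomplete_Class, no __wakeup

echo "json_decode(): ", json_encode(loadPrefsJson(base64_encode('{"currency":"GBP"}'))), "\n";
try {
    loadPrefsJson($tampered); // serialized PHP is not JSON, so this is rejected
} catch (JsonException $e) {
    echo "json_decode(): rejected tampered cookie (", $e->getMessage(), ")\n";
}
```

When auditing an extension, the search is for every unserialize() whose argument can be traced back to a request parameter, cookie, or database column the client can influence; each one is either rewritten to json_decode() with shape validation, or, where the wire format cannot change, given `['allowed_classes' => false]` so that no object of any class can be instantiated from the input.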

“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions. I collected the following probes. If you are running any of them, you’d better disable them quickly and search your logs for unauthorized activity.”

For the list of probes, see here.
