Notorious online credit card theft group Magecart has amassed a large number of previously unpublished security flaws in extensions to popular e-commerce platform Magento, and is using them to inject hidden credit card stealers on legitimate checkout pages.
That’s according to security consultant and malware hunter Willem de Groot, who has closely tracked the group – believed to be responsible for a wide range of attacks including the recent British Airways and Ticketmaster hacks.
Now he is calling for help to identify some of the vendors affected, based on extension URLs he has identified in the wild. (These include extensions to Magento that allow stores to manage discounts in bundles: with a 300,000-strong developer community, Magento offers plenty of customisations.)
He told Computer Business Review: “These URLs are used by a hacker to find specific shop extensions, that are vulnerable to a specific attack. I want to inform all the affected vendors so they can release fixed versions, but I can’t identify all the vendors, just based on the URLs, so I’ve asked for help…”
Multiple 0days used by Magecart. Need your help to identify all vendors! https://t.co/WMt21jRJGr pic.twitter.com/17GBzyR0rq
— Willem de Groot (@gwillem) October 23, 2018
(Within hours infosec Twitter had come good and 13/20 were identified, with 4/20 confirmed fixed).
Magecart Attacks: The Modus Operandi
Here’s how the attacks work.
Once one of the probes for compromised store extension software is successful, a malicious actor will come back and insert a customized Javascript payment overlay for the specific site.
Willem de Groot said: “This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted.”
In a detailed blog on the threat from Magecart attacks, he wrote: “While the extensions differ, the attack method is the same: PHP Object Injection (POI). This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any Javascript files. As of today, many popular PHP applications still use unserialize().”
He added: “[E-commerce platform] Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”
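To make the unserialize()-versus-json_decode() point concrete, here is an added example in PHP; it is not code from the article, from Magento, or from any of the affected extensions, and the class name `CacheEntry`, the function names and the cookie-based settings scenario are all hypothetical. It shows the shape of a PHP Object Injection sink, the json_decode() replacement the quote describes, and the `allowed_classes` option for legacy serialized data that cannot be migrated yet.

```php
<?php
// Added example (not from the article, Magento, or any extension): why unserialize()
// on attacker-controlled input is a PHP Object Injection (POI) sink, and the
// json_decode() replacement the article describes. All names are hypothetical.
declare(strict_types=1);

// Any class with a "magic" method that does work on wakeup or destruct becomes a
// gadget when unserialize() may instantiate it from untrusted data. This toy class
// only logs; in a real code base such a method might write files or run queries,
// which is how the stores in the article ended up with modified JavaScript.
class CacheEntry
{
    public string $path = '';

    public function __destruct()
    {
        error_log("CacheEntry destroyed for path: {$this->path}");
    }
}

// VULNERABLE (hypothetical extension code): bundle options are kept in a cookie
// and restored with unserialize(). The input string, not the code, decides which
// classes get instantiated and therefore which magic methods run.
function loadBundleOptionsVulnerable(string $cookieValue): array
{
    $data = @unserialize($cookieValue);   // POI sink
    return is_array($data) ? $data : [];
}

// HARDENED: JSON has no notion of PHP objects, so no class is instantiated and no
// magic method runs. Each field is still validated before it is trusted.
function loadBundleOptionsSafe(string $cookieValue): array
{
    try {
        $data = json_decode($cookieValue, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }
    $clean = [];
    foreach ($data as $key => $value) {
        // Only lower-case option names mapped to non-negative integers are accepted.
        if (is_string($key) && preg_match('/^[a-z_]{1,32}$/', $key) && is_int($value) && $value >= 0) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Legacy data that must still be read with unserialize(): forbid object creation.
// Any object token in the input becomes __PHP_Incomplete_Class, so no constructor,
// __wakeup or __destruct of an application class can be triggered.
function loadLegacyOptions(string $serialized): array
{
    $data = @unserialize($serialized, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Demonstration with constructed input.
$jsonInput = json_encode(['bundle_qty' => 2, 'discount_pct' => 10, 'evil' => 'x']);
var_dump(loadBundleOptionsSafe($jsonInput));           // ['bundle_qty' => 2, 'discount_pct' => 10]

$legacyArray = serialize(['bundle_qty' => 3]);
var_dump(loadLegacyOptions($legacyArray));             // ['bundle_qty' => 3]

// A serialized object reaches the vulnerable loader: the class is instantiated and
// its __destruct runs (see the error_log line). The hardened legacy loader rejects it.
$objectInput = serialize(new CacheEntry());
var_dump(loadBundleOptionsVulnerable($objectInput));   // [] but CacheEntry was created
var_dump(loadLegacyOptions($objectInput));             // [] and no CacheEntry created
```

The `allowed_classes` option has been available since PHP 7.0; where a code base genuinely needs object deserialization, pass an explicit whitelist of class names rather than `true`, and treat every remaining unserialize() call on request-derived data as a finding to migrate to JSON.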
“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions. I collected the following probes. If you are running any of them, you’d better disable them quickly and search your logs for unauthorized activity.”
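As an added example of the log search the quote recommends (not code from the article or from any of the affected vendors), this PHP script scans web server access-log lines for two signals a POI probe leaves behind: requests to extension paths from a watch list, and URL-encoded PHP serialized-object tokens in the query string. The log lines are constructed, and `ASSUMED_PROBE_PATHS` is a placeholder to be filled from the probe list the article links to.

```php
<?php
// Added example (not from the article): find likely PHP Object Injection probes in
// an access log. The log lines below are constructed; ASSUMED_PROBE_PATHS is a
// placeholder for the extension paths published in the article's probe list.
declare(strict_types=1);

const ASSUMED_PROBE_PATHS = [
    '/index.php/example_vendor/example_extension/',   // placeholder, not a real path
];

// A serialized PHP object looks like O:<len>:"<class>":<n>:{...}. Seeing this in a
// query string is a strong signal that someone is feeding unserialize() from input.
const SERIALIZED_OBJECT_RE = '/\bO:\d+:"[^"]+":\d+:\{/';

// Common/combined log format: client ident user [time] "METHOD path HTTP/x" status size
const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})/';

/**
 * Returns one finding per suspicious line: client, time, path, status and the
 * reasons it was flagged. Lines that do not parse are skipped.
 */
function findSuspiciousRequests(array $logLines): array
{
    $findings = [];
    foreach ($logLines as $line) {
        if (!preg_match(LOG_LINE_RE, $line, $m)) {
            continue;
        }
        [, $client, $time, $method, $target, $status] = $m;
        $path = parse_url($target, PHP_URL_PATH) ?? $target;
        $query = parse_url($target, PHP_URL_QUERY) ?? '';
        $reasons = [];

        foreach (ASSUMED_PROBE_PATHS as $probe) {
            if (str_starts_with($path, $probe)) {
                // A 404 means the extension is absent; a 200 means the probe found it.
                $reasons[] = "request to watched extension path (status $status)";
                break;
            }
        }
        // Decode once so percent-encoded payloads are visible to the regex.
        if ($query !== '' && preg_match(SERIALIZED_OBJECT_RE, urldecode($query))) {
            $reasons[] = 'serialized PHP object in query string';
        }
        if ($reasons) {
            $findings[] = compact('client', 'time', 'method', 'path', 'status', 'reasons');
        }
    }
    return $findings;
}

// Constructed sample log (documentation IP ranges, placeholder paths).
$sampleLog = [
    '203.0.113.5 - - [23/Oct/2018:10:15:01 +0000] "GET /index.php/example_vendor/example_extension/?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512',
    '198.51.100.9 - - [23/Oct/2018:10:15:07 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8192',
    '203.0.113.5 - - [23/Oct/2018:10:15:09 +0000] "GET /index.php/example_vendor/example_extension/ HTTP/1.1" 404 311',
];

foreach (findSuspiciousRequests($sampleLog) as $f) {
    printf("%s %s %s %s -> %s\n", $f['time'], $f['client'], $f['method'], $f['path'], implode('; ', $f['reasons']));
}
```

Run it as `php scan.php < /dev/null` after pointing `$sampleLog` at `file('/var/log/apache2/access.log')`. Two caveats: access logs do not record POST bodies, so a probe that ships its payload in the body will only show up through the path match, and a 200 on a watched path is the case to investigate first, since it tells the prober the extension is installed.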
For the list of probes, see here.