Notorious online credit card theft group Magecart has amassed a large number of previously unpublished security flaws in extensions to popular e-commerce platform Magento, and is using them to inject hidden credit card stealers on legitimate checkout pages.
That’s according to security consultant and malware hunter Willem de Groot, who has closely tracked the group – believed to be responsible for a wide range of attacks including the recent British Airways and Ticketmaster hacks.
Now he is calling for help to identity some of the vendors affected, based on extension URLs he has identified in the wild. (These include extensions to Magento that allow stores to manage discounts in bundles: with a 300,000-strong developer community, Magento offers plenty of customisations).
He told Computer Business Review: “These URLs are used by a hacker to find specific shop extensions, that are vulnerable to a specific attack. I want to inform all the affected vendors so they can release fixed versions, but I can’t identify all the vendors, just based on the URLs, so I’ve asked for help…”
Once one of the probes for compromised store extension software is successful, a malicious actor will come back and insert a customized Javascript payment overlay for the specific site.
Willem de Groot said: “This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted.
In a detailed blog on the threat from Magecart attacks, he wrote: “While the extensions differ, the attack method is the same: PHP Object Injection (POI). This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any Javascript files. As of today, many popular PHP applications still use unserialize().”
He added: “[E-commerce platform] Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”
“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions. I collected the following probes. If you are running any of them, you’d better disable them quickly and search your logs for unauthorized activity.”
For the list of probes, see here.
This article is from the CBROnline archive: some formatting and images may not be present.
Join Our Newsletter
Want more on technology leadership?
Sign up for Tech Monitor's weekly newsletter, Changelog, for the latest insight and analysis delivered straight to your inbox.
Industry leading data and analysis for the FDI community
Close
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site you consent to the use of cookies. OKPrivacy policy
