Large-scale Magecart Campaign Targets Older Magento Platforms To Compromise


[Image: Magecart. Source: arxan.com]

Security Issue

  • Recent research uncovered a new large-scale Magecart campaign involving eighty websites.
  • All of the compromised sites run older versions of the Magento platform, which are easy to exploit.
  • This type of attack is rising sharply, as e-commerce website owners continue to ignore software upgrades and security patches.

How do they do it?

The malicious actors use moderately strong JavaScript code obfuscation and anti-detection methods. The compromised websites run older versions of the Magento platform for which exploits are known and published.

[Image: merchandise mules. Source: arxan.com]

This indicates that the actors are after heavy wallets, so their targeting isn't random at all. The malicious code is inserted into the server-side checkout payment form and becomes part of the e-commerce site's source code. Customers who enter their payment details (credit card number, CVC code, name, expiration date, etc.) have this data captured and sent directly to the actor's server. The transactions on the e-commerce website go through as normal, and the platform receives all of the expected transaction reports, with nothing indicating a problem.

With all this data in hand, the actors buy goods from online shops and route them through merchandise mules, who ship them on to the final destination. This form of activity has been growing in popularity lately, as crooks find it relatively safe, reliable, and very profitable.

All that said, customers cannot be expected to analyze and de-obfuscate the JavaScript code in the source of the checkout pages. The responsibility for securing this sensitive data rests with the e-commerce website administrators, who really have no excuse for not doing the best they can.

Prevention

  1. First, make sure your web server is fully patched to the latest versions. This includes everything from operating-system patches and Magento security patches down to the extensions and third-party code that run as part of your website.
  2. Older versions of plugins are being exploited. Go through the website and disable any extensions that are not strictly necessary.
  3. Site owners should adopt a Content Security Policy (CSP) throughout the site, particularly on its critical parts: the cart page and the checkout page.
  4. Apply rules that blacklist and block requests and responses involving known malicious domains and other IOCs used by Magecart.
  5. Have a security expert audit your web code, then implement a security solution that alerts your team when suspicious activity takes place on your website. A website security monitoring tool such as Sucuri can do this; on a Linux server, the Linux audit logs can also show who changed a file.
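Steps 3 and 5 both come down to knowing exactly which scripts the checkout page is supposed to load. The following Python example, added here and not code from the original post, keeps a whitespace-insensitive hash baseline of the checkout page's inline scripts plus an allowlist of external script hosts (the same allowlist a CSP script-src for that page would encode), and reports any new inline script or any script pulled from an unapproved host. The hostnames, the allowlist and both sample pages are constructed for the example.

```python
import hashlib, re
from html.parser import HTMLParser
from urllib.parse import urlparse

OBFUSCATION_HINTS = re.compile(r"eval\s*\(|unescape\s*\(|String\.fromCharCode|atob\s*\(")  # review trigger, not proof
ALLOWED_HOSTS = {"shop.example", "js.payment-gateway.example"}  # hypothetical script allowlist
class ScriptCollector(HTMLParser):  # collects external script URLs and inline script bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._in_inline = src is None
            if src is None:
                self.inline.append("")
            else:
                self.external.append(src)
    def handle_endtag(self, tag):
        self._in_inline = self._in_inline and tag != "script"
    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data  # a body may arrive in several chunks
def _digest(body):  # whitespace-insensitive hash of one inline script body
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()
def inline_script_hashes(page_html):  # baseline, taken once from a page known to be clean
    c = ScriptCollector()
    c.feed(page_html)
    return {_digest(b) for b in c.inline}
def audit_checkout_page(page_html, allowed_hosts, baseline):
    """Findings for scripts from unapproved hosts or inline scripts absent from the baseline."""
    c = ScriptCollector()
    c.feed(page_html)
    findings = []
    for src in c.external:
        host = urlparse(src).hostname  # None for same-origin paths such as /js/opcheckout.js
        if host and host not in allowed_hosts:
            findings.append(f"external script from unapproved host: {host}")
    for body in c.inline:
        if _digest(body) not in baseline:
            hint = " (uses deobfuscation primitives)" if OBFUSCATION_HINTS.search(body) else ""
            findings.append(f"inline script not in baseline{hint}")
    return findings

# Constructed sample pages: a clean checkout page and the same page with two injected scripts.
CLEAN_PAGE = """<html><body><form id="co-payment-form"></form>
<script type="text/javascript">var checkoutConfig = {step: "payment"};</script>
<script src="/js/opcheckout.js"></script><script src="https://shop.example/js/checkout.js"></script></body></html>"""
SKIMMED_PAGE = CLEAN_PAGE.replace("</body>", """<script src="https://cdn-stats.example.net/jquery.min.js"></script>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116));</script></body>""")
```

Same-origin script files are deliberately not judged by host, since a skimmer appended to an existing file keeps its URL; that is the case file-integrity monitoring or the audit logs in step 5 cover.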

Magento Security Patches

SUPEE-11155, Magento Commerce 1.14.4.2 and Open Source 1.9.4.2 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Need help implementing Magento security enhancements on your website? Please feel free to contact us.
