An automated Magecart campaign against 2,000 Magento stores over the weekend compromised the private information of thousands of customers and may very well be the largest attack of its kind since 2015.

The hacks were typical Magecart attacks, but since many of the stores victimized had no prior history of security incidents, “this suggests that a new attack method was used to gain server (write) access to all these stores,” according to a blog post from Sansec researchers who discovered the hacks. The incidents are still under investigation, but Sansec said the campaign could be related to a recent Magento 1 zero-day exploit “that was put up for sale” weeks ago.

“Magento 1.0 sites remain an attractive target for hackers looking to steal logins, personal data and financial data. This version no longer receives software updates as of June 2020, leaving sites exposed to zero-day vulnerabilities such as the one that was exploited in this attack,” said Ameet Naik, security evangelist at PerimeterX.

“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming,” Sansec said. “Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.”

“User z3r0day announced on a hacking forum to sell a Magento 1 ‘remote code execution’ exploit method, including instruction video, for $5,000,” Sansec wrote. “Allegedly, no prior Magento admin account is required. Seller z3r0day stressed that – because Magento 1 is End-Of-Life – no official patches will be provided by Adobe to fix this bug, which renders this exploit extra damaging to store owners using the legacy platform.”

In an update to the blog post, Sansec said the attackers “used the IPs 92.242.62.210 (US) and 91.121.94.121 (OVH, FR) to interact with the Magento admin panel and used the ‘Magento Connect’ feature to download and install various files, including a malware called mysql.php.” The file was then automatically deleted once the malicious code had been added to prototype.js.

A skimmer loader was then added to prototype.js with payments “exfiltrated to a Moscow-hosted site at https://imags.pw/502.jsp, on the same network as the mcdnn.net domain,” the researchers wrote.
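A store operator can check for the indicators named in the two paragraphs above. The following is an added example, not code from Sansec or from this article; it assumes an Apache/nginx combined-format access log and a known-good copy of prototype.js from a clean Magento 1 release, and all sample data in it is constructed.

```python
import hashlib
import re

# Indicators quoted in the article (Sansec's update to its blog post).
ATTACKER_IPS = {"92.242.62.210", "91.121.94.121"}
EXFIL_HOSTS = ("imags.pw", "mcdnn.net")
DROPPED_FILE = "mysql.php"

# Assumption: access log is in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def scan_access_log(lines):
    """Return (ip, timestamp, path, reasons) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        reasons = []
        if m["ip"] in ATTACKER_IPS:
            reasons.append("attacker IP")
        # Compare only the file name, ignoring directory and query string.
        if m["path"].split("?", 1)[0].rsplit("/", 1)[-1] == DROPPED_FILE:
            reasons.append("request for " + DROPPED_FILE)
        if reasons:
            hits.append((m["ip"], m["ts"], m["path"], reasons))
    return hits

def check_prototype_js(current: bytes, baseline: bytes):
    """Compare prototype.js with a known-good copy and look for exfil hosts."""
    text = current.decode("utf-8", "replace").lower()
    changed = hashlib.sha256(current).digest() != hashlib.sha256(baseline).digest()
    return {"modified": changed,
            "exfil_hosts": [h for h in EXFIL_HOSTS if h in text]}

# Constructed sample data (not real logs and not real skimmer code).
# /downloader/ is where Magento 1 serves the Magento Connect manager.
SAMPLE_LOG = [
    '92.242.62.210 - - [01/Jan/2020:03:14:07 +0000] "POST /downloader/index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2020:03:15:10 +0000] "GET /checkout/cart/ HTTP/1.1" 200 20480',
    '198.51.100.7 - - [01/Jan/2020:03:16:44 +0000] "GET /mysql.php?x=1 HTTP/1.1" 200 12',
]
BASELINE_JS = b"var Prototype = {Version: '1.7'};\n"
TAMPERED_JS = BASELINE_JS + b"/* constructed stand-in for an injected loader: imags.pw */\n"

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(check_prototype_js(TAMPERED_JS, BASELINE_JS))
```

A loader that hides its destination will not contain the host names in clear text, so the hash mismatch against the clean copy is the stronger signal of the two.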

“Hackers can easily scan for outdated versions of Magento and use automated bots to access them, upload shell scripts, and install the card skimming malware,” said Paul Bischoff, privacy advocate with Comparitech. “Card skimming attacks are undetectable by end users, so the responsibility falls on website operators to update their systems to the latest version of Magento. At this point, any website using Magento 1.x should be assumed compromised.”