Brute force attacks are being used to compromise Magento sites to scrape payment card data and deliver cryptomining malware.
Flashpoint researchers said at least 1,000 Magento admin panels have been compromised. The attackers use a simple script that cycles through common and known default Magento credentials to break into the accounts, according to an April 2 blog post.
“Once the attacker has control of the site's Magento CMS admin panel, they have unfettered access to the site and the ability to add any script they choose,” researchers said in the post. “In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed.”
The attackers also update the malicious files daily in order to sidestep signature- and behavior-based detection, researchers said. Most of the victims are in the education and healthcare industries, and the IP addresses of the compromised panels appear to be in the United States and Europe.
To prevent infection, researchers recommend Magento admins review CMS account logins and mitigate their exposure to brute-force attacks by enforcing proper password-hygiene practices.
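One way to act on that recommendation is to review web server logs for the credential-cycling pattern described above: a burst of failed admin login POSTs from one source, especially one followed by a successful login. The script below is an added example written for this page; it is not Flashpoint's code or part of the Magento project. It assumes Apache combined log format, that the admin login form posts to the Magento default path `/admin/` (a hardened store normally uses a custom path), and uses the heuristic that a failed login re-renders the form with a 200 while a successful one redirects with a 302. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (Apache combined format), not real traffic.
# 203.0.113.7 cycles credentials and logs in on the 12th attempt;
# 198.51.100.4 logs in cleanly; 192.0.2.9 mistypes twice over half an hour.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2018:10:15:01 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:02 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:03 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:04 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:05 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:06 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:07 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:08 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:09 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:10 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:11 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [02/Apr/2018:10:15:12 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
198.51.100.4 - - [02/Apr/2018:10:16:00 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Apr/2018:10:16:01 +0000] "GET /admin/dashboard/ HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Apr/2018:09:00:00 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Apr/2018:09:30:00 +0000] "POST /admin/ HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Apr/2018:09:31:00 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client IP, timestamp, request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the Magento default admin login path. Adjust to the store's real path.
DEFAULT_LOGIN_PATH = "/admin/"


def parse_admin_logins(log_text, login_path=DEFAULT_LOGIN_PATH):
    """Yield (ip, timestamp, succeeded) for every POST to the admin login path.

    Heuristic (assumption): a 302 redirect after the POST means the login
    succeeded; any other status means the form was re-rendered, i.e. it failed.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["status"] == "302"


def find_bruteforce(log_text, login_path=DEFAULT_LOGIN_PATH,
                    threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed admin logins inside any window.

    Returns {ip: {"peak_failures": n, "login_succeeded_after_burst": bool}}.
    A success after the burst is the case that matters most: credential
    cycling that found a working login, so that account needs review.
    """
    by_ip = defaultdict(list)
    for ip, ts, ok in parse_admin_logins(log_text, login_path):
        by_ip[ip].append((ts, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [ts for ts, ok in events if not ok]
        # Sliding window over failure timestamps to find the densest burst.
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = fails[-1]
            success_after = any(ok and ts >= last_fail for ts, ok in events)
            flagged[ip] = {"peak_failures": peak,
                           "login_succeeded_after_burst": success_after}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The window and threshold are tuning knobs: a single admin who fumbles a password a few times over a morning (192.0.2.9 above) stays under the threshold, while a scripted run of default credentials does not. Feed the function a real access log instead of `SAMPLE_LOG`, and treat any IP with `login_succeeded_after_burst` set as a panel whose credentials should be rotated and whose core files should be checked for injected code.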