
Malware campaign infects thousands of Magento e-commerce sites

Over the last six months, a recently discovered, highly prolific payment card-scraping campaign managed to infect more than 7,000 online stores running on the open-source Magento e-commerce software platform.

In an Aug. 30 blog post, Dutch security researcher Willem de Groot reported that the operation involved online payment skimming malware called MagentoCore. Of the 7,339 e-shops found to be impacted, at least 1,450 of them were infected for the entire half-year period the threat has existed.

De Groot further explained that MagentoCore skimmers "gain illicit access to the control panel of an e-commerce site, often with brute force techniques," then embed JavaScript into the HTML template. The malicious script records keystrokes and "sends everything in real-time to the server, registered in Moscow."

The malware also inserts a backdoor for periodic downloads, removes competing malware, and changes the passwords of common staff user names.

In the two weeks preceding the researcher's post, the attackers were infecting websites at a clip of 50 to 60 stores per day, according to de Groot.

"Magento is an open-source platform and for this reason is also a favorite target of bad actors. This latest attack was likely carried out through password guessing and exploited vulnerabilities in Magento servers..." said Devon Merchant, digital security and operations manager at The Media Trust, in emailed comments. "The vulnerabilities might lie in the web application source code, enabling bad actors to manipulate the code and inject rogue script into the HTML template. The script then logs keystrokes and sends them to a command-and-control server."
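Because the skimmer described above lives in the storefront's HTML template, a store operator can catch that kind of change by comparing the scripts on a rendered page against a known-good state. The following is an added example, not code from de Groot's report or from this article; the host names, sample pages and function names are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect each <script> as ("src", url) or ("inline", sha256 of body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._buf = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src))
            else:
                self._buf = []  # start buffering an inline body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body, self._buf = "".join(self._buf).strip(), None
            if body:
                digest = hashlib.sha256(body.encode()).hexdigest()
                self.scripts.append(("inline", digest))

def collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts

def audit(html, page_host, allowed_hosts, baseline_inline):
    """Flag script hosts off the allowlist and inline bodies not in the baseline."""
    findings = []
    for kind, value in collect(html):
        if kind == "src":
            # Relative URLs carry no host and resolve to the page's own host.
            host = (urlparse(value).hostname or page_host).lower()
            if host not in allowed_hosts:
                findings.append(("unapproved-script-host", value))
        elif value not in baseline_inline:
            findings.append(("unknown-inline-script", value[:12]))
    return findings

# Constructed sample: a known-good render and a later render of the same template.
GOOD = '<script src="/js/app.js"></script><script>var cfg={currency:"EUR"};</script>'
LATER = GOOD + '<script src="//cdn.unlisted.example/a.js"></script><script>/* added */var t=1;</script>'
BASELINE = {value for kind, value in collect(GOOD) if kind == "inline"}
```

Calling `audit(LATER, "shop.example", {"shop.example"}, BASELINE)` reports the script from the unlisted host and the inline script that was not present in the baseline render, while the known-good page produces no findings.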

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
