Nearly 2000 Magento 1 stores hacked over the weekend

Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the largest documented campaign to date. It was a typical Magecart attack: injected malicious code would intercept the payment information of unsuspected store customers. Inspected stores were found running Magento version 1, which was announced End-Of-Life last June.

The Sansec early breach detection system, which monitors the global ecommerce space for security threats, detected 1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page. On Friday, 10 stores got infected, then 1058 on Saturday, 603 on Sunday and 233 today.

This automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015. The previous record was 962 hacked stores in a single day in July last year. The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming. Criminals have been increasingly automating their hacking operations to run web skimming schemes on as a many stores as possible.

Sansec estimates that tens of thousands of customers had their private information stolen over the weekend via one of the compromised stores.

Magento exploit for $5000

Many victimized stores have no prior history of security incidents. This suggests that a new attack method was used to gain server (write) access to all these stores. While we are still investigating the exact vector, this campaign may be related to a recent Magento 1 0day (exploit) that was put up for sale a few weeks ago.

User z3r0day announced on a hacking forum to sell a Magento 1 “remote code execution” exploit method, including instruction video, for $5000. Allegedly, no prior Magento admin account is required. Seller z3r0day stressed that – because Magento 1 is End-Of-Life – no official patches will be provided by Adobe to fix this bug, which renders this exploit extra damaging to store owners using the legacy platform.

To sweeten the deal, z3r0day pledged to only sell 10 copies of the dangerous exploit. Translated from Russian:

According to live Sansec data, some 95 thousand Magento 1 stores are still operating as of today.

Official PCI requirements are to use a malware & vulnerability scanner on the server, such as Sansec’s eComscan. Sansec also recommends to subscribe to alternative Magento 1 patch support, such as provided by Mage One.

UPDATE: Attack method

As of Monday, Sansec is running a forensic investigation on two compromised servers. Attacker(s) used the IPs 92.242.62.210 (US) and 91.121.94.121 (OVH, FR) to interact with the Magento admin panel and used the “Magento Connect” feature to download and install various files, including a malware called mysql.php. This file was automatically deleted after the malicious code was added to prototype.js.

2020-09-14T09:57:06  92.242.62.210  GET /downloader/ HTTP/1.1
2020-09-14T09:57:09  92.242.62.210  POST /downloader/ HTTP/1.1
2020-09-14T09:57:09  92.242.62.210  GET /index.php/admin/?SID=XXXX HTTP/1.1
2020-09-14T09:57:10  92.242.62.210  GET /index.php/admin/dashboard/index/key/<hash>/ HTTP/1.1
2020-09-14T09:57:13  92.242.62.210  GET /index.php/admin/system_config/index/key/<hash>/ HTTP/1.1
2020-09-14T09:57:15  92.242.62.210  GET /index.php/admin/system_config/edit/section/dev/key/<hash>/ HTTP/1.1
2020-09-14T09:57:19  92.242.62.210  POST /index.php/admin/system_config/save/section/dev/key/<hash>/ HTTP/1.1
2020-09-14T09:57:20  92.242.62.210  GET /index.php/admin/system_config/edit/section/dev/key/<hash>/ HTTP/1.1
2020-09-14T09:57:22  92.242.62.210  GET /index.php/admin/import/index/key/<hash>/ HTTP/1.1
2020-09-14T09:57:25  92.242.62.210  POST /index.php/admin/import/validate/key/<hash>/ HTTP/1.1
2020-09-14T09:57:25  92.242.62.210  GET /downloader/ HTTP/1.1
2020-09-14T09:57:28  92.242.62.210  POST /downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name= HTTP/1.1
2020-09-14T09:57:29  92.242.62.210  GET /downloader/index.php?A=cleanCache HTTP/1.1
2020-09-14T09:57:31  92.242.62.210  GET /mysql.php HTTP/1.1

The web server logs indicate that numerous attempts were made to install files over the weekend, possibly to install improved versions of the skimmer.

Skimmer analysis: mcdnn.net

For the affected Magento 1 stores, a skimmer loaded was added to the file prototype.js which is part of a standard Magento installation.

The //mcdnn.net/122002/assets/js/widget.js serves dynamic content, depending on what page it is being included on. Only when referenced from a checkout page, it will serve the malicious, keystroke logging code:

The actual payments are being exfiltrated to a Moscow-hosted site at https://imags.pw/502.jsp, on the same network as the mcdnn.net domain.

Source: sansec.io