Hundreds of ecommerce websites running an outdated and unsupported platform have been targeted by MageCart credit card skimming attacks.
Researchers from Sansec initially discovered 374 infections that occured on the same day, with the same malware - although further analysis put the final number of infected websites at over 500.
Sansec said the attackers used the naturalfreshmalll.com domain (already defunct) to load the malware onto ecommerce websites running Magento 1, Adobe’s open-source ecommerce platform, written in PHP. Magento 1 reached its end-of-life on June 30, 2020, meaning it no longer receives regular security and usability updates, making it a perfect target for cybercriminals.
Quickview vulnerability abused
The researchers believe the attackers took advantage of a known vulnerability found in the Quickview plugin, which allowed them to create a Magento admin account with the highest privileges.
The next step was to just inject a credit card skimmer, with one of the affected websites seeing the attackers inject 19 different backdoors, probably to test out what works best.
The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.
Ecommerce website owners are advised to upgrade their sites to the latest version of Magento to make sure they stay safe from these attacks.
MageCart is a term used interchangeably between the actual credit card skimming code, and the groups using the code. Cybersecurity researchers have identified “dozens of subgroups” that use these skimmers.
Besides credit card numbers, MageCart attackers are also interested in obtaining shipping addresses, full names of the victims, phone numbers, email addresses, and any and all other information needed to place an order online.
- You might also want to check out our list of the best endpoint protection software available now
Via: BleepingComputer
