Thousands of online stores around the world have been hit by a major cybersecurity attack due to using outdated and unprotected ecommerce software (opens in new tab).
Almost 2,000 stores using the Magento (opens in new tab) ecommerce platform were affected in what security researchers described as the "largest documented campaign to date".
The attack was described by researchers at Sansec (opens in new tab), which uncovered the campaign, as, "a typical Magecart attack" where injected malicious code looked to intercept the payment information of unsuspecting customers.
- Check out the best money transfer apps and services (opens in new tab)
- This is the best shopping cart software (opens in new tab) around
- Here's the top credit card processing (opens in new tab) options to take payments online.
Sansec notes that the affected stores were found to be running Magento version 1, which was announced as reaching its end-of-life in June 2020, but is still used by around 95,000 stores worldwide.
The company detected 1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page, far larger than any other recorded attack since 2015, when it first began monitoring the software.
Sansec added that many of the affected stores had no prior history of security incidents, suggesting that a new attack method had been used to gain server (write) access. It noted that a Magento 1 0day (exploit) had been put up for sale on a hacking forum for $5000 a few weeks ago.
The company is working with the affected stores, and has made a complete list of compromised stores available to law enforcement agencies.
This is not the first time that Magento software has been flagged as a security risk recently. Back in May 2020, the FBI flagged (opens in new tab) that hackers were taking over online stores and stealing customers' payment card data by exploiting a three-year-old vulnerability in a Magento plugin.
Adding to the seriousness of the situation is the lack of PCI, or Payment Card Industry Data Security Standard compliance, which online traders need to be in line with.
Some payment providers have said they will no longer support merchants still on Magento 1, past EOL, however others have stated customers need to switch to Magento 2, meaning many retailers are still confused about the level of support they have.
- We've also highlighted the best antivirus (opens in new tab) software around
Via ZDNet (opens in new tab)