Hundreds of e-commerce sites trapped by payment card skimming malware

About 500 e-commerce websites were recently compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase.

A report released on Tuesday is just the latest regarding Magecart, an umbrella term given to competing criminal groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that caused them to run malicious code. When visitors enter payment card details during purchase, the code sends them to servers controlled by the attacker.

Fraud courtesy of Naturalfreshmall[.]com

Sansec, the security firm that uncovered the latest batch of infections, said the compromised sites all loaded malicious scripts hosted on the naturalfreshmall[.]com domain.

“The Natural Fresh skimmer displays a fake payment window, defeating the security of a hosted (PCI compliant) payment form,” researchers at the firm wrote on Twitter. “Payments are sent to https://naturalfreshmall[.]com/payment/Payment.php.”

The hackers then modified existing files or planted new files, which provided no less than 19 backdoors that the hackers could use to retain control of the sites in case the malicious script was detected and removed and the vulnerable software was updated. The only way to completely sanitize a site is to identify and remove the backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.

Sansec worked with the administrators of the hacked sites to determine the common entry point used by the attackers. Researchers eventually determined that the attackers were combining an SQL injection exploit with a PHP object injection attack in a Magento plugin called Quickview. The exploits allowed attackers to execute malicious code directly on the web server.

They accomplished this code execution by abusing Quickview to add a validation rule to the customer_eav_attribute table and injecting a payload that tricked the host application into creating a malicious object. Then they registered as a new user on the site.

“However, simply adding it to the database will not run the code,” explained the Sansec researchers. “Magento actually needs to deserialize the data. And there is the ingenuity of this attack: using new customer validation rules, the attacker can trigger deserialization by simply browsing the Magento registration page.”

It’s not hard to find sites that remain infected more than a week after Sansec first reported the campaign on Twitter. At the time this post went online, Bedexpress[.]com still contained this HTML attribute, which loads JavaScript from the rogue naturalfreshmall[.]com domain.
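As an added defensive check that is not part of the Sansec report or of Magento itself: the script below flags customer_eav_attribute rows whose validate_rules embed a serialized PHP object (the storage the deserialization trick above relies on) and lists page URLs that reference the skimmer host named in the report. The sample rows, the class name Example_Gadget_Class and the script path are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Indicator taken from the report above, kept defanged and refanged for matching.
SKIMMER_DOMAIN = "naturalfreshmall[.]com".replace("[.]", ".")

# Magento 1 stores customer_eav_attribute.validate_rules as a serialized PHP
# *array* ("a:..."). A serialized PHP *object* ('O:<len>:"<Class>":<n>:{') has no
# business in that column and is the marker of an injected gadget.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{])O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

# Any absolute URL inside an HTML attribute or inline script.
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def suspicious_validate_rules(rows):
    """Return attribute codes whose validate_rules embed a serialized PHP object.

    rows: iterable of (attribute_code, validate_rules) as read from the
    customer_eav_attribute table; validate_rules may be None.
    """
    return [code for code, rules in rows if rules and PHP_OBJECT_RE.search(rules)]


def skimmer_references(html, domain=SKIMMER_DOMAIN):
    """Return every URL in the page that points at the skimmer domain or a subdomain."""
    hits = []
    for url in URL_RE.findall(html):
        host = urlparse(url).netloc.lower()
        if host == domain or host.endswith("." + domain):
            hits.append(url)
    return hits


# Constructed sample data; the class name and script path are placeholders.
SAMPLE_ROWS = [
    ("firstname", 'a:1:{s:15:"max_text_length";i:255;}'),  # normal Magento 1 rule
    ("lastname", None),                                     # attribute without rules
    ("dob", 'a:1:{s:8:"injected";O:20:"Example_Gadget_Class":1:{s:4:"prop";s:3:"foo";}}'),
]

SAMPLE_HTML = """
<script type="text/javascript" src="https://cdn.example.com/js/lib.js"></script>
<script type="text/javascript" src="https://naturalfreshmall.com/PLACEHOLDER-PATH/skimmer.js"></script>
"""

if __name__ == "__main__":
    print("attributes carrying serialized objects:", suspicious_validate_rules(SAMPLE_ROWS))
    print("references to the skimmer host:", skimmer_references(SAMPLE_HTML))
```

Run it against a dump of the real table and a saved copy of the checkout page; a hit in either function is a reason to look for the 19 backdoors before patching.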

The hacked sites were running Magento 1, a version of the e-commerce platform that was retired in June 2020. The safest bet for any site still using this outdated package is to upgrade to the latest version of Adobe Commerce. Another option is to install the available open source patches for Magento 1 using DIY software from the OpenMage project or with commercial support from Mage-One.

It is generally difficult for people to detect payment card skimmers without special training. One option is to use anti-virus software such as Malwarebytes, which examines the JavaScript served on a visited website in real time. People may also want to avoid sites that appear to use outdated software, although this is hardly a guarantee that the site is safe.
