'Largest ever' Magecart hack compromises 2,000 online stores

The personal details of tens of thousands of customers were stolen from just one compromised Magento-powered site

Magecart hackers attacked 1,904 individual online stores running the out-of-date Magento 1 platform this weekend in an automated campaign that researchers describe as the largest spree they have ever detected.

The cyber gang, which conventionally targets online e-commerce platforms to steal customer payment card information, infected ten stores on Friday 11 September, 1,058 sites on Saturday, 603 on Sunday and 233 on Monday, according to Sansec.

To illustrate the scale of the damage, tens of thousands of customers have had their private information stolen from just one of the compromised stores, suggesting the total across all 1,904 affected sites is far higher.

Sansec researchers claim this represents the largest single Magecart campaign ever recorded since the cyber security firm began monitoring in 2015. The previous record was 962 hacked stores in a single day in July 2019. Magecart was also the group that targeted British Airways, Ticketmaster and Newegg as part of a series of crippling hacks in 2018.

“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming,” the Sansec threat research team said. “Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.”

The web skimming campaign hit online stores using the Magento 1 e-commerce platform, which entered its end-of-life phase in June 2019 and stopped receiving updates 12 months later.

Alarmingly, more than 95,000 sites still use Magento 1, according to the company, with customers advised to upgrade to the up-to-date Magento 2 e-commerce platform instead.

Many of the victimised stores have no history of security incidents, suggesting a new attack method was used to gain server access to all targeted platforms. Although Sansec is still investigating the method of infiltration, the firm suggests the attack may be related to a Magento 1 zero-day exploit that was put up for sale a few weeks ago.

The remote code execution (RCE) exploit, which came with an instruction video, was purportedly offered for sale for $5,000. Such an exploit is far more dangerous now that Magento 1 is end-of-life, because its developer, Adobe, will not be providing official patches for the bug.

A forensic investigation of two compromised servers from this attack showed that the hackers used these systems to interact with the Magento admin panel, and used the Magento Connect feature to download and install various files, including malware. The malware file was automatically deleted after the malicious code had been injected.

There is a complete list of compromised sites, but Sansec has only made this available to law enforcement. 

Magecart has been very active over the past few years, having gained notoriety for compromising e-commerce platforms in order to skim customer payment information.

In another incident in July last year, Magecart hackers automated the compromise of exposed domains hosted on misconfigured Amazon S3 buckets. That campaign targeted 17,000 domains, with Magecart attempting to run scripts on the affected sites to skim payment information that could then be sold on for profit.
