'Largest ever' Magecart hack compromises 2,000 online stores

The personal details of tens of thousands of customers were stolen from just one compromised Magento-powered site

Magecart hackers attacked 1,904 individual online stores running the out-of-date Magento 1 platform this weekend in an automated campaign that researchers say is the largest spree they have detected.

The cyber gang, which conventionally targets online e-commerce platforms to steal customer payment card information, infected ten stores on Friday 11 September, 1,058 sites on Saturday, 603 on Sunday and 233 on Monday, according to Sansec.

Tens of thousands of customers had their personal information stolen from just one of the compromised stores, which gives a sense of the scale; across all of the affected sites the number of victims is likely to be far higher.

Sansec researchers claim this represents the largest single Magecart campaign ever recorded since the cyber security firm began monitoring in 2015. The previous record was 962 hacked stores in a single day in July 2019. Magecart was also the group that targeted British Airways, Ticketmaster and Newegg as part of a series of crippling hacks in 2018.

“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming,” the Sansec threat research team said. “Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.”

The web skimming campaign hit online stores using the Magento 1 e-commerce platform, which entered its end-of-life phase in June 2019 and stopped receiving updates 12 months later.

Alarmingly, more than 95,000 sites still use Magento 1, according to the company, and customers are advised to upgrade to the current Magento 2 e-commerce platform instead.

Many of the victimised stores have no history of security incidents, suggesting a new attack method was used to gain server access to all targeted platforms. Although Sansec is still investigating the method of infiltration, the firm suggests the attack may be related to a Magento 1 zero-day exploit that was put up for sale a few weeks ago.

The remote code execution (RCE) exploitation method, which came with an instruction video, was purportedly put up for sale for $5,000. The alleged exploit would be far more potent now than before, given that Magento 1 is end-of-life and its developer, Adobe, will not be providing official patches to fix the bug.

A forensic investigation of the attack on two compromised servers showed that the hackers used these systems to interact with the Magento admin panel, and used the Magento Connect feature to download and install various files, including malware. The malware file was automatically deleted once the malicious code had been injected.

Sansec has compiled a complete list of the compromised sites, but has shared it only with law enforcement.

Magecart has been very active over the past few years, having gained notoriety for compromising online e-commerce platforms in order to skim customer payment information.

In another incident, in July last year, Magecart hackers automated the process of compromising exposed domains hosted on misconfigured Amazon S3 buckets. That campaign targeted 17,000 domains, with Magecart attempting to run scripts on the sites to skim payment information that could then be sold for profit.
