'Largest ever' Magecart hack compromises 2,000 online stores

The personal details of tens of thousands of customers were stolen from just one compromised Magento-powered site

Magecart hackers attacked 1,904 individual online stores supported with the out-of-date Magento 1 platform this weekend in an automated campaign said to be the largest spree that researchers have detected.

The cyber gang, which conventionally targets online e-commerce platforms to steal customer payment card information, infected ten stores on Friday 11 September, 1,058 sites on Saturday, 603 on Sunday and 233 on Monday, according to Sansec.

To illustrate the scale of the devastation caused, tens of thousands of customers have had their private information stolen from just one of the compromised stores, suggesting many more have been affected when looking at the bigger picture.

Sansec researchers claim this represents the largest single Magecart campaign ever recorded since the cyber security firm began monitoring in 2015. The previous record was 962 hacked stores in a single day in July 2019. Magecart was also the group that targeted British Airways, Ticketmaster and Newegg as part of a series of crippling hacks in 2018.

“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming,” the Sansec threat research team said. “Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.

The web skimming campaign hit online stores using the Magento 1 e-commerce platform, which entered its end-of-life phase in June 2019 - and was no longer supported with updates 12 months on. 

Alarmingly, more than 95,000 sites still use Magento 1, according to the company, with customers advised to upgrade to the up-to-date Magento 2 e-commerce platform instead.

Many of the victimised stores have no history of security incidents, suggesting a new attack method was used to gain server access to all targeted platforms. Although Sansec is still investigating the method of infiltration, the firm suggests the attack may be related with a recent Magento 1 zero-day exploit that was put up for sale a few weeks ago.

The remote code execution (RCE) exploitation method, which included an instruction video, was purportedly put up for sale for $5,000. The alleged exploit would be far more potent now than ever given that Magento 1 is end-of-life, and its developer, Adobe, won’t be providing official patches to fix the bug. 

A forensic investigation of this particular attack on two compromised servers showed that hackers used these systems to interact with the Magento admin panel, and used the Magento Connect feature to download and install various files, including malware. The malware file was automatically deleted after the malicious code was injected.

There is a complete list of compromised sites, but Sansec has only made this available to law enforcement. 

Magecart has been very active over the previous few years, having gained notoriety for compromising online e-commerce platforms in order to skim customer payment information. 

Another incident saw Magecart hackers automate a process for compromising exposed domains hosted on misconfigured Amazon S3 buckets in July last year. The incident saw 17,000 domains targeted, with Magecart attempting to run scripts on sites to glean and steal payment information that can be sold on for profit.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Bridging the DevSecOps divide: Spotlight on key relationships
Whitepaper

Bridging the DevSecOps divide: Spotlight on key relationships

3 Dec 2021
Planned Parenthood cyber attack exposes data of 400,000 patients
cyber attacks

Planned Parenthood cyber attack exposes data of 400,000 patients

3 Dec 2021
Bridging the DevSecOps divide: Spotlight on zero trust
Whitepaper

Bridging the DevSecOps divide: Spotlight on zero trust

3 Dec 2021
Bridging the developer and security divide
Whitepaper

Bridging the developer and security divide

3 Dec 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
What is single sign-on (SSO)?
single sign-on (SSO)

What is single sign-on (SSO)?

2 Dec 2021