'Largest ever' Magecart hack compromises 2,000 online stores

A photo of a person holding a bank card in one hand and their phone in the other, sitting at a laptop and making a purchase online
(Image credit: Shutterstock)

Magecart hackers attacked 1,904 individual online stores supported with the out-of-date Magento 1 platform this weekend in an automated campaign said to be the largest spree that researchers have detected.

The cyber gang, which conventionally targets online e-commerce platforms to steal customer payment card information, infected ten stores on Friday 11 September, 1,058 sites on Saturday, 603 on Sunday and 233 on Monday, according to Sansec.

To illustrate the scale of the devastation caused, tens of thousands of customers have had their private information stolen from just one of the compromised stores, suggesting many more have been affected when looking at the bigger picture.

Sansec researchers claim this represents the largest single Magecart campaign ever recorded since the cyber security firm began monitoring in 2015. The previous record was 962 hacked stores in a single day in July 2019. Magecart was also the group that targeted British Airways, Ticketmaster and Newegg as part of a series of crippling hacks in 2018.

“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming,” the Sansec threat research team said. “Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.

The web skimming campaign hit online stores using the Magento 1 e-commerce platform, which entered its end-of-life phase in June 2019 - and was no longer supported with updates 12 months on.

Alarmingly, more than 95,000 sites still use Magento 1, according to the company, with customers advised to upgrade to the up-to-date Magento 2 e-commerce platform instead.

Many of the victimised stores have no history of security incidents, suggesting a new attack method was used to gain server access to all targeted platforms. Although Sansec is still investigating the method of infiltration, the firm suggests the attack may be related with a recent Magento 1 zero-day exploit that was put up for sale a few weeks ago.

The remote code execution (RCE) exploitation method, which included an instruction video, was purportedly put up for sale for $5,000. The alleged exploit would be far more potent now than ever given that Magento 1 is end-of-life, and its developer, Adobe, won’t be providing official patches to fix the bug.

A forensic investigation of this particular attack on two compromised servers showed that hackers used these systems to interact with the Magento admin panel, and used the Magento Connect feature to download and install various files, including malware. The malware file was automatically deleted after the malicious code was injected.

There is a complete list of compromised sites, but Sansec has only made this available to law enforcement.

Magecart has been very active over the previous few years, having gained notoriety for compromising online e-commerce platforms in order to skim customer payment information.

Another incident saw Magecart hackers automate a process for compromising exposed domains hosted on misconfigured Amazon S3 buckets in July last year. The incident saw 17,000 domains targeted, with Magecart attempting to run scripts on sites to glean and steal payment information that can be sold on for profit.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.