'Largest ever' Magecart hack compromises 2,000 online stores

The personal details of tens of thousands of customers were stolen from just one compromised Magento-powered site

Magecart hackers attacked 1,904 individual online stores running the out-of-date Magento 1 platform this weekend in an automated campaign said to be the largest spree that researchers have detected.

The cyber gang, which conventionally targets online e-commerce platforms to steal customer payment card information, infected ten stores on Friday 11 September, 1,058 sites on Saturday, 603 on Sunday and 233 on Monday, according to Sansec.

To illustrate the scale of the devastation, tens of thousands of customers have had their private information stolen from just one of the compromised stores, suggesting many more have been affected across the campaign as a whole.

Sansec researchers claim this is the largest single Magecart campaign recorded since the cyber security firm began monitoring in 2015. The previous record was 962 hacked stores in a single day in July 2019. Magecart was also the group that targeted British Airways, Ticketmaster and Newegg as part of a series of crippling hacks in 2018.

“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming,” the Sansec threat research team said. “Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.”

The web skimming campaign hit online stores using the Magento 1 e-commerce platform, which entered its end-of-life phase in June 2019 and was no longer supported with updates 12 months on.

Alarmingly, more than 95,000 sites still use Magento 1, according to the company, with customers advised to upgrade to the up-to-date Magento 2 e-commerce platform instead.

Many of the victimised stores have no history of security incidents, suggesting a new attack method was used to gain server access to all targeted platforms. Although Sansec is still investigating the method of infiltration, the firm suggests the attack may be related to a recent Magento 1 zero-day exploit that was put up for sale a few weeks ago.

The remote code execution (RCE) exploitation method, which included an instruction video, was purportedly put up for sale for $5,000. The alleged exploit would be far more potent now than ever given that Magento 1 is end-of-life, and its developer, Adobe, won’t be providing official patches to fix the bug. 

A forensic investigation of this particular attack on two compromised servers showed that hackers used these systems to interact with the Magento admin panel, and used the Magento Connect feature to download and install various files, including malware. The malware file was automatically deleted after the malicious code was injected.

There is a complete list of compromised sites, but Sansec has only made this available to law enforcement. 

Magecart has been very active over the previous few years, having gained notoriety for compromising online e-commerce platforms in order to skim customer payment information. 

Another incident saw Magecart hackers automate a process for compromising exposed domains hosted on misconfigured Amazon S3 buckets in July last year. The incident saw 17,000 domains targeted, with Magecart attempting to run scripts on sites to glean and steal payment information that can be sold on for profit.
