About 500 e-commerce websites were recently found to have been compromised by hackers who installed a credit card skimmer that secretly steals sensitive data when visitors try to make a purchase.
A report published Tuesday is just the latest involving Magecart, a generic term given to competing criminal groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been affected by exploits that cause them to execute malicious code. When visitors enter payment card details during a purchase, the code sends that information to servers controlled by an attacker.
Sansec, the security firm that discovered the latest batch of infections, said the compromised sites all loaded malicious scripts hosted on the naturalfreshmall[.]com domain.
“Natural Fresh skimmer displays fake payment popup, breaching security of (PCI compliant) hosted payment form,” company researchers wrote on Twitter. “Payments are sent to https://naturalfreshmall[.]com/payment/Payment.php.”
The hackers then modified existing files or placed new files that provided no fewer than 19 backdoors that the hackers could use to maintain control of the sites in case the malicious script was discovered and removed and the vulnerable software was updated. The only way to fully sanitize a site is to identify and remove backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.
Sansec is working with administrators of hacked sites to determine the common entry point used by attackers. The researchers eventually determined that the attackers combined an SQL injection exploit with a PHP object injection attack in a Magento plugin known as Quickview. The exploits allowed attackers to execute malicious code directly on the web server.
They achieved this code execution by abusing Quickview to add a validation rule to the customer_eav_attribute table and injecting a payload that tricked the host application into creating a malicious object. They then registered as a new user on the site.
“However, simply adding to the database will not execute the code,” the Sansec researchers explained. “Magento actually needs to deserialize the data. And this is the trick of this attack: by using the validation rules for new customers, the attacker can trigger deserialization by simply viewing the Magento registration page.”
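As an added, defender-side example (not Sansec's or Magento's code): a check that parses customer_eav_attribute.validate_rules values (assumed here to be the Magento 1 column holding PHP-serialized customer validation rules) and flags any row that smuggles a serialized object, since legitimate rules are plain arrays of scalars. The sample rows are constructed.

```python
def php_unserialize(data, pos=0):
    """Minimal unserialize() for i, s, a and O tokens -> (value, next_pos)."""
    t = data[pos]
    if t == 'i':
        end = data.index(';', pos)
        return int(data[pos + 2:end]), end + 1
    if t == 's':
        colon = data.index(':', pos + 2)
        start, n = colon + 2, int(data[pos + 2:colon])  # skip ':"'
        return data[start:start + n], start + n + 2      # skip '";'
    if t in 'aO':
        colon, cls = data.index(':', pos + 2), None
        if t == 'O':  # O:<len>:"<class>":<count>:{...}
            n = int(data[pos + 2:colon])
            cls = data[colon + 2:colon + 2 + n]
            pos, colon = colon + 4 + n, data.index(':', colon + 4 + n)
        else:         # a:<count>:{...}
            pos += 2
        count, pos, items = int(data[pos:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            items[key], pos = php_unserialize(data, pos)
        return ({'__php_object__': cls, 'props': items} if cls else items), pos + 1
    raise ValueError(f'unsupported token {t!r} at offset {pos}')
def embedded_objects(value, path='validate_rules'):
    """List every PHP object found anywhere inside a parsed value."""
    hits = []
    if isinstance(value, dict):
        if '__php_object__' in value:
            hits.append(f'{path}: object of class {value["__php_object__"]}')
            value = value['props']
        for k, v in value.items():
            hits.extend(embedded_objects(v, f'{path}[{k!r}]'))
    return hits
def audit_validate_rules(rows):
    """rows: (attribute_code, validate_rules) pairs -> {code: findings}."""
    findings = {}
    for code, rules in rows:
        try:
            parsed, _ = php_unserialize(rules) if rules else ({}, 0)
        except (ValueError, IndexError):
            findings[code] = ['validate_rules did not parse; inspect manually']
            continue
        if hits := embedded_objects(parsed):
            findings[code] = hits
    return findings
# Constructed rows (not real data) mimicking the assumed customer_eav_attribute
# table; the third row hides an object inside an otherwise normal rule array.
SAMPLE_ROWS = [
    ('firstname', 'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'),
    ('email', 'a:1:{s:16:"input_validation";s:5:"email";}'),
    ('lastname', 'a:1:{s:15:"max_text_length";O:13:"Planted_Class":1:{s:4:"data";s:9:"payload()";}}'),
]
```

Any row the audit reports should be treated as a possible backdoor and reviewed together with the file-level backdoors described above before the platform is upgraded.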
It’s not hard to find sites that remain infected more than a week after Sansec first reported the campaign on Twitter. At the time this post was published, Bedexpress[.]com continued to contain this HTML attribute that downloads JavaScript from the naturalfreshmall[.]com domain.
The hacked sites ran Magento 1, a version of the e-commerce platform that was retired in June 2020. The safer bet for any site still using this outdated package is to upgrade to the latest version of Adobe Commerce. Another option is to install open source patches available for Magento 1 using DIY software from the OpenMage project or with commercial support from Mage-One.
In general, it is difficult for people to detect payment card skimmers without special training. One option is to use anti-virus software such as Malwarebytes, which checks in real-time the JavaScript being served on a visited website. People may also want to avoid sites that appear to be using outdated software, although this is hardly a guarantee that the site is safe.
This story originally appeared on Ars Technica.