About 500 e-commerce websites were recently found to be compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase.
A report published on Tuesday is only the latest one involving Magecart, an umbrella term given to competing crime groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that cause them to run malicious code. When visitors enter payment card details during purchase, the code sends them to attacker-controlled servers.
Fraud courtesy of Naturalfreshmall[.]com
Sansec, the security firm that discovered the latest batch of infections, said the compromised sites were all loading malicious scripts hosted at the domain naturalfreshmall[.]com.
“The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form,” firm researchers wrote on Twitter. “Payments are sent to https://naturalfreshmall[.]com/payment/Payment.php.”
The hackers then modified existing files or planted new files that provided no fewer than 19 backdoors that the hackers could use to retain control over the sites in the event the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect the site is to identify and remove the backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.
Sansec worked with the admins of hacked sites to determine the common entry point used by the attackers. The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plugin known as Quickview. The exploits allowed the attackers to execute malicious code directly on the web server.
They accomplished this code execution by abusing Quickview to add a validation rule to the
customer_eav_attribute table and injecting a payload that tricked the host application into crafting a malicious object. Then, they signed up as a new user on the site.
“However, just adding it to the database will not run the code,” Sansec researchers explained. “Magento actually needs to unserialize the data. And there is the cleverness of this attack: by using the validation rules for new customers, the attacker can trigger an unserialize by simply browsing the Magento sign up page.”
The hacked sites were running Magento 1, a version of the e-commerce platform that was retired in June 2020. The safer bet for any site still using this deprecated package is to upgrade to the latest version of Adobe Commerce. Another option is to install open source patches available for Magento 1 using either DIY software from the OpenMage project or with commercial support from Mage-One.