Unpatched Magento Stores hacked to mine Monero and steal card details

More than 1000 Magento sites hacked to leak credit card details and infect visitors' PCs with malware

An open-source e-commerce platform became a target for hackers, Flashpoint reported.^[1] The platform written in PHP^[2] with increasing popularity among e-commerce websites since 2008 came under the spotlight of hackers in 2016. Cybersecurity experts reported early this week that cybercriminals eventually managed to crack the platform down and infect approximately 1,000 Magento platform based stores located in UE and US.

Hackers managed to gain control over Magento administration panels (CSM) Using brute-force attack. Crooks exploited an automated software and generated a large number of consecutive guesses to enter Magento panels. Upon successful infiltration, multiple malicious script codes were injected into Magento core files thus gaining access to credit card details and installing crypto-currency miners.^[3]

Admins are to blame for the success of brute-force attacks

Magento stores' hack might not take place if admins would have changed the credentials, Flashpoint researchers claim:

Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.

The hack can be easily initiated when the admins rely on conventional and publicly known Magento credentials. Thus, running an automated software that initiates multiple guesses allows the hacker to access the platform without authorization.

Magento hack could have easily be prevented by a change of credentials initiated immediately after the installation of the platform.

The attack has been initiated in phases

Flashpoint indicated three stages being commenced once the attacker gained access to the platform:

1. Execution of malicious code in Magento core files;
2. Deployment of crypto hijacking scripts;
3. Corruption of Magento stores.

These are the phases that hackers initiated in tandem. First of all, they injected malicious scripts, known as AZORult card scraper, into Magento CSM panel's core files, thus gaining access to payment card information and check out processes.
Upon success, AZORult^[4] runs another malicious script, which attacked Magento stores' visitors with Rarog^[5] Monero cryptocurrency miner.

The ultimate move carried out by crooks was to corrupt Magento sites, so that they initiate web browser's redirects to fake websites. According to researchers, these sites contain a fake Adobe Flash Player update infected with malicious JavaScript.

Criminals gathered information from Deep & Dark Web forums

Experts say that an increased interest in Magento platform has been spotted in 2016 when multiple threads appeared on Deep & Dark Web forums.

The same data collection strategy on Deep & Dark Web has been noticed towards Powerfront CMS and OpenCart platforms. Thus, experts from multiple sources shared a warning about possible hacks similar to Magento.

Admins are urged to pay attention to the credentials of their platforms.^[6] Owners of online stores should prioritize account password's security and install all security updates asap.That's because of not only the owner experiences damage and losses but the customers as well.