MagentoCore Payment Card Data Stealer Uncovered on 7,339 Magento-based Websites

September 03, 2018

Security researcher Willem de Groot uncovered a hacking campaign that has so far affected more than 7,339 websites running on the Magento e-commerce platform. The attacks involve injecting MagentoCore (detected by Trend Micro as JS_MAGENTOSKIMMER.A), a malicious payment card data-stealing script, into the affected websites.

What is MagentoCore, and how does it work?

de Groot noted that the hacking campaign entails hijacking the control panel of Magento websites, often through brute-force techniques (successively trying combinations of credentials). Upon successfully gaining access to the content management system (CMS), hackers modify the website by embedding MagentoCore in its webpages. MagentoCore is designed to record keystrokes that it sends to its command-and-control (C&C) server in real time. MagentoCore also searches for similar malware in the affected website and deletes them, and modifies the password of usernames in the website.

[RELATED NEWS: Magento-Based Websites Hacked to Steal Credit Card Data and Install Cryptocurrency-Mining Malware]

What has been MagentoCore’s impact so far?

Based on de Groot’s scans, around 50 to 60 new Magento stores are being compromised per day, and that the affected businesses include multinationals. A PublicWWW search also reveals that, as of this writing, there are 5,214 web pages containing MagentoCore. de Groot notes that MagentoCore affects  at least 4.2 percent of Magento-based websites worldwide.

Given MagentoCore’s capabilities, its adverse impact is not limited to information theft. MagentoCore, for instance, drops a backdoor to auto-update as well as retrieve and run malicious code, then cover its tracks by deleting itself.

[InfoSec Guide: The most prevalent web injection techniques hackers use to compromise websites]

Is MagentoCore related to other cybercriminal campaigns?

de Groot and other security researchers said that these attacks are part of a larger cybercriminal campaign operated by the MageCart group that has reportedly been active as far back as 2015. MagentoCore and its C&C server as well as the tactics used were linked to different groups working under MageCart. Last July, researchers traced the data breach of U.K.-based Ticketmaster to MageCart. The hackers hijacked the third-party components integrated into Ticketmaster’s websites and modified them with credit card-skimming code. de Groot said MageCart also targets the WooCommerce e-commerce plugin in Wordpress.

[INFOGRAPHIC: How DevOps and security teams can align with data protection by design and default]

How to defend against MagentoCore

MagentoCore exemplifies the significance of security by design: safeguarding the underlying infrastructures and components used to run websites or applications. This is especially true for businesses adopting DevOps, where the need to deploy software as fast as possible precedes security. While enriching user and customer experience helps bring in more business — and keeping the website, software, or application up and running — security shouldn’t be afterthought. For DevOps teams, this means security as code: baking security early into the development process to avoid unnecessary work, significantly reduce disruptions, and address gaps faster.

[READ: How Enterprises can Incorporate Security into the DevOps Pipeline]

For DevOps teams and website, IT, and system administrators, here are some best practices for defending against threats such as MagentoCore:

  • Secure all possible entry points: Regularly patch and disable or restrict the use of third-party plugins or other components that hackers can compromise to gain a foothold into the application or website. Employ defense in depth through security mechanisms such as authentication and encryption frameworks, which helps against brute-force attacks and mitigates the risks of exposed data.
  • Implement security hygiene: Update and strengthen credentials to deter brute-force attacks and similar techniques and regularly conduct tests on the websites to identify vulnerabilities or misconfigurations in the website or application. MagentoCore, for instance, can be embedded stealthily on webpage’s footer or header and set it in a way that’s seemingly hidden, which is why it’s important to have security capabilities that can automatically scan for these threats.
  • Keep an eye on the application or website beyond its deployment: Actively monitor them for red flags, such as unauthorized access or modification and anomalous network activities. For instance, many point-of-sale (PoS) malware or similar payment card-scraping threats employ techniques that allow it to stay hidden within a system, software, or script and only make its presence known through signs like outbound network traffic to a C&C server. It’s thus important to have visibility into a website or application’s infrastructure and proactively monitor them.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.