E-Commerce Sites Compromised with Crypto-Miner Malware

Hackers have used brute-force attacks to gain access to hundreds of e-commerce sites and install malware that scrapes credit card details and drops cryptocurrency mining software. Researchers at threat intelligence company Flashpoint revealed in a blog post that they were aware of the compromise of at least 1000 sites, mainly in the Education and Healthcare industries. Attacks were largely centered on the U.S. and Europe.

The attackers targeted the popular open-source Magento platform used to run the sites, breaking into admin panels that had been left with common or known default credentials. While the fault lies with careless admins who failed to set secure credentials on their newly installed platforms, Flashpoint also noted that the attackers “have demonstrated continued interest in other popular ecommerce-processing content management systems such as Powerfront CMS and OpenCart.”

Flashpoint’s analysts say:

“Once the attacker has control of the site’s Magento content management system (CMS) admin panel, they have unfettered access to the site and the ability to add any script they choose. In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.”

Flashpoint noted that the attackers updated their malicious files “daily” in order to evade both signature-based and behavior-based detection.

Successfully compromised sites served visitors an exploit disguised as a fake Flash Player update. If the user is fooled by the update and elects to launch it, the exploit runs malicious JavaScript that downloads malware (such as the AZORult data-stealer) onto the user’s computer from attacker-controlled servers on GitHub. A chain reaction then starts as that malware downloads more malware, in this instance (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Cylance Research and Intelligence Team. Read the original post at: Cylance Blog