Thousands of Magento Sites Infected with Card Skimming Code

Over the past six months, a group of hackers has managed to break into more than 7,000 Magento-based online shops and infected them with malicious code that steals payment card information from customers.

According to security consultant Willem de Groot, who has been tracking the hacks, the malicious JavaScript code injected into websites captures and sends users’ keystrokes in real-time to a domain called, registered in Moscow.

“The group has turned 7,339 individual stores into zombie money machines, to the benefit of their illustrious masters,” de Groot said in a blog post. “The average recovery time is a few weeks, but at least 1,450 stores have hosted the parasite during the full past 6 months.”

According to the researcher’s own scans, the group has managed to compromise an average of 50 to 60 new stores per day over the past two weeks and primarily uses brute-force password guessing attacks that can sometimes go on for months.

Administrative accounts with weak or reused passwords that have been compromised in other breaches are a particularly big security risk for websites. In fact, once the MagentoCore malware is installed on a website it will periodically change the passwords for a number of predefined admin usernames to a hardcoded value. This will allow hackers to break in again if the malware gets cleaned, but admin passwords haven’t been reset.

The malware also has another recovery mechanism in the form of a backdoor installed in the site’s cron.php, a scheduled task mechanism. This backdoor redownloads and executes an infection script periodically and, as part of the infection chain, MagentoCore searches for and removes other malicious code from competing cybercriminal groups.

Administrators can check if their sites have been infected with MagentoCore by using the open source Magento Malware Scanner that was developed by de Groot and is also recommended by the Magento security team.

According to the researcher, if an infection is found, admins should determine how attackers gained unauthorized access in the first place by analyzing backend access logs and correlating them with the IP addresses and working hours of the site’s staff. Once the infection vectors have been identified, they should all be closed at the same time.

The site should then be cleaned, preferably by restoring it from a clean copy, and basic security policies such as regular patching and strong password requirements should be implemented.

MagentoCore’s victim list “contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit,” de Groot said. “But the real victims are eventually the customers, who have their card and identity stolen.”

Cryptominers Among Top 3 Malware Types Downloaded by Botnets

Cryptominers have overtaken ransomware in terms of popularity among cybercriminal groups and are now the third most common type of malware downloaded by botnets.

Botnets are built to be very versatile because their creators use them to offer paid services to other cybercriminals. In addition to sending spam emails and launching DDoS attacks, botnets often are used to infect computers with additional malware programs as part of pay-per-install schemes.

Over the past year, researchers from Kaspersky Lab have tracked file download commands received by around 150 botnet families from 60,000 command-and-control centers and determined that botnets downloaded more than 30,000 unique malicious files.

The researchers cataloged those files by malware type and set out to observe differences in download trends between the last half of 2017 and the first half of this year. Among the most striking one was a spike in the distribution of cryptocurrency mining programs, which rose to 4.6 percent in H1 2018 from 2.9 percent in H2 2017.

Among the top three malware downloading botnets, cryptominers were the third-most downloaded type of malware after backdoors/RATs and Trojans. The backdoor Njrat was actually the most commonly downloaded unique piece of malware during H1 2018, rising from third place in H2 2017.

This is not unexpected, since Njrat comes in a variety of versions, is easy to obtain and can be easily set up, meaning it has a low entry threshold for cybercriminals.

“Backdoors consistently make up the bulk of downloads; that is, botnet operators are keen to gain maximum possible control over infected devices,” the Kaspersky researchers said in its report. Meanwhile, the share of miners in bot-distributed files is also increasing, “as cybercriminals have begun to view botnets as a tool for mining cryptocurrency.”

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin

2 thoughts on “Thousands of Magento Sites Infected with Card Skimming Code

Comments are closed.