Notorious online credit card theft group Magecart has amassed a large number of previously unpublished security flaws in extensions to popular e-commerce platform Magento, and is using them to inject hidden credit card stealers on legitimate checkout pages.
That’s according to security consultant and malware hunter Willem de Groot, who has closely tracked the group – believed to be responsible for a wide range of attacks including the recent British Airways and Ticketmaster hacks.
Now he is calling for help to identity some of the vendors affected, based on extension URLs he has identified in the wild. (These include extensions to Magento that allow stores to manage discounts in bundles: with a 300,000-strong developer community, Magento offers plenty of customisations).
He told Computer Business Review: “These URLs are used by a hacker to find specific shop extensions, that are vulnerable to a specific attack. I want to inform all the affected vendors so they can release fixed versions, but I can’t identify all the vendors, just based on the URLs, so I’ve asked for help…”
— Willem de Groot (@gwillem) October 23, 2018
(Within hours infosec Twitter had come good and 13/20 were identified, with 4/20 confirmed fixed).
Magecart Attacks: The Modus Operandi
Here’s how the attacks work.
Willem de Groot said: “This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted.
In a detailed blog on the threat from Magecart attacks, he wrote: “While the extensions differ, the attack method is the same: PHP Object Injection (POI). This attack vector abuses PHP’s
He added: “[E-commerce platform] Magento replaced most of the vulnerable functions by
json_decode() in patch 8788, but many of its popular extensions did not.”
“It appears that attackers have amassed a large number of extensions and found numerous POI vulnerabilities. And they are now probing Magento stores in the wild for these extensions. I collected the following probes. If you are running any of them, you’d better disable them quickly and search your logs for unauthorized activity.”
For the list of probes, see here.