Foregenix

Over the past couple of days a large number of Magento 1 websites (and smaller numbers of Magento 2, OpenMage, ASP.NET and PHP sites) have been observed to be infected with a previously unknown card data skimmer. This is one of the largest campaigns in recent times: we have identified more than 4,400 infected websites so far, and the count is still rising. The malware uses a key-logging approach to capture card data from the websites’ checkout pages and sends that data back to infrastructure under the attacker’s control.

How are eCommerce websites getting infected?

The vulnerability being exploited to infect these sites has not yet been determined, but it is believed to be a novel exploit (0-day) in the Magento 1 platform that leverages the Magento Connect Downloader capability. The attackers use the exploit to upload a webshell to the target website, at which point they have full control over the site’s source code and database. They use this access to inject a small JavaScript loader into one of the site’s JavaScript files, usually prototype.js. This is a common technique and a common target, because that file is loaded on every page; however, the injected script only loads the full malware when the user is on the checkout page.

When on the checkout page, the full malware is loaded from a domain that appears to pose as a Content Delivery Network (CDN) for the ManyChat service. Based on the domain registration records (the domain was registered on September 10th 2020), the domain used in the attack is not affiliated with ManyChat; it is a red herring intended to make the domain seem less suspicious.


Where are the attacks coming from?

Foregenix became aware of a similar domain (mcdnn[.]me) being used to host malware in late June 2020. Like the domain used in this attack (mcdnn[.]net), it is registered with a Russian registrar and points to a server in the same subnet (83.166.245.X), which is also hosted in Russia. It appears that the attackers switched to a new Top Level Domain (TLD) in this attack to avoid the detections they had previously triggered.

There are reports of the attackers making minor modifications to infected sites once they have a foothold, which may prevent others from exploiting the same vulnerability. The exploit being used is thought to have come from a Russian hacking forum, where a user is advertising an exploit that matches the fingerprint of these attacks. In their posting they state that they will sell the exploit to a maximum of 10 people, although from what we have seen so far that limit may have no bearing whatsoever on the number of impacted sites.


What is Foregenix doing to help their customers?

Here at Foregenix, we’re actively assessing the situation and gathering intelligence on the prevalence and nature of the attack. We’ve updated our systems to detect the presence of this malware variant on any of our clients’ websites and implemented a number of additional firewall rules based on the access patterns observed on sites that have been breached.

There are two IP addresses associated with the first wave of attacks, and we did observe activity from these addresses attempting to access client websites. These IP addresses have been blocked by the WAF and were unsuccessful in running their exploit against our clients. This is a positive indicator that the rules in place are sufficient to protect clients from this attack.


We’re pleased to say that none of our FGX-Web customers have been impacted by this malware.


I’m not a customer - how can a website scanner help me?

Part of the attack seems to require knowledge of the location of the Magento Admin panel. We recommend that clients restrict access to their admin panel as much as possible, preferably by allowing only a limited set of source IP addresses. Also, where possible, the admin panel should be served from a custom location that is as obscure as possible.

Another suggestion is to remove the /downloader/ directory from the website. If Magento Connect is absolutely essential, we recommend moving the directory elsewhere and only putting it back when needed.
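As an added example (not Foregenix’s tooling), the following audit script checks for the two things described above: whether prototype.js has changed from a clean baseline or references the attacker domains and subnet named in this post, and whether the /downloader/ directory is still present. The Magento file paths and the baseline hash are assumptions for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up above: the two loader domains and the
# hosting subnet. Paths and baseline hashes below are constructed for the demo.
IOC_PATTERNS = [re.compile(r"mcdnn\.(?:net|me)", re.I),
                re.compile(r"83\.166\.245\.\d{1,3}")]
WATCHED_JS = ["js/prototype/prototype.js"]   # file the loader is injected into
DOWNLOADER_DIR = "downloader"                # Magento Connect directory

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def scan_js(path):
    """Return every indicator string found in a JavaScript file."""
    text = Path(path).read_text(errors="replace")
    return [m.group(0) for p in IOC_PATTERNS for m in p.finditer(text)]

def audit(docroot, baseline):
    """baseline maps relative JS paths to known-good SHA-256 hashes taken
    from a clean install. Returns a list of (severity, message) findings."""
    root, findings = Path(docroot), []
    for rel in WATCHED_JS:
        p = root / rel
        if not p.is_file():
            continue
        if rel in baseline and sha256_of(p) != baseline[rel]:
            findings.append(("HIGH", f"{rel}: hash differs from baseline"))
        for hit in scan_js(p):
            findings.append(("CRITICAL", f"{rel}: references indicator {hit}"))
    if (root / DOWNLOADER_DIR).is_dir():
        findings.append(("MEDIUM", f"{DOWNLOADER_DIR}/ present; remove or relocate it"))
    return findings

def demo():
    """Build a throwaway, constructed Magento-like tree: a clean prototype.js
    is hashed as the baseline, then modified to reference the loader domain."""
    root = Path(tempfile.mkdtemp())
    js = root / "js" / "prototype"
    js.mkdir(parents=True)
    clean = "var Prototype = { Version: '1.7' };\n"
    (js / "prototype.js").write_text(clean)
    baseline = {WATCHED_JS[0]: sha256_of(js / "prototype.js")}
    # Stand-in for the injected loader; constructed, not the real malware.
    (js / "prototype.js").write_text(clean + "var cdn = 'https://mcdnn.net/';\n")
    (root / DOWNLOADER_DIR).mkdir()
    return audit(root, baseline)
```

Run `demo()` to see the three findings the constructed tree produces; in practice, point `audit()` at the real document root with a baseline captured from a known-clean copy of the same Magento version.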

Furthermore, our ThreatView Community edition is available for free to help you identify whether your business may have been caught up in this attack. It takes 2 minutes to create an account and start monitoring your site, and it’s a free community resource with the latest threat detection capability available.


----Update 17 September 2020----


Over the last couple of days we've identified situations in which website visitors are being served malicious JavaScript files even after the website owner has removed the malware from their site.

This is happening because of the use of caching services such as Cloudflare, Fastly or CloudFront, which store static resources such as JavaScript files on their servers so that they can be served to clients more quickly.

It is essential that any website using a caching or CDN service clears the caches associated with its account after removing the malware. If this is not done, it could be many hours or even days before website visitors stop being served the infected files cached by these services.

This also applies to internal caching services such as Varnish, which may also need their caches purged following removal of the malware.


----Update 6 October 2020----

We've continued to monitor the situation across our Magento dataset. The good news is that there has been a solid industry response to the breach, which has reduced the number of breached sites in this attack to just over 3,000.

At this point, those 3,000 sites have had more than 3 weeks of payment data stolen, and the liabilities will be building for them.

Help is available for free: FGX-Web Alert is free for 3 months.
