Over the past couple of days a large number of Magento 1 websites (and smaller numbers of Magento 2, OpenMage, ASP.net and PHP sites) have been observed as being infected with a previously unknown card data skimmer. This has been one of the largest campaigns in recent times, we have identified more than 4,400 infected websites (and counting). The malware uses a key logging approach to extract card data from the websites’ checkout pages and sends that data back to an infrastructure under the control of the attacker.
How are eCommerce websites getting infected?
When on the checkout page, the full malware is loaded from a domain which appears to be posing as a Content Delivery Network (CDN) for the service ManyChat. Based on the domain registration records (the domain was registered on September 10th 2020) it appears that the domain used in the attack is in fact not affiliated with ManyChat, but meant as a red herring to make the domain seem less suspicious.
Where are the attacks coming from?
Foregenix became aware of a similar domain (mcdnn[.]me) being used to host malware in late June 2020. Similarly to the domain used in this attack (mcdnn[.]net), it is registered with a Russian registrar and points to a server in the same subnet (83.166.245.X) which is also hosted in Russia. It appears that the attackers switched to a new Top Level Domain (TLD) in this attack to avoid detections they had triggered previously.
There are reports of the attackers making minor modifications to infected sites once they have a foothold, which may prevent others from exploiting the same vulnerability. It is thought that the exploit being used may have come from a Russian hacking forum where a user is advertising an exploit that matches the fingerprint of these attacks. In their posting they have stated they will sell this exploit to a maximum of 10 people, although from what we have seen so far that potential limitation may have no significance to the number of impacted sites whatsoever.
What is Foregenix doing to help their customers?
Here, at Foregenix, we’re actively assessing the situation and gathering intelligence on the prevalence and nature of the attack. We’ve updated our systems to detect the presence of this malware variant on any of our clients websites and implemented a number of additional firewall rules based on the access patterns observed on sites that have been breached.
There are two IP addresses which are associated with the first wave of attacks and we did observe activity from these addresses attempting to access client websites. These IP addresses have been blocked by the WAF and were also unsuccessful in running their exploit against our clients. This is a positive indicator that the rules in place are sufficient to protect clients from this attack.
We’re pleased to say that none of our FGX-Web customers have been impacted by this malware.
I’m not a customer - how can you help me?
Part of the attack seems to require knowledge of the location of the Magento Admin panel. We recommend that clients limit access to their admin panel as much as possible, preferably based on restricted IP source address. Also, where possible, the admin panel should be set to run under a custom location which is as obscure as possible.
Another suggestion is to remove the /downloader/ directory from the website. If Magento Connect is absolutely essential, we recommend moving the directory elsewhere and only putting it back when needed.
Furthermore, we’re offering 3 months of FGX-Web Alert for free, so we can help you clean up your website. This is a no obligation offer and you can cancel at any time.
Please email firstname.lastname@example.org or use the chat feature on our website, and one of our team members will help you set up FGX-Web in less than 5 minutes. Get your website secure and peace of mind. We’re here to help.
----Update 17 September 2020----
It is essential that any website using a caching or CDN service for their website clear the caches associated with their account after removing the malware. If this is not done it could be many hours or even days before website visitors stop being served the infected files cached by these services.
This also applies to the use of internal caching services such as Varnish which may also need their caches purged following removal of the malware.
----Update 6 October 2020----
We've continued to monitor the situation across our Magento dataset - the good news is that there has been a solid industry response to the breach, which has reduced the number of breached sites in this attack to just over 3,000 sites.
At this point, those 3,000 sites have had more than 3 weeks of payment data stolen and the liabilities will be building for them.
Help is available - for free - at FGX-Web Alert for free for 3 months.