Magento Sites Attacked by Hackers to Deliver Malware


Security researchers at Flashpoint say hackers have attacked over 1,000 Magento websites and planted malware to retrieve credit card details.

E-commerce websites are often targeted by hackers because of the huge number of transactions happening in their platforms.

In the most recent hacking incident, security analysts have confirmed that a group of hackers has targeted the open-source platform Magento, which is used by thousands of websites around the globe.

The analysts confirmed that the hackers are using brute-force attack techniques to crack the passwords protecting these e-commerce websites and gain access to the credit card information stored within.

The idea is to force their way into the admin panels so that they can instantly download all the financial information stored in the system, but the attack doesn’t stop there as they also inserted malware into the servers to mine cryptocurrency.

Over 1,000 Websites Affected

The information was revealed by a group of researchers at the security firm Flashpoint.

The team confirmed that at least 1,000 Magento websites have been hacked and infected by the cryptocurrency malware.

Hackers have always shown a keen interest in open source e-commerce platforms as they often deal with large amounts of cash flowing through a big user database.

Magento was the platform hacked most widely in this attack, followed by other popular platforms such as OpenCart and Powerfront CMS.

Data stolen in these compromises has been spotted for sale on the dark web since 2016, with new batches appearing each time the attackers successfully break into multiple admin panels at once.

How Did the Attack Happen?



The security researchers explained in detail how the attack was carried out.

According to reports, the brute-force attack was carried out by using default credentials used in the e-commerce platform after installation. The idea behind this type of attack is largely based on the carelessness of administrators who fail to change the default credentials after installing the program.

The attackers used a series of automated scripts to probe every website running the platform and attempt to log in with the default credentials.
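As an added illustration that is not part of the Flashpoint report, the kind of access-log check a site owner could run to spot the automated admin-panel login attempts described above. The admin path "/admin", the addresses and the log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/nginx "combined" log format; the
# admin path "/admin" and the addresses are assumptions, not values from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2018:10:00:01 +0000] "POST /admin HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
203.0.113.7 - - [15/Mar/2018:10:00:02 +0000] "POST /admin HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
203.0.113.7 - - [15/Mar/2018:10:00:03 +0000] "POST /admin HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
203.0.113.7 - - [15/Mar/2018:10:00:04 +0000] "POST /admin HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
203.0.113.7 - - [15/Mar/2018:10:00:05 +0000] "POST /admin HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
203.0.113.7 - - [15/Mar/2018:10:00:06 +0000] "POST /admin HTTP/1.1" 302 0 "-" "python-requests/2.18.4"
198.51.100.4 - - [15/Mar/2018:10:00:09 +0000] "POST /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Mar/2018:10:00:10 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_admin_posts(log_text, admin_path="/admin"):
    """Return {ip: [timestamps]} for POSTs to the admin login path (login attempts)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].rstrip("/") != admin_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts[m["ip"]].append(ts)
    return attempts

def detect_bruteforce(log_text, admin_path="/admin", threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs that sent >= threshold admin login POSTs inside any sliding window.
    Returns {ip: peak number of attempts seen within one window}."""
    flagged = {}
    for ip, stamps in parse_admin_posts(log_text, admin_path).items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} admin login attempts within one minute -> likely credential brute force")
```

Tune the threshold and window to the normal volume of admin logins on your own store; a handful of failed logins from one office address is noise, a burst of dozens from an unknown address is the pattern described in the report.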

Once they managed to gain access to the CMS admin panel, they had complete control of the website and could install any script that would let them regain access at a later point.

The attackers, in this case, decided to download all the payment information available on the targeted website. They injected malware into the Magento code, which directly retrieved the credit card information stored on the payment page.

The malware intercepted the requests the website made to the server for sensitive information and forwarded that data to the hackers.

After gaining access to the website, the hackers used a credit card sniffer to acquire confidential data.

They also used the hacked credentials to insert cryptomining scripts and redirect some of the links to social engineering campaigns.

With so many websites affected by this attack, the hackers appear to have made a great deal of money by using the compromised servers for whatever tasks they required.

Multiple Industries Affected by Malware Attack

The security team at Flashpoint didn’t stop at identifying the attack, but they also spent a considerable amount of time and invested their resources to help the victims. In their research, they confirmed that over 1,000 admin panels were compromised.

Most of the Magento websites were from the healthcare industry and the education sector. They released a map indicating the regions in which the websites got hacked.

These companies are primarily located in the U.S. and Europe, while some are found in Southeast Asia.

Mining Cryptocurrency Using Malware

The hackers got past the protections of the default installation and ran their own scripts to gain access to sensitive information.

According to security experts, they didn’t stop there as they installed automated scripts which allowed them to use the servers and other resources to mine cryptocurrency.

One of the confirmed malware programs is referred to as the Rarog cryptocurrency miner, which is known amongst the cybersecurity research community.

Step-by-Step Guide to Secure Your Website

While Flashpoint has done its best to confirm the list of hacked websites and has mapped them on a heat map, it is still wise to follow some security measures to safeguard your online store.

Irrespective of whether hacking attempts on your website were successful or not, follow the procedure below to safeguard yourself against a malware intrusion.

  1. Open your admin panel and strictly implement organizational password complexity requirements.
  2. Ensure that the admin panel can only be accessed by a select group of people.
  3. Change all your passwords and make sure users don’t reuse old passwords as they could be compromised.
  4. Make sure to enable two-factor authentication for all types of services including applications, logins, databases and remote access apps.
  5. Introduce your users to secure password managers so that they can generate highly complex passwords and save them for future use.

Safeguarding Yourself Against Malware Attacks

The experts who worked on the investigation confirmed that a major part of this malware attack succeeded because administrators failed to ensure that proper security mechanisms were in place.

By following basic security measures and using password managers, most administrators could safeguard themselves against such attacks from happening in the future.

This is not the first time hackers have exploited such a simple weakness. It happened previously in 2016 with the Mirai botnet attacks and has now been seen again on the Magento e-commerce platform.

Considering the popularity of the platform, the developers are expected to roll out security patches to prevent this from happening again, but it is also up to the users to take steps to avoid such intrusions.
