A large number of online stores using the Magento 1 e-commerce system were targeted by a web skimmer, according to Sansec, an eCommerce security consultancy.
The crawler detected roughly 374 infections in a single day, indicating an onslaught. The infection was downloaded from the domain naturalfreshmall[.]com, which is presently offline. The threat operators' purpose was to steal credit card information from consumers at the targeted online retailers.
An attacker often uses a security flaw in the Quickview plugin to insert rogue admin users into susceptible Magento stores as the initial intrusion vector. Under this scenario, however, the flaw was exploited to add a default value resulting in the database being updated with a file carrying a simple backdoor. By just surfing the Magento login page, the validation requirements for prospective consumers would be used to initiate the code execution.
By implementing a default value to the customer_ eav_attribute table, misuse is possible. The host app is tricked into creating a malicious entity, which is then utilized to generate a basic backdoor (api 1.php). As per Sansec, the intruders installed 19 backdoors on the hacked system, which means the affected sites must remove all of them to avoid being targeted in future attacks.
Although thousands of merchants continue to use it, the Magento 1 platform has hit End-of-Life, and Adobe no longer provides security upgrades for the same. As a result, the sites are accessible to a wide range of cyberattacks, putting the clients' sensitive information at risk. These details usually include credit card numbers, mailing addresses, names, phone numbers, and email addresses, as well as anything else required to complete an online order.
All Magento administrators should make sure it is running the most current edition of the platform and upgrade if it is on an older, unsupported version.