MagentoCore Malware Infected More than 7000 Magento Websites
On August 30, Willem de Groot—Co-Founder and former Head of Security at Byte.nl, a web host in the Netherlands with more than 6,500 domains—published a blogpost at GitLab showing that 4.2% of all Magento stores globally are currently leaking payment and customer data. After scanning more than 220,000 online stores running on the Magento open-source platform, he found a highly prolific payment card skimming malware called MagentoCore that has managed to hijack 7339 individual stores in the last 6 months. Among these sites, at least 1450 stores have been infected for the full 6 months since the massive hacking campaign started.
The Dutch security expert also revealed that the malware had been planting skimmers on Magento sites at a pace of 50-60 stores a day for the 2 weeks before his post. While online skimmers have been around for a few years, De Groot described MagentoCore.net as the most successful payment card skimming campaign to date.
“The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their card and identity stolen,” he added.
How MagentoCore Malware works and what can be done
To secure your Magento store, a thorough understanding of how this dangerous malware works is critical. In his blogpost, De Groot explained how it operates and the key steps to follow when your store is found to be hosting the MagentoCore.net parasite:
The malware operators often use brute force techniques to break into the control panel of an e-commerce site. Once access is gained, they modify the site's source code to load a malicious script on the checkout pages. By recording all keystrokes of customers on the website, the script captures usernames, passwords, personal details and credit card information and sends everything in real time to the operators' “magentocore.net” server. In addition, the malware inserts a backdoor into the system that periodically downloads further malicious code and erases all traces after running. It is also capable of removing any competing malware from the site and changing the passwords of several staff user accounts.
To recover your Magento site from the MagentoCore malware, first identify the entry points through which the attackers gained access and close them at once. Then find and remove the skimmer, the backdoors and any unauthorized changes to the code. Finally, make sure secure procedures are in place for patching and password protection. You can find detailed guidelines for these steps in Willem de Groot’s post.
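As an added illustration of the "find the skimmer" step (this is example code, not from De Groot's post or the Magento project), the following scans saved checkout-page HTML, templates or JavaScript for the only indicator the article gives, a script loaded from or referencing magentocore.net. The sample page and the loader path in it are constructed for the demo; real skimmer loaders are often obfuscated or hosted on look-alike domains, so a clean result here is not proof of a clean store.

```python
"""Find <script> tags or inline JavaScript that reference a known skimmer
host. Sample HTML below is constructed for illustration, not a capture."""
import re
from html.parser import HTMLParser

# Exfiltration host named in the article. Extend with other indicators as needed.
SKIMMER_HOSTS = ("magentocore.net",)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True  # body arrives via handle_data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_skimmer_references(html, hosts=SKIMMER_HOSTS):
    """Return (kind, evidence) pairs: 'external' for a script src on a skimmer
    host, 'inline' for inline JS mentioning one (e.g. a hard-coded exfil URL)."""
    parser = ScriptCollector()
    parser.feed(html)
    pattern = re.compile("|".join(re.escape(h) for h in hosts), re.IGNORECASE)
    hits = [("external", src) for src in parser.external if pattern.search(src)]
    hits += [("inline", body.strip()[:80]) for body in parser.inline if pattern.search(body)]
    return hits


# Constructed sample: one legitimate Magento asset plus an injected loader
# (the loader path is a placeholder, not a real indicator from the article).
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script type="text/javascript" src="https://magentocore.net/EXAMPLE-loader.js"></script>
</head><body><script>var checkout = {};</script></body></html>"""

if __name__ == "__main__":
    for kind, evidence in find_skimmer_references(SAMPLE_CHECKOUT_HTML):
        print(f"{kind}: {evidence}")
```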
In a Sep. 04 interview with SC Media, a Magento spokesperson stated that around 5,000 Magento Open Source users were found to have been affected by brute force attacks in which the MagentoCore malware planted skimmers on their sites: “One of the most common ways a site can be compromised is by brute force attacks, which work by exploiting common or default passwords.”
We have previously discussed how to prevent brute force attacks on Magento 2 websites. If your online store runs on Magento 2, be sure to follow our guide to secure your site against the MagentoCore malware and any other malicious activity in the future.