The Magecart cybercrime gang has switched tactics: it is now targeting vulnerable Magento extensions instead of compromising large websites or third-party services to steal credit card data.
In previous campaigns, the attackers customized the attack for each victim, tailoring the code to each target site according to the information gathered during an initial reconnaissance phase. To avoid detection, the Magecart hackers injected their skimmer only into specific pages.
The new attack was detailed by the researcher Willem de Groot: the hackers are now exploiting zero-day vulnerabilities in popular store extension software in order to inject skimmer scripts.
“Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they able to inject anything in the first place? As it turns out, thieves are massively exploiting unpublished security flaws (aka 0days) in popular store extension software.” explains the expert.
“While the extensions differ, the attack method is the same: PHP Object Injection (POI).”
According to de Groot, many popular PHP applications continue to use unserialize(); while Magento has replaced most of the vulnerable calls in its core, many of its extensions are still flawed.
“This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site.” continues the researcher.
The attackers analyzed a large number of extensions, discovered numerous POI vulnerabilities, and are now scanning the Internet for Magento installs that use those extensions.
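To make the unserialize() weakness concrete for developers auditing their own extensions, here is an added illustration (not de Groot's analysis or any Magento code) of the vulnerable pattern next to two hardened alternatives. The CacheEntry class and the serialized sample string are constructed for the example.

```php
<?php
// Added illustration: why unserialize() on attacker-controlled data is a
// PHP Object Injection sink, and how to harden the call.

// Hypothetical extension class with a magic method. Any loadable class with
// __wakeup()/__destruct() becomes a candidate "gadget": the method runs with
// attacker-chosen property values as soon as the object is unserialized.
class CacheEntry {
    public $path;
    public function __wakeup() {
        // A real extension might touch the filesystem or render a template
        // here; this stand-in only records that it was triggered.
        error_log("CacheEntry::__wakeup fired for path={$this->path}");
    }
}

// Constructed sample: a serialized CacheEntry, the kind of value an extension
// might read from a cookie, hidden form field or request parameter.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:8:"/tmp/xyz";}';

// Vulnerable pattern: the object is instantiated and __wakeup() runs.
function vulnerableLoad(string $data) {
    return unserialize($data);
}

// Hardened pattern 1 (PHP >= 7.0): forbid object instantiation entirely.
// Serialized objects become __PHP_Incomplete_Class and no magic method runs.
function hardenedLoad(string $data) {
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('Refusing serialized object from untrusted input');
    }
    return $value;
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all;
// JSON cannot describe objects of arbitrary classes.
function jsonLoad(string $data): array {
    $value = json_decode($data, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new UnexpectedValueException('Expected a JSON object');
    }
    return $value;
}

vulnerableLoad($untrusted);                       // __wakeup() fires
try { hardenedLoad($untrusted); }                 // rejected before any method runs
catch (UnexpectedValueException $e) { echo $e->getMessage(), PHP_EOL; }
var_dump(jsonLoad('{"path":"/tmp/xyz"}'));        // plain array, no class involved
```

Grepping an extension's code base for unserialize() calls whose argument can be traced back to a request parameter, cookie or database field written by users is the quickest way to find the same sink in code you maintain.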
“Once a user enters his CC details and clicks submit, the fake credit card form disappears and the unsuspecting (?) user will likely try again. The fake form will not show a second time, because a cookie is set to prevent that.”
Further details are included in the analysis published by the researcher.
(Security Affairs – Magecart, cybercrime)