Hundreds of e-commerce sites booby-trapped with payment card skimming malware

11/02/2022

Stock photo of a woman using a laptop and a credit card to make a purchase.

About 500 e-commerce websites were recently found to be compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase.

A report published on Tuesday is only the latest one involving Magecart, an umbrella term given to competing crime groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that cause them to run malicious code. When visitors enter payment card details during purchase, the code sends them to attacker-controlled servers.

Fraud courtesy of Naturalfreshmall[.]com

Sansec, the security firm that discovered the latest batch of infections, said the compromised sites were all loading malicious scripts hosted at the domain naturalfreshmall[.]com.

“The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form,” firm researchers wrote on Twitter. “Payments are sent to https://naturalfreshmall[.]com/payment/Payment.php.”

The hackers then modified existing files or planted new files that provided no fewer than 19 backdoors that the hackers could use to retain control over the sites in the event the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect the site is to identify and remove the backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.

Sansec worked with the admins of hacked sites to determine the common entry point used by the attackers. The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plugin known as Quickview. The exploits allowed the attackers to execute malicious code directly on the web server.

They accomplished this code execution by abusing Quickview to add a validation rule to the customer_eav_attribute table and injecting a payload that tricked the host application into crafting a malicious object. Then, they signed up as a new user on the site.

“However, just adding it to the database will not run the code,” Sansec researchers explained. “Magento actually needs to unserialize the data. And there is the cleverness of this attack: by using the validation rules for new customers, the attacker can trigger an unserialize by simply browsing the Magento sign up page.”

It’s not hard to find sites that remain infected more than a week after Sansec first reported the campaign on Twitter. At the time this post was going live, Bedexpress[.]com continued to contain an HTML attribute that pulls JavaScript from the rogue naturalfreshmall[.]com domain.
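As an added example (not code from the article, Sansec, or Magento), here is a defender-side check for the two indicators the article describes: a script tag loading from the rogue domain, and a serialized PHP object planted in the customer_eav_attribute validation rules, where Magento would unserialize it. The column name validate_rules, the script path and all sample data are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser

# Skimmer host named in the article (de-fanged there as naturalfreshmall[.]com).
ROGUE_DOMAINS = {"naturalfreshmall.com"}

# Header of a serialized PHP object: O:<len>:"<ClassName>":<count>:{
# Legitimate Magento validate_rules are serialized arrays (a:...), never objects.
PHP_OBJECT_RE = re.compile(r'(?<![A-Za-z0-9])O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def rogue_script_hosts(html):
    """Return script src values whose host is on the rogue-domain list."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        m = re.match(r'^(?:https?:)?//([^/:?#]+)', src.strip())
        if m and m.group(1).lower() in ROGUE_DOMAINS:
            hits.append(src)
    return hits


def suspicious_validate_rules(rows):
    """rows: (attribute_code, validate_rules) pairs dumped from customer_eav_attribute.
    Returns attribute codes whose rules embed a serialized PHP object."""
    return [code for code, rules in rows if rules and PHP_OBJECT_RE.search(rules)]


# Constructed sample page: one benign script, one loaded from the rogue domain.
SAMPLE_HTML = ('<script src="https://cdn.example.com/jquery.js"></script>'
               '<script src="https://naturalfreshmall.com/constructed/example.js"></script>')

# Constructed dump rows: a normal serialized-array rule and an injected object.
SAMPLE_ROWS = [
    ("lastname", 'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'),
    ("firstname", 'a:1:{s:5:"dummy";O:17:"Some_Gadget_Class":1:{s:4:"data";s:1:"x";}}'),
]
```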

The hacked sites were running Magento 1, a version of the e-commerce platform that was retired in June 2020. The safer bet for any site still using this deprecated package is to upgrade to the latest version of Adobe Commerce. Another option is to install open source patches available for Magento 1, either with DIY software from the OpenMage project or with commercial support from Mage-One.

It’s generally hard for people to detect payment card skimmers without special training. One option is to use antivirus software such as Malwarebytes, which examines in real time the JavaScript being served on a visited website. People also may want to steer clear of sites that appear to be using outdated software, although that’s hardly a guarantee that the site is safe.
