Largest-Ever Magecart Campaign – 2000 Magento Stores Hacked

October 8, 2020
By Cozmot

Nearly 2000 Magento 1 stores around the globe have been hacked in the largest Magecart attack since 2015. The hackers could intercept the store customers' payment information by injecting malicious code. According to the Sansec research report, the security of almost 2000 Magento stores has been compromised in the Magecart attack. The highlights of this hack are:

  • 1904 distinct Magento stores with a unique keylogger on the checkout page.
  • 10 stores attacked on Friday
  • 1058 stores attacked on Saturday
  • 603 stores attacked on Sunday
  • 233 stores attacked on Monday

All these stores were identified as running Magento 1, for which Adobe ended support on June 30, 2020. The company no longer offers security patches, though third parties like MageOne offer security patches, giving merchants the time required for the Magento 2 migration.

Largest-Ever Magecart Campaign resulting in 2000 Magento stores hacked!

This automated campaign compromised the sensitive data of approximately 10,000 customers. The hackers breached the Magento 1 stores and injected malicious code to capture the payment card details that customers entered in the checkout form. The attack uses the “Magento Connect” section of Magento (now the Marketplace), also known as the downloader, to inject JavaScript code into the store that loads malware. Magento Connect is the page where you could install extensions in the store.

Willem de Groot, founder of Sanguine Security (Sansec), identifies this campaign as the largest ever hack since 2015. The research also says that this campaign may be related to a recent Magento 1 0day (exploit) that was put up for sale a few weeks ago on a hacking forum. A user identified as “z3r0day” announced the sale of a Magento 1 “remote code execution” exploit method with an instruction video, priced at $5,000. He also stated that no admin rights are necessary to inject this code in the JS file!

Is your Magento 1 store security breached?

Check whether there has been an attack by searching the server log files for access to the downloader directory. It would look like this:

/downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name=

However, if you have blocked access to the downloader directory in your store, or this directory does not exist in your store at all, your store is safe. In several of the hacked stores a mysql.php file was found in the root directory. Also, search for files that are not part of the Magento installation and remove them. Do inform your recent customers about this security breach so that they can take the precaution of changing their passwords and prevent any loss.
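The log search described above, as an added Python example that is not part of the original post: it assumes the Apache/Nginx combined log format, and the function names and sample lines are constructed for illustration. It lists every request under /downloader/ and separates package-upload requests the server answered from those it rejected.

```python
import re
from urllib.parse import parse_qs, unquote

# Apache/Nginx "combined" access-log format (assumed; adapt to your server).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def scan_downloader_hits(lines):
    """Return one finding per logged request under /downloader/."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        raw_path, _, query = m["target"].partition("?")
        # Normalise percent-encoding, duplicate slashes and case before matching.
        path = re.sub(r"/+", "/", unquote(raw_path)).lower()
        if not (path + "/").startswith("/downloader/"):
            continue
        status = int(m["status"])
        action = parse_qs(query).get("A", [""])[0]
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"], "status": status,
            # Action parameter from the request pattern quoted in the article.
            "package_upload": action == "connectInstallPackageUpload",
            # Below 400 the downloader answered; 403/404 means blocked or absent.
            "served": status < 400,
        })
    return findings

def needs_investigation(findings):
    """Package-upload requests that the server actually served."""
    return [f for f in findings if f["package_upload"] and f["served"]]

# Constructed sample lines (documentation IP ranges, made-up times), not real traffic.
UPLOAD = "/downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name="
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2020:03:13:59 +0000] "GET /downloader/ HTTP/1.1" 200 3050 "-" "-"',
    f'203.0.113.7 - - [01/Jan/2020:03:14:07 +0000] "POST {UPLOAD} HTTP/1.1" 200 512 "-" "-"',
    f'198.51.100.23 - - [01/Jan/2020:04:02:51 +0000] "POST {UPLOAD} HTTP/1.1" 404 209 "-" "-"',
    '192.0.2.10 - - [01/Jan/2020:04:05:00 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 10432 "-" "-"',
]

if __name__ == "__main__":
    for f in needs_investigation(scan_downloader_hits(SAMPLE_LOG)):
        print(f"{f['time']} {f['ip']} {f['method']} status={f['status']}: package upload was served")
```

A served package-upload request is a reason to check the store for unknown files such as the mysql.php mentioned above; a 404 on the same request means the downloader was already blocked or removed.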

What can Magento 1 store owners do to avoid such security attacks?

  1. Open the .htaccess file that is located in the root folder of your Magento installation. Add the following line at the beginning: RedirectMatch 404 ^/downloader/.*$
  2. Remove the complete directory "downloader", which is located in your root directory. Or simply rename it.

To prevent such attacks, you can block access to the downloader folder from all IPs except yours. But that’s only prevention, not a guaranteed solution! The ultimate solution is to select the best Magento 2 migration agency and migrate your store to Magento 2. It is recommended to hire certified Magento developers for this task, as the store’s security and data are concerned. Avoid any common Magento migration mistakes and let the experts handle this task while you focus on new business strategy and how to make the most out of the latest Magento 2 version!

However, for the time being, while you are planning the migration process, there’s an option to secure your Magento 1 stores. Cozmot has partnered with Mage One, so our customers can avail themselves of the sustainable bug bounty program, under which they get access to the security patches for the store.

Earlier, payment processors like Visa and PayPal requested that merchants migrate to Magento 2, as such security hacks were foreseen with the end of life for Magento 1. Better now than never: get the developers on the task and offer a secure shopping platform to the customers! Security cannot be overlooked, as it goes hand in hand with customer experience. And if you fail in it, you are out of business soon. Therefore, stay secure, stay safe! (Pun intended 😉) Do share the post far and wide via social media and alert the Magento 1 store owners! Thank you.
