Nearly 2000 Magento 1 stores around the globe have been hacked in the largest Magecart attack since 2015. By injecting malicious code, the hackers could intercept the payment information of the store customers. According to the Sansec research report, almost 2000 Magento stores' security has been compromised by this Magecart attack. The highlights of this hack are:
- 1904 distinct Magento stores with a unique keylogger on the checkout page.
- 10 stores attacked on Friday
- 1058 stores attacked on Saturday
- 603 stores attacked on Sunday
- 233 stores attacked on Monday
Largest-Ever Magecart Campaign resulting in 2000 Magento stores hacked!
This automated campaign resulted in the compromise of approximately 10,000 customers' sensitive data. The hackers breached the Magento 1 stores and injected malicious code to capture the payment card details that customers entered in the checkout form. The attack uses the "Magento Connect" section of Magento (now replaced by the Marketplace), also known as the downloader, to inject JavaScript code into the store that loads the malware. Magento Connect is the page from which extensions could be installed in the store.
Willem de Groot, founder of Sanguine Security (Sansec), identifies this campaign as the largest hack since 2015. The research also says that this campaign may be related to a recent Magento 1 0day exploit that was put up for sale a few weeks ago on a hacking forum. A user identified as "z3r0day" announced the sale of a Magento 1 "remote code execution" exploit method, with an instruction video, priced at $5,000. He also stated that no admin rights are necessary to inject the code into the JS file.
Is your Magento 1 store security breached?
Check whether there has been an attack by searching the server log files for access to the downloader directory. A hit would look like this:
/downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name=
However, if you have blocked access to the downloader directory in your store, or this directory does not exist in your store at all, your store is safe.
In several of the hacked stores, a mysql.php file was found in the root directory. Also search for files that are not part of the Magento installation and remove them.
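The log check described above, as an added example that is not part of the original post or of Sansec's tooling: it parses access-log lines in the common/combined format, flags every request to /downloader/, and marks those carrying the connectInstallPackageUpload action. The sample lines and IP addresses are constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Common/combined log format: ip - - [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator quoted in the post: the downloader action used to upload a package.
UPLOAD_ACTION = "A=connectInstallPackageUpload"


def classify_request(target: str) -> str:
    """Return 'upload' for the package-upload action, 'access' for any other
    /downloader/ request, or '' when the request is unrelated."""
    path, _, query = target.partition("?")
    if not path.startswith("/downloader/"):
        return ""
    return "upload" if UPLOAD_ACTION in query else "access"


def find_downloader_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan access-log lines and return every request that touched /downloader/."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        kind = classify_request(m["target"])
        if not kind:
            continue
        hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                     "target": m["target"], "status": m["status"], "kind": kind})
    return hits


# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2020:03:14:07 +0000] "GET /index.php/checkout/onepage/ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Sep/2020:03:15:22 +0000] "GET /downloader/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/Sep/2020:03:15:31 +0000] "POST /downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name= HTTP/1.1" 200 310',
    '198.51.100.9 - - [13/Sep/2020:08:01:00 +0000] "POST /downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name= HTTP/1.1" 404 196',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_downloader_hits(SAMPLE_LOG):
        print(f'{hit["kind"]:6} {hit["status"]} {hit["ip"]} {hit["time"]} {hit["target"]}')
```

An upload hit with status 200 means the downloader accepted the request and the store should be treated as compromised; a 404 on the same action is what the RedirectMatch rule below produces once the directory is blocked.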
Inform your recent customers about this security breach so that they can take precautions, such as changing their passwords, to prevent any loss.
What can Magento 1 store owners do to avoid such security attacks?
- Open the .htaccess file located in the root folder of your Magento installation and add the following line at the beginning:
  RedirectMatch 404 ^/downloader/.*$
- Remove the complete "downloader" directory, which is located in your root directory, or simply rename it.