Zombie money machines: Thousands of e-commerce websites infected with “MagentoCore” malware that skims payment details
Monday, September 3, 2018/
An analysis of e-commerce stores around the world has revealed thousands of them are unwittingly running a dangerous payment skimming malware stealing thousands from users, with 50 new stores being infected each day.
The infection was uncovered by prominent Dutch security blogger and researcher Willem de Groot, who dubbed the malware ‘MagentoCore’, due to it infecting the popular e-commerce software Magento.
On his blog, de Groot said the skimmer had been placed on 7,339 online stores in the last six months, turning them into “zombie money machines to the benefit of their illustrious masters”. The blogger labelled the skimmer as the “most successful to date”.
“The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their card and identity stolen,” de Groot said.
De Groot says the malware often infects the website through a classic brute-force attack, which continuously tries to guess the password used by the website’s Magento admin panel over and over, sometimes for months. Once access is gained, the software injects a crafty piece of code into the website’s HTML.
An infected website will then record all keystrokes from customers on the website and beam them back to the hacker’s main server, capturing things such as usernames, passwords, credit card information, and personal details.
However, the malware also implements a recovery mechanism, which deletes the code after it has run, before redownloading it to run again later.
An analysis of 220,000 sites running currently by de Groot showed 4.2% of them were leaking customer data.
ITNews reports that, according to site source code search engine PublicWWW, there are just over 100 websites with the .au domain currently infected with the malware, however the real number could be higher as not all local e-commerce websites use .au domains.
4.2% of all Magento stores globally are currently leaking payment and customer data pic.twitter.com/Utw9W3t3Oa
— Willem de Groot (@gwillem) August 27, 2018
Strong passwords and regular patching needed
Speaking to SmartCompany, founder of IT services firm Combo David Markus said these sorts of malware attacks can often stem from business owners not keeping their websites and software up-to-date, as well as general poor practices when it comes to password security.
Markus recalls a time where he had fallen behind in keeping his company’s website up-to-date, which led to some hackers infiltrating the site and changing some of its text. While not anywhere near as serious as payment-skimming malware, Markus said it taught him a lesson.
“If you don’t keep paying attention to your website, someone else will,” he says.
“It’s quite prevalent, and anyone in the business of e-commerce has a responsibility to manage your payment gateway software and any other software you use.”
Markus encourages businesses to keep a stringent patch schedule of at least once a week, but he says that should increase if businesses are operating active online environments such as e-commerce stores.
On his blog, de Groot advises any business that finds itself infected to follow some key steps, including finding how the malware got into the system in the first place and closing all points of access immediately.
“Analyse backend access logs, correlate with staff IPs and typical working hours. If suspicious activity is recorded from staff IPs, it could be that a staff computer is infected with malware, or that the attacker has hijacked an authorised session,” de Groot said.
Once that’s done, he advises restoring the website to an earlier trusted code version and then implement secure procedures that cover “timely patching [and] strong staff passwords”.