Wednesday, November 27, 2024
HomeInfosec- ResourcesHackers Injected Credit Card Skimmers to 500 Stores Running With Magento

Hackers Injected Credit Card Skimmers to 500 Stores Running With Magento

Published on

On January 25, Sansec posted a tweet that nearly 300+ e-commerce stores were infected with malware. Sansec detected a massive data breach at 500 stores which were running on Magento 1. Magento is an open-source e-commerce platform provided by Adobe. 

All of the stores were affected with a payment skimmer which was loaded to them from naturalfreshmall.com. During the first investigation, Investigators found that the hackers used a clever combination of SQL Injection and PHP Object Injection attack to control the Magento stores.

POI Attack at Zend_Memory_Manager

Further investigations revealed that a known vulnerability in the Quickview plugin was used to abuse the systems which is usually used to inject rogue Magento admin users. But in this case, the attackers used this vulnerability to directly run code on the server. A clear explanation was given by Sansec on how this was possible. 

- Advertisement - SIEM as a Service

Initially, the attackers used the Quickview plugin vulnerability to add a validation rule to the customer_eav_attribute table

45.72.31.112 2022-01-28T15:11:59Z “GET /quickview/index/view/path/’);UPDATE%20customer_eav_attribute%20SET%20validate_rules=UNHEX(‘613a…d7d’)%20WHERE%20validate_rules=’a:2:%7Bs:15:%22max_text_length%22;i:255;s:15:%22min_text_length%22;i:1;%7D’; HTTP/1.1”

The PHP Object Injection is used for crafting a malicious object by the host application. In this attack, the Zend_Memory_Manager and Zend_CodeGenerator_Php_File are used for creating a file called api_1.php followed by a simple backdoor eval($_POST[‘z’]).

Sign Up Activates the Attack

For running the code, Magento need to unserialise the code. The attackers achieved this by using the validation rules set for new customers. By using the sign up page of Magento, the attacker unserialises the data which makes the code to run.

45.72.31.112    2022-01-28T15:12:02Z “GET /customer/account/create/ HTTP/1.1”

45.72.31.112    2022-01-28T15:12:08Z “GET /api_1.php HTTP/1.1”

The api_1.php which is controlled by the attacker is now able to run any PHP code.

During these attacks, the attacker left nearly 19 backdoors on the system which needs to be eliminated in order to prevent future attacks. Many files consisted of the malicious Magento code.

Sansec also posted a list of IP’s that were implicated during the attack

132.255.135.230 US 52485 networksdelmanana.com
132.255.135.51 US 52485 networksdelmanana.com
138.36.92.216 US 265645 HOSTINGFOREX S.A.
138.36.92.253 US 265645 HOSTINGFOREX S.A.
138.36.93.206 US 265645 HOSTINGFOREX S.A.
138.36.94.2 US 265645 HOSTINGFOREX S.A.
138.36.94.224 US 265645 HOSTINGFOREX S.A.
138.36.94.241 US 265645 HOSTINGFOREX S.A.
138.36.94.59 US 265645 HOSTINGFOREX S.A.
138.94.216.131 US 263744 Udasha S.A.
138.94.216.172 US 263744 Udasha S.A.
138.94.216.186 US 263744 Udasha S.A.
138.94.216.230 US 263744 Udasha S.A.
141.193.20.147 US 64249 ENDOFFICE
144.168.218.117 US 55286 SERVER-MANIA
144.168.218.136 US 55286 SERVER-MANIA
144.168.218.249 US 55286 SERVER-MANIA
144.168.218.70 US 55286 SERVER-MANIA
144.168.218.94 US 55286 SERVER-MANIA
144.168.221.92 US 55286 SERVER-MANIA
186.179.14.102 US 52393 Corporacion Dana S.A.
186.179.14.134 US 52393 Corporacion Dana S.A.
186.179.14.179 US 52393 Corporacion Dana S.A.
186.179.14.204 US 52393 Corporacion Dana S.A.
186.179.14.44 US 52393 Corporacion Dana S.A.
186.179.14.76 US 52393 Corporacion Dana S.A.
186.179.14.97 US 52393 Corporacion Dana S.A.
186.179.39.183 US 52393 Corporacion Dana S.A.
186.179.39.226 US 52393 Corporacion Dana S.A.
186.179.39.35 US 52393 Corporacion Dana S.A.
186.179.39.7 US 52393 Corporacion Dana S.A.
186.179.39.74 US 52393 Corporacion Dana S.A.
186.179.47.205 US 52393 Corporacion Dana S.A.
186.179.47.39 US 52393 Corporacion Dana S.A.
191.102.149.106 US 394474 WHITELABELCOLO393
191.102.149.197 US 394474 WHITELABELCOLO393
191.102.149.253 US 394474 WHITELABELCOLO393
191.102.163.202 US 394474 WHITELABELCOLO393
191.102.163.208 US 394474 WHITELABELCOLO393
191.102.163.7 US 394474 WHITELABELCOLO393
191.102.163.74 US 394474 WHITELABELCOLO393
191.102.170.173 US 394474 WHITELABELCOLO393
191.102.170.81 US 394474 WHITELABELCOLO393
191.102.174.128 US 394474 WHITELABELCOLO393
191.102.174.211 US 394474 WHITELABELCOLO393
191.102.174.239 US 394474 WHITELABELCOLO393
191.102.174.247 US 394474 WHITELABELCOLO393
191.102.174.52 US 394474 WHITELABELCOLO393
191.102.179.22 US 394474 WHITELABELCOLO393
191.102.179.31 US 394474 WHITELABELCOLO393
191.102.179.62 US 394474 WHITELABELCOLO393
192.198.123.164 US 55286 SERVER-MANIA
192.198.123.225 US 55286 SERVER-MANIA
192.198.123.226 US 55286 SERVER-MANIA
192.198.123.43 US 55286 SERVER-MANIA
192.241.67.128 US 55286 SERVER-MANIA
193.32.8.1 US 201814 Meverywhere sp. z o.o.
193.32.8.33 US 201814 Meverywhere sp. z o.o.
193.32.8.63 US 201814 Meverywhere sp. z o.o.
193.32.8.76 US 201814 Meverywhere sp. z o.o.
193.8.238.91 US 60781 LeaseWeb Netherlands B.V.
195.123.246.212 CZ 204957 ITL-Bulgaria Ltd.
198.245.77.132 US 55081 24SHELLS
198.245.77.217 US 55081 24SHELLS
198.245.77.253 US 55081 24SHELLS
206.127.242.99 US 201106 Spartan Host Ltd
209.127.104.174 US 55286 SERVER-MANIA
209.127.105.225 US 55286 SERVER-MANIA
209.127.105.73 US 55286 SERVER-MANIA
209.127.106.211 US 55286 SERVER-MANIA
209.127.106.44 US 55286 SERVER-MANIA
209.127.107.141 US 55286 SERVER-MANIA
209.127.107.169 US 55286 SERVER-MANIA
209.127.107.187 US 55286 SERVER-MANIA
209.127.109.138 US 55286 SERVER-MANIA
209.127.109.225 US 55286 SERVER-MANIA
209.127.109.87 US 55286 SERVER-MANIA
209.127.110.144 US 55286 SERVER-MANIA
209.127.110.177 US 55286 SERVER-MANIA
209.127.111.68 US 55286 SERVER-MANIA
209.127.111.99 US 55286 SERVER-MANIA
209.127.116.101 US 55286 SERVER-MANIA
209.127.116.167 US 55286 SERVER-MANIA
209.127.116.231 US 55286 SERVER-MANIA
209.127.117.214 US 55286 SERVER-MANIA
209.127.117.49 US 55286 SERVER-MANIA
209.127.118.136 US 55286 SERVER-MANIA
209.127.118.96 US 55286 SERVER-MANIA
209.127.172.15 US 55081 24SHELLS
209.127.172.60 US 55081 24SHELLS
209.127.172.99 US 55081 24SHELLS
209.127.173.13 US 55081 24SHELLS
209.127.173.154 US 55081 24SHELLS
209.127.173.215 US 55081 24SHELLS
209.127.174.177 US 55081 24SHELLS
209.127.175.113 US 55081 24SHELLS
209.127.97.6 US 55286 SERVER-MANIA
209.127.98.244 US 55286 SERVER-MANIA
209.127.98.81 US 55286 SERVER-MANIA
209.127.98.91 US 55286 SERVER-MANIA
209.127.99.16 US 55286 SERVER-MANIA
209.127.99.205 US 55286 SERVER-MANIA
217.170.207.111 NO 34989 ServeTheWorld AS
23.106.125.64 SG 59253 Leaseweb Asia Pacific pte. ltd.
45.72.112.143 US 55081 24SHELLS
45.72.18.133 US 55081 24SHELLS
45.72.18.234 US 55081 24SHELLS
45.72.18.236 US 55081 24SHELLS
45.72.31.112 US 55081 24SHELLS
45.72.85.178 US 55081 24SHELLS
45.72.86.142 US 55081 24SHELLS
45.72.86.201 US 55081 24SHELLS

Adobe is said to have stopped it’s updates and patches on Magento 1 but still many of the e-commerce platforms are relying on it. Hence it is recommended to update the Magento versions regularly from external patches.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Junior School Student Indicted for Infecting Computers With Malware

Fukui Prefectural Police have indicted a 15-year-old junior high school student from Saitama Prefecture...

Critical Gitlab Vulnerability Let Attackers Escalate Privileges

GitLab, a widely used platform for DevOps lifecycle management, has released critical security updates...

Firefox 133.0 Released with Multiple Security Updates – What’s New!

Mozilla has officially launched Firefox 133.0, offering enhanced features, significant performance improvements, and critical...

RomCom Hackers Exploits Windows & Firefox Zero-Day in Advanced Cyberattacks

In a new wave of cyberattacks, the Russia-aligned hacking group "RomCom" has been found...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Hijacked Misconfigured Servers For Live Streaming Sports

Recent threat hunting activities focused on analyzing outbound network traffic and binaries within containerized...

Crypto Network Security: Essential Tips To Protect Your Digital Assets In 2023 

Exploring the world of cryptocurrencies has been a thrilling journey for me. The allure...

New RansomHub Attack Killing Kaspersky’s TDSSKiller To Disable EDR

RansomHub has recently employed a novel attack method utilizing TDSSKiller and LaZagne, where TDSSKiller,...