Friday, April 25, 2025
HomeInfosec- ResourcesHackers Injected Credit Card Skimmers to 500 Stores Running With Magento

Hackers Injected Credit Card Skimmers to 500 Stores Running With Magento

Published on

SIEM as a Service

Follow Us on Google News

On January 25, Sansec posted a tweet that nearly 300+ e-commerce stores were infected with malware. Sansec detected a massive data breach at 500 stores which were running on Magento 1. Magento is an open-source e-commerce platform provided by Adobe. 

All of the stores were affected with a payment skimmer which was loaded to them from naturalfreshmall.com. During the first investigation, Investigators found that the hackers used a clever combination of SQL Injection and PHP Object Injection attack to control the Magento stores.

POI Attack at Zend_Memory_Manager

Further investigations revealed that a known vulnerability in the Quickview plugin was used to abuse the systems which is usually used to inject rogue Magento admin users. But in this case, the attackers used this vulnerability to directly run code on the server. A clear explanation was given by Sansec on how this was possible. 

- Advertisement - Google News

Initially, the attackers used the Quickview plugin vulnerability to add a validation rule to the customer_eav_attribute table

45.72.31.112 2022-01-28T15:11:59Z “GET /quickview/index/view/path/’);UPDATE%20customer_eav_attribute%20SET%20validate_rules=UNHEX(‘613a…d7d’)%20WHERE%20validate_rules=’a:2:%7Bs:15:%22max_text_length%22;i:255;s:15:%22min_text_length%22;i:1;%7D’; HTTP/1.1”

The PHP Object Injection is used for crafting a malicious object by the host application. In this attack, the Zend_Memory_Manager and Zend_CodeGenerator_Php_File are used for creating a file called api_1.php followed by a simple backdoor eval($_POST[‘z’]).

Sign Up Activates the Attack

For running the code, Magento need to unserialise the code. The attackers achieved this by using the validation rules set for new customers. By using the sign up page of Magento, the attacker unserialises the data which makes the code to run.

45.72.31.112    2022-01-28T15:12:02Z “GET /customer/account/create/ HTTP/1.1”

45.72.31.112    2022-01-28T15:12:08Z “GET /api_1.php HTTP/1.1”

The api_1.php which is controlled by the attacker is now able to run any PHP code.

During these attacks, the attacker left nearly 19 backdoors on the system which needs to be eliminated in order to prevent future attacks. Many files consisted of the malicious Magento code.

Sansec also posted a list of IP’s that were implicated during the attack

132.255.135.230 US 52485 networksdelmanana.com
132.255.135.51 US 52485 networksdelmanana.com
138.36.92.216 US 265645 HOSTINGFOREX S.A.
138.36.92.253 US 265645 HOSTINGFOREX S.A.
138.36.93.206 US 265645 HOSTINGFOREX S.A.
138.36.94.2 US 265645 HOSTINGFOREX S.A.
138.36.94.224 US 265645 HOSTINGFOREX S.A.
138.36.94.241 US 265645 HOSTINGFOREX S.A.
138.36.94.59 US 265645 HOSTINGFOREX S.A.
138.94.216.131 US 263744 Udasha S.A.
138.94.216.172 US 263744 Udasha S.A.
138.94.216.186 US 263744 Udasha S.A.
138.94.216.230 US 263744 Udasha S.A.
141.193.20.147 US 64249 ENDOFFICE
144.168.218.117 US 55286 SERVER-MANIA
144.168.218.136 US 55286 SERVER-MANIA
144.168.218.249 US 55286 SERVER-MANIA
144.168.218.70 US 55286 SERVER-MANIA
144.168.218.94 US 55286 SERVER-MANIA
144.168.221.92 US 55286 SERVER-MANIA
186.179.14.102 US 52393 Corporacion Dana S.A.
186.179.14.134 US 52393 Corporacion Dana S.A.
186.179.14.179 US 52393 Corporacion Dana S.A.
186.179.14.204 US 52393 Corporacion Dana S.A.
186.179.14.44 US 52393 Corporacion Dana S.A.
186.179.14.76 US 52393 Corporacion Dana S.A.
186.179.14.97 US 52393 Corporacion Dana S.A.
186.179.39.183 US 52393 Corporacion Dana S.A.
186.179.39.226 US 52393 Corporacion Dana S.A.
186.179.39.35 US 52393 Corporacion Dana S.A.
186.179.39.7 US 52393 Corporacion Dana S.A.
186.179.39.74 US 52393 Corporacion Dana S.A.
186.179.47.205 US 52393 Corporacion Dana S.A.
186.179.47.39 US 52393 Corporacion Dana S.A.
191.102.149.106 US 394474 WHITELABELCOLO393
191.102.149.197 US 394474 WHITELABELCOLO393
191.102.149.253 US 394474 WHITELABELCOLO393
191.102.163.202 US 394474 WHITELABELCOLO393
191.102.163.208 US 394474 WHITELABELCOLO393
191.102.163.7 US 394474 WHITELABELCOLO393
191.102.163.74 US 394474 WHITELABELCOLO393
191.102.170.173 US 394474 WHITELABELCOLO393
191.102.170.81 US 394474 WHITELABELCOLO393
191.102.174.128 US 394474 WHITELABELCOLO393
191.102.174.211 US 394474 WHITELABELCOLO393
191.102.174.239 US 394474 WHITELABELCOLO393
191.102.174.247 US 394474 WHITELABELCOLO393
191.102.174.52 US 394474 WHITELABELCOLO393
191.102.179.22 US 394474 WHITELABELCOLO393
191.102.179.31 US 394474 WHITELABELCOLO393
191.102.179.62 US 394474 WHITELABELCOLO393
192.198.123.164 US 55286 SERVER-MANIA
192.198.123.225 US 55286 SERVER-MANIA
192.198.123.226 US 55286 SERVER-MANIA
192.198.123.43 US 55286 SERVER-MANIA
192.241.67.128 US 55286 SERVER-MANIA
193.32.8.1 US 201814 Meverywhere sp. z o.o.
193.32.8.33 US 201814 Meverywhere sp. z o.o.
193.32.8.63 US 201814 Meverywhere sp. z o.o.
193.32.8.76 US 201814 Meverywhere sp. z o.o.
193.8.238.91 US 60781 LeaseWeb Netherlands B.V.
195.123.246.212 CZ 204957 ITL-Bulgaria Ltd.
198.245.77.132 US 55081 24SHELLS
198.245.77.217 US 55081 24SHELLS
198.245.77.253 US 55081 24SHELLS
206.127.242.99 US 201106 Spartan Host Ltd
209.127.104.174 US 55286 SERVER-MANIA
209.127.105.225 US 55286 SERVER-MANIA
209.127.105.73 US 55286 SERVER-MANIA
209.127.106.211 US 55286 SERVER-MANIA
209.127.106.44 US 55286 SERVER-MANIA
209.127.107.141 US 55286 SERVER-MANIA
209.127.107.169 US 55286 SERVER-MANIA
209.127.107.187 US 55286 SERVER-MANIA
209.127.109.138 US 55286 SERVER-MANIA
209.127.109.225 US 55286 SERVER-MANIA
209.127.109.87 US 55286 SERVER-MANIA
209.127.110.144 US 55286 SERVER-MANIA
209.127.110.177 US 55286 SERVER-MANIA
209.127.111.68 US 55286 SERVER-MANIA
209.127.111.99 US 55286 SERVER-MANIA
209.127.116.101 US 55286 SERVER-MANIA
209.127.116.167 US 55286 SERVER-MANIA
209.127.116.231 US 55286 SERVER-MANIA
209.127.117.214 US 55286 SERVER-MANIA
209.127.117.49 US 55286 SERVER-MANIA
209.127.118.136 US 55286 SERVER-MANIA
209.127.118.96 US 55286 SERVER-MANIA
209.127.172.15 US 55081 24SHELLS
209.127.172.60 US 55081 24SHELLS
209.127.172.99 US 55081 24SHELLS
209.127.173.13 US 55081 24SHELLS
209.127.173.154 US 55081 24SHELLS
209.127.173.215 US 55081 24SHELLS
209.127.174.177 US 55081 24SHELLS
209.127.175.113 US 55081 24SHELLS
209.127.97.6 US 55286 SERVER-MANIA
209.127.98.244 US 55286 SERVER-MANIA
209.127.98.81 US 55286 SERVER-MANIA
209.127.98.91 US 55286 SERVER-MANIA
209.127.99.16 US 55286 SERVER-MANIA
209.127.99.205 US 55286 SERVER-MANIA
217.170.207.111 NO 34989 ServeTheWorld AS
23.106.125.64 SG 59253 Leaseweb Asia Pacific pte. ltd.
45.72.112.143 US 55081 24SHELLS
45.72.18.133 US 55081 24SHELLS
45.72.18.234 US 55081 24SHELLS
45.72.18.236 US 55081 24SHELLS
45.72.31.112 US 55081 24SHELLS
45.72.85.178 US 55081 24SHELLS
45.72.86.142 US 55081 24SHELLS
45.72.86.201 US 55081 24SHELLS

Adobe is said to have stopped it’s updates and patches on Magento 1 but still many of the e-commerce platforms are relying on it. Hence it is recommended to update the Magento versions regularly from external patches.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

DragonForce and Anubis Ransomware Gangs Launch New Affiliate Programs

Secureworks Counter Threat Unit (CTU) researchers have uncovered innovative strategies deployed by the DragonForce...

“Power Parasites” Phishing Campaign Targets Energy Firms and Major Brands

Silent Push Threat Analysts have uncovered a widespread phishing and scam operation dubbed "Power...

Threat Actors Register Over 26,000 Domains Imitating Brands to Deceive Users

Researchers from Unit 42 have uncovered a massive wave of SMS phishing, or "smishing,"...

Russian Hackers Attempt to Sabotage Digital Control Systems of Dutch Public Service

The Dutch Defense Ministry has revealed that critical infrastructure, democratic processes, and North Sea...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cybercriminals Exploit Network Edge Devices to Infiltrate SMBs

Small and midsized businesses (SMBs) continue to be prime targets for cybercriminals, with network...

Detecting And Blocking DNS Tunneling Techniques Using Network Analytics

DNS tunneling is a covert technique that cybercriminals use to bypass traditional network security...

How To Conduct End-to-End Forensics From Compromised Endpoint To Network Pivot

The discovery of a compromised endpoint in an organization's network marks the beginning of...