Year-old critical Magento flaw still exploited, payment info stolen

A whole year has passed since a critical e-shop hijacking flaw in the Magento CMS was patched, but the vulnerability is still being exploited in the wild, warns Sucuri researcher Denis Sinegubko.

At the time, the Magento development team pushed out a patch (SUPEE-5344), but two months later some 98,000 online merchants still hadn't applied it. That forced the team to send email alerts directly to users, urging them to apply the patch immediately.


Obviously, even that was not enough: attackers are still actively deploying malware that exploits the vulnerability to inject malicious code into a Magento core file.

Interestingly, to disguise the injected code as the legitimate patch, they prefixed it with the following comment:

Mage Patch SUPEE-5344 – initial check if not compromised
@author Magento Core Team - core@magentocommerce.com

The malware allows the attackers to create admin users within the Magento application and, ultimately, to steal customers’ credit card information and their login credentials.

The latter lets the attackers log in to customers' accounts and extract more customer data (shipping and billing addresses), and the stolen credentials can be used to hijack accounts on other sites and services, since many people reuse passwords.

The attackers can also execute arbitrary PHP code on the server, change the permissions of all Magento files, and delete the publicly accessible file in which the stolen data is stored (encrypted, so the file itself reveals nothing to anyone else who finds it).

Attacks similar to this one have been going on for a while: Magento-based credit card stealers are becoming a trend.

“The Magento malware ecosystem is maturing and attracting more hackers, and they’re bringing their arsenal of tried and true tricks and methods from WordPress and Joomla! malware with them,” says Sinegubko.

Magento sites are being probed for vulnerabilities and hit with brute-force attacks that try to guess admin credentials. Attempts to breach Magento installations via other compromised CMS applications sharing the same server account have also been observed.

The researcher advises Magento store admins to apply patches and updates religiously, monitor the integrity of Magento files, review users with admin privileges (and delete any they don't recognise), and change the passwords of all admin users (to strong, unique ones).
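One way to act on the "monitor the integrity of Magento files" advice, as an added example that is not Sucuri's or the Magento project's own tooling: record a SHA-256 manifest of every .php file in the store tree, compare later runs against it, and additionally flag any file carrying the bogus "Mage Patch SUPEE-5344" docblock quoted above. The directory layout, file contents and the `demo()` scenario are constructed for illustration; only the marker text comes from the article. Because the malware can change permissions on and delete files on the web host, the baseline manifest should be kept somewhere the web server account cannot write.

```python
"""
Added example, not code from Sucuri or the Magento project: a small integrity
monitor for a Magento 1 code tree. It records a SHA-256 manifest of every .php
file, reports files added, removed or modified since that baseline, and flags
any file carrying the fake "Mage Patch SUPEE-5344" docblock quoted in the
article. All paths and file contents in demo() are constructed for the demo.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# The distinctive text of the bogus docblock. The "@author Magento Core Team"
# line is deliberately NOT used as an indicator: genuine Magento 1 core files
# carry that same author line in their headers, so it would match everything.
FAKE_PATCH_MARKER = "Mage Patch SUPEE-5344"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every .php file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*.php"))
        if p.is_file()
    }


def compare_manifest(root: Path, baseline: dict) -> dict:
    """Diff the current tree against a stored baseline manifest."""
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in current if p in baseline and current[p] != baseline[p]
        ),
    }


def find_fake_patch_marker(root: Path) -> list:
    """Relative paths of .php files that contain the bogus SUPEE-5344 docblock."""
    hits = []
    for p in sorted(root.rglob("*.php")):
        if p.is_file() and FAKE_PATCH_MARKER in p.read_text(
            encoding="utf-8", errors="replace"
        ):
            hits.append(p.relative_to(root).as_posix())
    return hits


def demo() -> dict:
    """Constructed scenario: clean baseline, then an injected core file and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        core = root / "app" / "code" / "core" / "Mage" / "Core" / "Model"
        core.mkdir(parents=True)
        (core / "App.php").write_text("<?php\nclass Mage_Core_Model_App {}\n")
        (root / "index.php").write_text("<?php\nMage::run();\n")
        baseline = build_manifest(root)  # in practice, store this off-host

        # Simulate the injection: the bogus docblock prepended to a core file.
        (core / "App.php").write_text(
            "<?php\n"
            "/**\n"
            " * Mage Patch SUPEE-5344 - initial check if not compromised\n"
            " * @author Magento Core Team - core@magentocommerce.com\n"
            " */\n"
            "class Mage_Core_Model_App {}\n"
        )
        # And a new file dropped into the tree (content is a placeholder).
        (root / "var").mkdir()
        (root / "var" / "dropped.php").write_text("<?php // placeholder\n")

        return {
            "diff": compare_manifest(root, baseline),
            "fake_patch": find_fake_patch_marker(root),
        }


if __name__ == "__main__":
    # Usage: python magento_integrity.py baseline <root> > manifest.json
    #        python magento_integrity.py check <root> manifest.json
    if len(sys.argv) >= 3 and sys.argv[1] == "baseline":
        print(json.dumps(build_manifest(Path(sys.argv[2])), indent=2))
    elif len(sys.argv) >= 4 and sys.argv[1] == "check":
        root = Path(sys.argv[2])
        baseline = json.loads(Path(sys.argv[3]).read_text())
        report = compare_manifest(root, baseline)
        report["fake_patch"] = find_fake_patch_marker(root)
        print(json.dumps(report, indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run `baseline` right after applying an official patch, and `check` from cron; any entry under `modified` inside app/code/core, or any `added` .php file outside the directories you expect to change, deserves a manual look regardless of whether the marker string matches, since the marker is only one campaign's signature.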

“Isolate your eCommerce site from your other sites, especially from those that you don’t update, and protect. Even your store blog should live on a separate hosting account,” he pointed out, and urged admins to consider a website firewall that can block exploit attempts, brute-force attacks and unauthorized access.