Attackers are actively exploiting an as-yet-unidentified flaw in Magento to steal credit card information.
More than 200,000 online stores using Magento, the eBay-owned e-commerce platform, are at high risk because attackers can gain access to sensitive data that customers submit to Magento.
This is the second attack on Magento in three months; we reported on the Shoplift bug here. It posed a critical threat to unpatched sites and led to complete compromise of the affected sites.
How does the attack work?
Web security firm Sucuri is still investigating the attack vectors and said, “It seems though that the attacker is exploiting a vulnerability in Magento core or some widely used module/extension. Using this vector, the attacker is able to inject malicious code into the Magento core file.”
Sucuri researcher Peter Gramantik says further in his post that once this code is injected, the attacker can harvest sensitive customer information and silently keep an eye on the website.
Every POST request is passed to the attacker's code, which singles out the credit card details according to a set of structured rules before storing them in encrypted form.
Attackers store the billing information processed by the infected site in a fake image (JPEG or GIF) file. Loaded in a web browser, the file simply appears as a broken image; the attacker, however, can download the whole file and decrypt the stolen data with the public key, collecting all the billing information processed by the Magento e-commerce website.
Can you trace the attack?
To evade discovery, the malicious script includes a small purge function that wipes its trail clean.
Also noteworthy is that the PUBLIC_KEY used to decrypt the stolen data is the same across different instances of the attack, which suggests that a single person is probably responsible for creating all the different versions of the script.
Attackers also alter the creation timestamp of the fake image and add a header to escape detection.
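The two evasion tricks described above (a data store disguised as an image, and a rewound file timestamp) both leave artifacts a defender can look for. The following Python scan is an added example, not code from Sucuri's post or from Magento: it walks a web root, flags files with a JPEG/GIF extension whose leading bytes are not an image signature, and flags files whose modification time has been pushed far behind the inode change time (ctime), which a tool such as `touch` cannot rewrite on Linux. The directory layout and file contents it builds for the demo are constructed sample data, not Magento's real paths; the ctime heuristic assumes a Linux/Unix filesystem.

```python
from __future__ import annotations

import os
import tempfile
import time
from pathlib import Path

# Magic bytes for the image types the skimmer impersonates.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def header_matches_extension(path: Path) -> bool:
    """Return True when the file's leading bytes form a valid signature for its extension.

    A blob of ciphertext saved under a .jpg/.gif name renders as a 'broken image'
    precisely because these bytes are missing.
    """
    signatures = IMAGE_SIGNATURES[path.suffix.lower()]
    with path.open("rb") as fh:
        head = fh.read(8)
    return any(head.startswith(sig) for sig in signatures)


def looks_backdated(path: Path, slack_seconds: float = 60.0) -> bool:
    """Return True when mtime has been rewound well behind ctime.

    'touch -t' and os.utime() can set mtime to any value, but on Linux/Unix the
    kernel updates ctime itself whenever the inode changes, so a file that was
    written recently and then given an old timestamp shows ctime far ahead of
    mtime. (On Windows st_ctime is the creation time, so this check does not apply.)
    """
    st = path.stat()
    return (st.st_ctime - st.st_mtime) > slack_seconds


def scan_for_fake_images(root: Path) -> list[dict]:
    """Walk a web root and report image-named files that fail either check."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IMAGE_SIGNATURES:
            continue
        reasons = []
        if not header_matches_extension(path):
            reasons.append("image extension but non-image header")
        if looks_backdated(path):
            reasons.append("mtime rewound behind ctime")
        if reasons:
            findings.append({"path": str(path.relative_to(root)), "reasons": reasons})
    return findings


def build_sample_webroot(root: Path) -> None:
    """Constructed sample tree (hypothetical paths, not Magento's real layout):
    one genuine GIF and one 'image' that is really a blob of random-looking
    bytes whose mtime has been rewound by thirty days."""
    genuine = root / "images" / "logo.gif"
    genuine.parent.mkdir(parents=True, exist_ok=True)
    genuine.write_bytes(b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16)

    fake = root / "var" / "cache" / "thumb.jpg"
    fake.parent.mkdir(parents=True, exist_ok=True)
    fake.write_bytes(bytes(range(0x80, 0xC0)))  # constructed ciphertext-like payload
    month_ago = time.time() - 30 * 86400
    os.utime(fake, (month_ago, month_ago))  # timestamp tampering as described above


def run_demo() -> list[dict]:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_webroot(root)
        return scan_for_fake_images(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

Run `python3 scan.py` to see the constructed `var/cache/thumb.jpg` reported for both reasons while `images/logo.gif` passes; on a real host, point `scan_for_fake_images()` at the store's document root. The header check alone produces false positives for legitimately corrupt uploads, so treat a file that trips both checks as the stronger signal.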
When does an e-commerce end user know that they are at risk?
Unfortunately, end users do not know that their credit card details have been compromised until the fraudulent charges rear their ugly heads on their bank statements.
More Variants of the attack
Another variant discovered and investigated by Sucuri is more direct than the previous one: it simply steals the payment details during transaction processing and, without being detected, sends them to the hacker's email address.
This variant does not encrypt any information before sending it to the attacker. Instead, it reads the existing data variables that lie unprotected in the payment flow, which shows that the attackers have thorough knowledge of how the function and Magento work.
How to safeguard your store against attack?
Later in their post, Sucuri said it is very important for merchants to realize that it is their responsibility to protect their customers' sensitive data, and urged them to do so through PCI compliance.
Since such attacks are on the rise and can hit any e-commerce site, not just Magento users in particular, it is more important than ever to closely monitor your site and do everything possible to safeguard it.