Within half a year, criminals placed malicious scripts in over 7,000 stores based on the Magento engine. As a result of this practice, hackers stole customers’ credit card data, gaining access to their bank accounts.
According to expert Willem de Groot, who discovered the threat, this is the most aggressive script of this type created so far in the case of Magento. Hackers have already infected 7 339 Magento stores with a skimmer called MagentoCore, which retrieves data from credit cards from users who shopped on these sites. The malicious script loads into the store's cash register and steals the card data provided by users and sends it to the server controlled by the attacker. Willem de Groot reported that the hacker campaign includes a skimmer script loaded from the magentocore.net domain.
The campaign is still ongoing, and hackers are attacking new Magento stores at a rate of 50 to 60 websites per day. Among the infected stores are also companies listed on the stock exchange that are worth millions. 1450 out of over 7339 infected stores based on the Magento platform had a malicious script placed in the code for half a year. At that time, the attacked sites did not react to the data leak. The rest of the stores took on average a few weeks.
The script has the task of registering the placing of orders by customers and sends them to the server "magentocore.net". The malicious software adds a backdoor to cron.php, which will periodically download malicious code, and after running it removes itself. According to Bleeping Computer, in which Yonathan Klijnsma, a RiskIQ Threat Researcher, is quoted, the MagentoCore campaign is part of a larger card theft campaign called MageCart, which has been active since the end of 2015.
According to de Groot, currently, 4.2% of all Magento stores are infected with one or more skimmers.