Skip to main content

Many online stores are being hit by this old vulnerability

Best credit card processing service
(Image credit: Pixabay)

Hackers are taking over online stores and stealing customers' payment card data by exploiting a three-year-old vulnerability in a Magento plugin according to the FBI.

This kind of attack is known as web skimming or Magecart and in October of last year, the FBI issued a similar warning about an increase in these types of attacks.

As reported by ZDNet, attackers are exploiting a vulnerability, tracked as CVE-2019-7391, in the MAGMI (Magento Mass Import) plugin for Magento-based online stores in this latest campaign. The vulnerability is a cross-site scripting (XSS) bug that allows an attacker to plan malicious code inside of an online store's HTML code.

According to the FBI, the hackers are exploiting this vulnerability in order to steal environment credentials from online stores running Magento which they then use to take full control over targeted sites.

MAGMI plugin vulnerability

Once an attacker gains access to a site running the vulnerable plugin, they then plant web shells for future access and begin modifying the site's PHP and JavaScript files with malicious code that records customers' payment details. This payment card data is then encoded in the Base64 format, hidden inside a JPEG file and sent to the hackers' server.

The malicious server used by the hackers behind this latest campaign is used by the cybercrime service Inter which rents out infrastructure to low-skilled hacking groups so that they can launch web skimming operations.

Updating the MAGMI plugin to version 0.7.23 is highly recommended for online stores using the plugin as this fixes the XSS bug that hackers use to gain entry to the stores in the first place. Unfortunately though, the plugin only works for older versions of Magento stores running the 1.x branch that is set to reach end-of-life this June.

The FBI's flash alert also contains indicators of compromise (IOCs) that Magento users can deploy inside their web application firewalls to prevent attacks against their sties.

Via ZDNet