Largest Ever Magecart Campaign Hits 2000 E-Stores

Around 2000 e-commerce stores running the popular Magento software were attacked over the weekend, in the largest recorded campaign of its kind, according to researchers.

Sansec’s Threat Research Team warned that the 1904 Magecart attacks it detected targeted e-stores running the now out-of-date Magento version 1. A total of 10 stores were infected on Friday, followed by 1058 on Saturday, 603 on Sunday and 233 on Monday, it said.

The security firm estimates that tens of thousands of customers unwittingly had their payment details stolen over the weekend in the attacks.

“This automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015. The previous record was 962 hacked stores in a single day in July last year,” it added.

“The massive scope of this weekend’s incident illustrates increased sophistication and profitability of web skimming. Criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.”

Sansec suggested that, as many of the sites had no previous history of security incidents, the attackers may have found a new way to compromise their servers — potentially exploiting a zero-day in Magento 1 that was advertised online.

The firm warned that, if this is the case, 95,000 stores could also be exposed to the exploit, as they’re running Magento 1 and no more patches are being produced by developer Adobe.

“Official PCI requirements are to use a malware and vulnerability scanner on the server, such as Sansec’s eComscan,” it said. “Sansec also recommends to subscribe to alternative Magento 1 patch support, such as provided by Mage One.”

Back in June, Sansec spotted a spate of new Magecart infections on e-commerce sites like Claire’s. It’s possible that the groups behind these digital skimming attacks feel there are rich pickings to be had as shoppers under lockdown flood online stores and IT teams struggle to support business-critical infrastructure, leaving security gaps to exploit.
