Threat actors have once again targeted the Magento platform. The purpose of the campaign is planting payment card skimmers on online stores. According to security researcher Willem de Groot, at least 20 Magento extensions have been abused due to a number of unpatched zero-day vulnerabilities.
This is not the first time Groot uncovers serious Magento issues. In September, the researcher uncovered [wplinkpreview url=”https://sensorstechforum.com/magentocore-skimmer-infects-60-stores-per-day/”]the most successful skimming campaign, revolving around the MagentoCore skimmer. The skimmer has already infected 7,339 Magento stores in the last 6 months, thus becoming the most aggressive campaign discovered until now.
2 out of 20 Magento Vulnerable Extensions Identified
As for the current case, de Groot has successfully identified 2 of the 20 extensions and is seeking help from fellow researchers to uncover the rest. This is needed so that the zero-day flaws are patched. The good news is that he has provided a series of URL paths that have been exploited to compromise online stores running the vulnerable extensions.
While the extensions differ, the attack method is the same: PHP Object Injection(POI). This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any Javascript files. As of today, many popular PHP applications still use unserialize().
It appears that Magento replaced most of the vulnerable functions by json_decode() in patch 8788. Unfortunately, many of its popular extensions did not, the researcher noted in his post. As explained by Yonathan Klijnsma, a researcher at RisqIQ and one of the experts who has been helping de Groot, “core platforms tend to be pretty good, it’s just the plugins that keep messing up”.
The two identified extensions are the Webcooking_SimpleBundle Magento extension and TBT_Rewards. The developer of the first extensions has already released a fix. The second one, however, appears to have been abandoned a while ago. So, any online store which has this extension installed should immediately get rid of it.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: