With the back-to-school season, government and business firmly believe in the long-awaited economic recovery, and so do cybercriminals. Sansec, a company specialized in protection against Magecart attacks, announced yesterday that it had detected a large-scale automated attack campaign over the weekend. “Sansec’s Attack Detection System, which monitors threats on e-commerce sites, detected 1,904 separate Magento stores with a malicious script (skimmer) on the checkout page. Friday, 10 stores were infected, then 1,058 Saturday, 603 Sunday and 233 Monday”, the report's authors detail.
This campaign, “automated” according to Sansec, mainly targets e-commerce stores relying on Magento 1, but the researchers note that a few affected stores were using Magento 2. This is the largest attack campaign identified by Sansec since a previous wave that affected just under 1,000 sites in a single day in July 2019.
The attackers aimed to install “skimming” scripts on the targeted sites: malicious scripts capable of recording users' keystrokes as they enter their credit card code in a payment form. These techniques, known as Magecart attacks, are particularly popular with cybercriminals and difficult to detect for both victimized sites and their users.
Return of filth
According to Sansec, the attack vector exploited in this campaign could be a 0-day flaw recently offered for sale on illegal marketplaces by a user known as z3r0day. This security flaw reportedly affects versions of Magento 1, a version of the e-commerce module that has not been officially supported by its publisher, Adobe, since June 2020. The publisher would therefore not deliver a patch for this vulnerability.
Sansec estimates that just over 90,000 stores running Magento 1 are online today, a significant number of potential targets for attackers.