Not long ago, in Sep 2018, the researcher Willem de Groot unearthed the most successful skimming campaign, attacking more than 7000 stores in the last 6 months. The skimmer of the campaign, MagentoCore is supposed to be the most aggressive skimmer so far.
Recently, the Dutch security researcher again found out that hackers are abusing unpatched zero-days vulnerabilities in at least 20 Magento extensions with an aim to plant skimmers on online stores.
De Groot has tracked the campaign and only identified two of the 20 extensions that hackers are targeting. He is now seeking help from fellow researchers to detect the rest.
The researcher also provides a list of URL paths which have been exploited by hackers to infiltrate the online stores and run the vulnerable extensions.
“While the extensions differ, the attack method is the same: PHP Object Injection (POI),” de Groot said.
After suffering the same type of attack in October 2016, Magento fixed the problem by replacing most of the vulnerable functions by json_decode() in patch 8788. However, many developers didn’t follow the example and have left instances of the PHP unserialize() function inside their code, de Groot said. This leaves an opportunity to hackers to make this attack.
Yonathan Klijnsma, a researcher at RisqIQ, together with de Groot tracking the campaign explained: “core platforms tend to be pretty good, it’s just the plugins that keep messing up”.
Webcooking_SimpleBundle and TBT_Rewards are two Magento extensions which De Groot has successfully identified. The first extension has been fixed and can be used. Meanwhile, the latter one has been deactivated now. So, for those who downloaded and installed this extension, they should remove it right away before the problem occurs.