Magecart cybergang targeting e-commerce credit card data

As they have been active since 2015, the threat actors in the Magecart gang have had numerous methods of attack and targets to try these methods on. As new research is showing, the Magecart members are now shifting their focus and attack methods once more to evade detection and make a payday by stealing credit card information. The research comes from Willem de Groot, a Dutch national who is considered an expert on Magecart’s activities since their inception.

According to de Groot, the Magecart cybergang is attacking third-party sources affiliated with e-commerce platform Magento that contain a PHP-based zero-day. The zero-day in question is described as follows in a blog post by Willem:

While the extensions differ, the attack method is the same: PHP Object Injection(POI). This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any JavaScript files. As of today, many popular PHP applications still use unserialize(). Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.

That last sentence pretty much sums up why Magecart is targeting the third parties affiliated with Magento. The ability to skim credit card data is made simple as the extensions are not patched, giving hackers free reign to access data of customers. The way Magecart is going about exploiting the vulnerability is, according to de Groot, "now probing Magento stores in the wild" for the specific extensions listed below:

POST /index.php/madecache/varnish/esi/
POST /index.php/freegift/cart/gurlgift/
POST /index.php/qquoteadv/download/downloadCustomOption/
POST /index.php/ajaxproducts/index/index/
POST /index.php/minifilterproducts/index/ajax/
POST /index.php/advancedreports/chart/tunnel/
POST /index.php/bssreorderproduct/list/add/
POST /index.php/rewards/notifications/unsubscribe/
POST /index.php/emaildirect/abandoned/restore/
POST /index.php/vendors/withdraw/review/
POST /index.php/vendors/credit_withdraw/review/
POST /index.php/gwishlist/Gwishlist/updategwishlist/
POST /index.php/rewards/customer/notifications/unsubscribe/
POST /index.php/aheadmetrics/auth/index/
POST /index.php/customgrid/index/index/
POST /index.php/customgrid/Blcg/Column/Renderer/index/index/
POST /index.php/tabshome/index/ajax/
POST /index.php/customgrid/Blcg_Column_Renderer_index/index/
POST /index.php/rewards/customer_notifications/unsubscribe/
POST /index.php/vendors/credit/withdraw/review/
POST /index.php/multidealpro/index/edit/
POST /index.php/layaway/view/add/
POST /index.php/simplebundle/Cart/add/
POST /index.php/CustomGrid/index/index/
POST /index.php/netgocust/Gwishlist/updategwishlist/
POST /index.php/prescription/Prescription/amendQuoteItemQty/
POST /index.php/ajax/Showroom/submit/

Until these extensions are patched, it simply would be wise for users of the e-commerce website Magento and its third-party affiliations to exercise extreme caution and look for any signs of credit card fraud.

Featured image: Flickr/ CafeCredit.com

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Making retail mobile e-commerce apps more secure

Many e-commerce mobile apps are insecure, opening the businesses that use them to severe risks.…

17 hours ago

With eyes on the ‘Zoom boom,’ Microsoft launches Teams apps for meetings

Microsoft continues to leverage its hot Microsoft Teams. With an eye on the popularity of…

20 hours ago

Exchange 2019 and 2013: Is coexistence possible? Yes, here’s how

Exchange 2019 and 2013 coexistence can be achieved, but the road is winding and filled…

23 hours ago

Finding API code vulnerabilities before they reach production

A powerful add-on for GitHub’s code-scanning feature lets you get your API code analyzed for…

2 days ago

Pray.com app exposes millions of users in massive data leak

Pray.com is one of the most popular faith-based apps, so a data leak is a…

2 days ago

Merging and sorting files in Linux: Easier than you think

Here’s a walkthrough to guide you through the simple yet efficient process of merging and…

2 days ago