Thousands of online stores around the world have been hit by a major cybersecurity attack due to using outdated and unprotected ecommerce software.
Almost 2,000 stores using the Magento ecommerce platform were affected in what security researchers described as the “largest documented campaign to date”.
The attack was described by researchers at Sansec, which uncovered the campaign, as, “a typical Magecart attack” where injected malicious code looked to intercept the payment information of unsuspecting customers.
Sansec notes that the affected stores were found to be running Magento version 1, which was announced as reaching its end-of-life in June 2020, but is still used by around 95,000 stores worldwide.
The company detected 1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page, far larger than any other recorded attack since 2015, when it first began monitoring the software.
Sansec added that many of the affected stores had no prior history of security incidents, suggesting that a new attack method had been used to gain server (write) access. It noted that a Magento 1 0day (exploit) had been put up for sale on a hacking forum for $5000 a few weeks ago.
The company is working with the affected stores, and has made a complete list of compromised stores available to law enforcement agencies.
This is not the first time that Magento software has been flagged as a security risk recently. Back in May 2020, the FBI flagged that hackers were taking over online stores and stealing customers’ payment card data by exploiting a three-year-old vulnerability in a Magento plugin.
Adding to the seriousness of the situation is the lack of PCI, or Payment Card Industry Data Security Standard compliance, which online traders need to be in line with.
Some payment providers have said they will no longer support merchants still on Magento 1, past EOL, however others have stated customers need to switch to Magento 2, meaning many retailers are still confused about the level of support they have.