Magecart group leverages zero-days in 20 Magento extensions

Hackers are (ab)using unpatched zero-day vulnerabilities in approximately 20 Magento extensions to plant payment card skimmers on online stores, according to Dutch security expert Willem de Groot.


The researcher has been tracking this recent campaign but has only identified two of the 20 extensions that hackers are targeting. He’s now asking the wider infosec and web development community for help in identifying the other 18 extensions, so he can notify developers and have the zero-days fixed. The researcher has listed a series of URL paths through which hackers have been exploiting the zero-days to gain footholds on stores running the vulnerable extensions.

The URL paths (HTTP method followed by the request path, with the two already-identified extensions marked) are as follows:

POST /index.php/advancedreports/chart/tunnel/
POST /index.php/aheadmetrics/auth/index/
POST /index.php/ajax/Showroom/submit/
POST /index.php/ajaxproducts/index/index/
POST /index.php/bssreorderproduct/list/add/
POST /index.php/customgrid/index/index/
POST /index.php/customgrid/Blcg/Column/Renderer/index/index/
POST /index.php/customgrid/Blcg_Column_Renderer_index/index/
POST /index.php/customgrid/index/index/
POST /index.php/emaildirect/abandoned/restore/
POST /index.php/freegift/cart/gurlgift/
POST /index.php/gwishlist/Gwishlist/updategwishlist/
POST /index.php/layaway/view/add/
POST /index.php/madecache/varnish/esi/
POST /index.php/minifilterproducts/index/ajax/
POST /index.php/multidealpro/index/edit/
POST /index.php/netgocust/Gwishlist/updategwishlist/
POST /index.php/prescription/Prescription/amendQuoteItemQty/
POST /index.php/qquoteadv/download/downloadCustomOption/
POST /index.php/rewards/customer/notifications/unsubscribe/ [Already identified as "TBT_Rewards"]
POST /index.php/rewards/customer_notifications/unsubscribe/ [Already identified as "TBT_Rewards"]
POST /index.php/rewards/notifications/unsubscribe/ [Already identified as "TBT_Rewards"]
POST /index.php/simplebundle/Cart/add/ [Already identified as "Webcooking_SimpleBundle"]
POST /index.php/tabshome/index/ajax/
POST /index.php/vendors/credit/withdraw/review/
POST /index.php/vendors/credit_withdraw/review/
POST /index.php/vendors/withdraw/review/

Webcooking, the maker of the Webcooking_SimpleBundle Magento extension, one of the two extensions de Groot has already identified by name, shipped a fix within hours of the researcher reaching out. The second extension identified by name was TBT_Rewards, which was abandoned a few months ago and which should be uninstalled from all stores because of the current security risk. As this article ages, a more accurate list of affected extensions will be kept up to date on de Groot’s website.
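Store operators who want to check their own access logs against the paths de Groot published can do so with a small script. The following is an added example written for this article, not code from de Groot, ZDNet or any of the extensions named; it assumes a web server log in the common "combined" format, that the store may serve Magento routes with or without the /index.php front-controller prefix (standard Magento URL rewriting), and that Magento's "_" controller separator and nested "/" paths should be treated as the same route, which is why the list above contains pairs such as customgrid/Blcg_Column_Renderer_index/index/ and customgrid/Blcg/Column/Renderer/index/index/. The log lines in it are constructed.

```php
<?php
// Added example (not from the article or from de Groot): find POST requests
// to the extension routes listed above in a combined-format access log.

// Constructed sample log. The two POSTs from 203.0.113.7 hit listed routes
// (one with and one without the /index.php prefix); the GETs are ordinary traffic.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [23/Oct/2018:10:12:01 +0000] "POST /index.php/customgrid/index/index/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Oct/2018:10:12:03 +0000] "GET /index.php/catalog/product/view/id/42/ HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2018:10:12:05 +0000] "POST /madecache/varnish/esi/?x=1 HTTP/1.1" 500 0 "-" "curl/7.61.0"
198.51.100.9 - - [23/Oct/2018:10:12:09 +0000] "GET /index.php/customgrid/index/index/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
LOG;

// The routes from de Groot's list, method and "/index.php" prefix removed.
const SUSPECT_PATHS = [
    '/advancedreports/chart/tunnel/', '/aheadmetrics/auth/index/',
    '/ajax/Showroom/submit/', '/ajaxproducts/index/index/',
    '/bssreorderproduct/list/add/', '/customgrid/index/index/',
    '/customgrid/Blcg/Column/Renderer/index/index/',
    '/customgrid/Blcg_Column_Renderer_index/index/',
    '/emaildirect/abandoned/restore/', '/freegift/cart/gurlgift/',
    '/gwishlist/Gwishlist/updategwishlist/', '/layaway/view/add/',
    '/madecache/varnish/esi/', '/minifilterproducts/index/ajax/',
    '/multidealpro/index/edit/', '/netgocust/Gwishlist/updategwishlist/',
    '/prescription/Prescription/amendQuoteItemQty/',
    '/qquoteadv/download/downloadCustomOption/',
    '/rewards/customer/notifications/unsubscribe/',
    '/rewards/customer_notifications/unsubscribe/',
    '/rewards/notifications/unsubscribe/', '/simplebundle/Cart/add/',
    '/tabshome/index/ajax/', '/vendors/credit/withdraw/review/',
    '/vendors/credit_withdraw/review/', '/vendors/withdraw/review/',
];

// Canonical form of a request path: no query string, no "/index.php" prefix,
// lower-cased, "_" folded into "/" (Magento maps both to the same controller),
// repeated slashes collapsed, exactly one trailing slash.
function normalizePath(string $path): string
{
    $path = explode('?', $path, 2)[0];
    $path = preg_replace('#^/index\.php#', '', $path);
    $path = strtolower(str_replace('_', '/', $path));
    $path = preg_replace('#/+#', '/', $path);
    return rtrim($path, '/') . '/';
}

// Build a lookup set keyed by normalized path (duplicates collapse naturally).
function buildSuspectSet(array $paths): array
{
    $set = [];
    foreach ($paths as $p) {
        $set[normalizePath($p)] = true;
    }
    return $set;
}

// Parse one combined-format line into ip, time, method, path and status,
// or return null if the line does not look like a request record.
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5]];
}

// Return every POST whose normalized path is in the suspect set. Only POSTs
// are considered because that is the method in de Groot's list; a GET to the
// same route (the fourth sample line) is not reported.
function findSuspectRequests(string $log, array $suspectSet): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null || $req['method'] !== 'POST') {
            continue;
        }
        if (isset($suspectSet[normalizePath($req['path'])])) {
            $hits[] = $req;
        }
    }
    return $hits;
}

$hits = findSuspectRequests(SAMPLE_LOG, buildSuspectSet(SUSPECT_PATHS));
foreach ($hits as $h) {
    printf("%s %s POST %s -> HTTP %d\n", $h['time'], $h['ip'], $h['path'], $h['status']);
}
```

A match only shows that a listed extension route was posted to, not that the request succeeded; treat a hit as a prompt to confirm whether that extension is installed and patched, and to look at the request body if the server records it. To run it over a real log, replace SAMPLE_LOG with file_get_contents() of the access log.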

Extension developers are to blame

According to de Groot, the zero-days affecting the 20 extensions are practically the same vulnerability, merely found in 20 different places.

“While the extensions differ, the attack method is the same: PHP Object Injection (POI),” de Groot said in a technical report published today. He says attackers are abusing the PHP unserialize() function to insert malicious code inside the victim’s site. This particular type of attack isn’t exactly new or novel.

The Magento e-commerce platform itself was once affected by this very same issue, which has received the CVE-2016-4010 identifier. The Magento team fixed this vulnerability by replacing the PHP unserialize() function with json_decode() in patch SUPEE-8788, released in October 2016. But according to de Groot, many extension developers didn’t follow the Magento team’s example and have left instances of the PHP unserialize() function inside their code, leaving Magento stores exposed to this attack, even if they applied the SUPEE-8788 patch years before.
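The difference between the vulnerable pattern de Groot describes and the SUPEE-8788 fix fits in a few lines. The block below is an added illustration for this article, not code from Magento or from any of the extensions named; the CacheEntry class and the function names are made up for the example, and it assumes PHP 7.1 or later (the allowed_classes option of unserialize() exists from PHP 7.0).

```php
<?php
// Added example, not Magento code: why unserialize() on request data is a
// PHP Object Injection sink, and the two ways a developer can close it.

// Stand-in for any class that happens to be loadable in the store's process.
// Its magic method runs during unserialize() without the application calling it;
// which classes an attacker can name is decided by autoloading, not by the developer.
class CacheEntry
{
    public $label = '';

    public function __wakeup()
    {
        echo "CacheEntry::__wakeup() ran for label '{$this->label}'\n";
    }
}

// Vulnerable shape: a POST parameter handed straight to unserialize().
// Whatever class name the data carries gets instantiated, and its
// __wakeup()/__destruct() code runs with the web server's privileges.
function loadOptionsVulnerable(string $untrusted)
{
    return unserialize($untrusted);
}

// Fix 1, the SUPEE-8788 approach: change the wire format to JSON.
// json_decode() only ever yields arrays, stdClass and scalars, never
// application objects, so there is nothing for a magic method to hang off.
function loadOptionsJson(string $untrusted): ?array
{
    $data = json_decode($untrusted, true, 16);
    return is_array($data) ? $data : null;
}

// Fix 2, when the serialized format cannot be changed: forbid every class.
// Any object in the payload degrades to __PHP_Incomplete_Class, so no
// constructor-like magic method of an application class is ever invoked.
function loadOptionsRestricted(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed input: a serialized object, as a legitimate stored value would
// look, but here imagine it arriving in a request body.
$entry = new CacheEntry();
$entry->label = 'from-request';
$serialized = serialize($entry);

// Vulnerable path: the echo inside __wakeup() fires and a real CacheEntry comes back.
$v = loadOptionsVulnerable($serialized);
var_dump($v instanceof CacheEntry);

// Restricted path: nothing is echoed; the object is an incomplete-class placeholder.
$r = loadOptionsRestricted($serialized);
var_dump($r instanceof __PHP_Incomplete_Class);

// JSON path: the serialized blob is not JSON and is rejected, while a plain
// JSON option set decodes to an ordinary array.
var_dump(loadOptionsJson($serialized));
var_dump(loadOptionsJson('{"qty":2,"color":"red"}'));
```

The pattern worth auditing an extension for is any unserialize() call whose argument can be traced back to $_POST, $_GET, a cookie or a request body; in a Magento 1 module that usually means controller actions under the extension's controllers/ directory, which is exactly where the listed routes resolve.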

“Core platforms tend to be pretty good, it’s just the plugins that keep messing up,” said Yonathan Klijnsma, a threat researcher at RiskIQ and one of the experts who has been tracking these types of attacks alongside de Groot. “Plugin writers don’t always have a security mindset for writing these plugins, it’s more about the functionality of their plugin,” Klijnsma told ZDNet today.

Hackers are creating fake checkout forms

The group employing this collection of Magento extension zero-days is one of the groups tracked under the umbrella term Magecart. Magecart attacks have been happening for the past three years, but they have intensified and grown bolder this year after some attacks hit larger entities, such as Ticketmaster, British Airways, and Newegg. While initially there was only one Magecart group behind the attacks, several different actors are now active using the same modus operandi.

De Groot says the group behind the Magento extensions zero-day campaign is also quite clever. The hackers aren’t content with injecting a script on hacked stores that steals payment card data from checkout forms, as most other Magecart groups do. In cases where the store owner handles card payments via external providers (such as PayPal or Skype) or doesn’t handle card payments at all, this group redirects store visitors to a fake checkout form that they created for this purpose.

The group uses this fake checkout form to collect payment card details, maximizing their efforts, even on stores that other Magecart groups would have considered worthless.
