More than 2,000 Magento online stores have been hacked in what has been described as the largest such campaign since 2015.
The hackers breached the sites over the weekend and then inserted malicious scripts into the stores' source code; these scripts logged the payment card details that shoppers entered into checkout forms.
Willem de Groot, founder of Sanguine Security (SanSec), a Dutch cyber-security firm specialized in tracking Magecart attacks, said that 10 stores were affected on Friday, followed by 1,058 on Saturday, 603 on Sunday and 233 on Monday.
This automated campaign is considered the largest the security company has identified since it started monitoring in 2015. The previous record was 962 hacked stores in a single day, in July last year.
The SanSec executive said that most of the compromised sites were running version 1.x of the Magento online store software, which reached end-of-life (EOL) on June 30, 2020, and no longer receives security updates.
Adobe, which owns Magento, had already warned about attacks against sites running Magento 1.x last year, when it issued its first alert in November 2019 telling store owners they needed to update to the 2.x branch.
Similar warnings were also included in security advisories issued by Mastercard and Visa over the spring.
How the hackers broke into the attacked sites has not been determined, but de Groot said that ads for a Magento 1.x zero-day vulnerability had been posted on underground hacking forums last month, confirming that hackers had waited for the EOL to come around.
In the ad, a user named z3r0day offered to sell a remote code execution (RCE) exploit for $5,000, an offer that looked credible at the time.
However, since November 2019, when Adobe started urging Magento owners to migrate to the newer branch, the number of Magento 1.x stores has fallen from 240,000 to 110,000 in June 2020, and to 95,000 now.
Most of the stores that have not updated have very low user traffic, but some high-traffic sites are still running the 1.x branch and relying on web application firewalls (WAFs) to stop attacks.