Magecart hackers are exploiting a long list of zero-day vulnerabilities in popular store extension software to inject the digital skimming code into targeted e-commerce sites, according to new research.
Dutch security consultant Willem de Groot revealed this week that the attackers had amassed a large number of Magento extensions which contained PHP Object Injection (POI) vulnerabilities.
“This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site. With that, they are able to modify the database or any Javascript files,” he explained.
“As of today, many popular PHP applications still use unserialize(). Magento replaced most of the vulnerable functions by json_decode() in patch 8788, but many of its popular extensions did not.”
With attackers actively probing vulnerable websites, de Groot issued an appeal to developers of the sites to patch quickly. According to his Twitter account, 13 out of the 20 probes/sites had been identified at the time of writing.
This Magecart group differs from some of the attackers we’ve seen before in that, rather than inject the malicious code directly into a target site payment page or third-party, it will insert a customized payment overlay.
“This works for sites that have external payments, or no credit card payments at all, because a fake credit card payment section is inserted,” de Groot explained. “Once a user enters his [card] details and clicks submit, the fake credit card form disappears and the unsuspecting user will likely try again. The fake form will not show a second time, because a cookie is set to prevent that.”
This is just the latest Magecart discovery and once again is proof that several competing groups are using the digital skimming code to harvest large troves of customer card data from e-commerce sites.
Other campaigns have hit hundreds of big-name sites around the world, including BA and Ticketmaster.