Two hacking groups responsible for the huge spike in hacked Magento 2.x stores


According to Sanguine Security founder Willem de Groot, two hacker groups are responsible for a huge spike in the number of hacked Magento 2.x shopping sites.

It is now the third consecutive month in which the number of Magento 2.x hacked sites has doubled, before doubling between March and April, and again from April to May.

hacked magento 2stores

Image: Sanguine Security


“PRODSECBUG-2198,” the codename of a security flaw in the Magento 2.x content management system (CMS), the most popular CMS to build self-hosted online shops, is at the heart of these spikes in hacked sites.

The vulnerability is a Magento CMS SQL injection fault that can be exploited to take over unpatched, vulnerable sites by remote, unauthenticated attackers. Get to know about free online sql injection scanner here.

At the end of March, the Magento team patched the bug; however, things didn’t go as planned, as attacks starting to exploit this bug only 16 hours later, de Groot says.

After Ambionics, the company that discovered the bug, also released proof-of-concept code just two days after the Magento patch, things took a turn for the worse, without allowing store owners enough time to patch.

PRODSECBUG-2198 attacks were subsequently overwhelmed, causing an increase in the number of hacked 2.x sites on Magento, with hackers planting malware on endangered stores to steal payment card data from the reader while shopping for new products.


“I run a daily scan on the top million sites and check for suspicious activity and verified malware,” de Groot told Cybersguards today in an email about how he compiled his data. “My graphs are based on verified malware.”

But while on Magento stores there are several groups hacking and planting malware, de Groot says the recent spike is driven almost entirely by the activity of just two groups. “Two actors seem to be responsible,” the researcher told Cybersguards, “one has 70% of the breaches and the other 20%.

“The bigger one was also behind the hack of Puma Australia and supports skimming of 50 + global payment services, which allows him/her to quickly scale the skimming operations,” de Groot said.

“It’s hard to get rid of these skimmers once they are in,” the researcher added on Twitter separately. “20% of merchants are reinfected, typically within two weeks.” In addition to updating Magento to versions 2.3.1, 2.2.8 and 2.1.17 containing the fix for this security flaw, de Groot has also published a number of tips on how to handle hacked sites on the Sanguine Security website or how to take additional protection measures to secure Magento stores.


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.