Hundreds of E-Commerce Sites Booby-Trapped With Payment Card-Skimming Malware

An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: About 500 e-commerce websites were recently found to be compromised by hackers who installed a credit card skimmer that surreptitiously stole sensitive data when visitors attempted to make a purchase. A report published on Tuesday is only the latest one involving Magecart, an umbrella term given to competing crime groups that infect e-commerce sites with skimmers. Over the past few years, thousands of sites have been hit by exploits that cause them to run malicious code. When visitors enter payment card details during purchase, the code sends that information to attacker-controlled servers.

Sansec, the security firm that discovered the latest batch of infections, said the compromised sites were all loading malicious scripts hosted at the domain naturalfreshmall[.]com. "The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form," firm researchers wrote on Twitter. "Payments are sent to https://naturalfreshmall.com/p...." The hackers then modified existing files or planted new files that provided no fewer than 19 backdoors that the hackers could use to retain control over the sites in the event the malicious script was detected and removed and the vulnerable software was updated. The only way to fully disinfect the site is to identify and remove the backdoors before updating the vulnerable CMS that allowed the site to be hacked in the first place.

Sansec worked with the admins of hacked sites to determine the common entry point used by the attackers. The researchers eventually determined that the attackers combined a SQL injection exploit with a PHP object injection attack in a Magento plugin known as Quickview. [...] It's not hard to find sites that remain infected more than a week after Sansec first reported the campaign on Twitter. At the time this post was going live, Bedexpress[.]com continued to contain this HTML attribute, which pulls JavaScript from the rogue naturalfreshmall[.]com domain. The hacked sites were running Magento 1, a version of the e-commerce platform that was retired in June 2020. The safer bet for any site still using this deprecated package is to upgrade to the latest version of Adobe Commerce. Another option is to install open source patches available for Magento 1 using either DIY software from the OpenMage project or with commercial support from Mage-One.

Unless we break the scammers business models...

[shanen]

...these problems are not going away.

And I still think the root of most of these scams is spam email. As far as I can tell, every one of the major email providers has "Live and let spam" as part of their so-called business model. Small email providers, too. More like the monkey business model. Which is why I can't understand the lack of existence of a single spammer-fighting email system.

Having said that, I haven't studied the details of this particular scam. It might be a server-side menace, but it might a

Re:

[Oligonicella]

Much as I dislike Google, my GMail eaddr gets zero spam. And I have not once had to flag a message as spam. My older one housed elsewhere gets crap-loads

Re:

[shanen]

That's really hard to believe based on my extensive experience with Gmail going back many years. Unless you use an extremely unique address safe from any dictionary attacks and also send very little email. Might be a very fresh account, too.

I recently saw a bleed-over from a Gmail storm that peaked at 300 per/day to another address with a similar start. So far the new spam storm is only running somewhere over 50/day. Almost certain that it's the same spammer customizing for the other email system, though an

Re:

[gweihir]

Actually not letting any random moron write security-critical software would help a lot. For this day and age to write something that allows an SQL injection, you have to be completely clueless.

No, the scammers will not go away unless their trade gets so hard that they look for honest work instead. No, we are not going to identify them or plug the holes they use to launder their ill-gotten profits.

Re:

[shanen]

Not a very clear reply, but I think you are arguing for a small kernel of elevated-privilege code and agreeing with me about the financial motivations?

So much for SAQ-A

[pierceelevated]

It appears web sites should always be in PCI-DSS scope.

Re:

[WaffleMonster]

It appears web sites should always be in PCI-DSS scope.

They are. SAQ-* does not mean PCI in its entirety does not still apply to you regardless of how solutions are marketed fine print is quite explicit on the matter.

Hole in PCI preventing sites from being on the hook for misredirections to external payment forms was closed many years ago.

Vendor profit model

[Canberra1]

A security patch is not an option eh? Just pay more and upgrade to Adobe whatever - or risk it. Open source patches are new to me - learnt something. But like MS, they never roll out fully patched images for obsolete models. Remember an unpatched PC downloading 2 hours of updates - is a sitting target. Clearly fines for running insecure platforms is insufficient. And the banks are unwilling to kneecap profitable customers too quickly. This we have a perfect storm brewing.

Good old SQL injection

[gweihir]

The mark of utter incompetence. These only still happens after being well-known for so long because there are absolute crap coders out there that have not been banned from the profession a long time ago.