Online shops fall prey to brute-force attacks by cybercriminals

But the unresolved vulnerabilities discovered on Magento sites is the real crime

Hundreds of e-commerce sites have been targeted in an attack which delivered cryptomining malware and scraped the payment card details of customers.

The compromised sites, discovered by security researchers at Flashpoint, are linked through the open-source platform Magento, which hosts a range of vendors including Made.com and luxury brands Harvey Nichols and Bulgari.

Researchers found that criminals were using brute-force attacks to access administration panels.

This allowed hackers to inject malicious code, in this case cryptomining malware, and steal sensitive information.

At least 1,000 of the compromised sites were in the education and healthcare sectors, and were based in the US and Europe.

These issues have been of interest to attackers since at least 2016.

Writing its findings in a blog post, Flashpoint said: “Once the attacker has control of the site’s Magento CMS admin panel, they have unfettered access to the site and the ability to add any script they choose.

“In this case, the attackers were injecting malicious code in the Magento core file, allowing them access to pages where payment data is processed.”

Once the code is added, an attacker is able to intercept personal information and deploy any number of criminal activities. Scraping payment card details and deploying malware to mine cryptocurrency were the most common activities practiced.

Flashpoint added: “The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection.”

Magento sites have long been an easy attack target.

In 2017, for instance, over 6,000 online shops were discovered to have been compromised in a fraudulent credit card campaign that stretched nearly two years. This was again due to known vulnerabilities that went unsolved.

Flashpoint announced the cyber-attack on April 2 and said it was working with law enforcement to notify victims.

Magento has been advised to review CMS account logins and enforce better password practices.