FBI warns about attacks on Magento online stores via old plugin vulnerability

FBI says hackers have been planting card skimmers on online stores by exploiting a 2017 bug in the MAGMI plugin.

study-of-over-11000-online-stores-finds-5dd2b42cebd1f40001afceb4-1-nov-21-2019-15-27-03-poster.jpg

The FBI says hackers are exploiting a three-year-old vulnerability in a Magento plugin to take over online stores and plant a malicious script that records and steals buyers' payment card data.

This type of attack is known as web skimming, e-skimming, or Magecart, and the FBI previously warned about a rise in attacks in October, last year.

Recent campaign exploiting MAGMI bug

In this recent campaign, attackers are exploiting CVE-2017-7391, a vulnerability in MAGMI (Magento Mass Import), a plugin for Magento-based online stores, the FBI said in a flash security alert sent to the US private sector at the start of the month.

The vulnerability is a cross-site scripting (XSS) bug that allows the attacker to plant malicious code inside an online store's HTML code.

The FBI says hackers are exploiting this vulnerability to steal environment credentials for a Magento online store, which they're using to take full control over the targeted sites.

Once they gain access to the sites, they plant web shells for future access and start modifying the site's PHP and JavaScript files with malicious code that records payment details entered on the store when users buy and pay for new products.

The FBI says payment card data recorded from user transactions is then encoded in the Base64 format, hidden inside the bits of a JPEG file, and sent to the hackers' server, located at 89.32.251.136.

According to a VirusTotal entry, this malicious server is a known host for Inter [1, 2, 3], a cybercrime service that rents infrastructure for low-skilled hacker groups so they can carry out web skimming operations. Reports of this server being used in web skimmer attacks goes back as far as May 2019.

Sites left without updates

The FBI flash alert contains indicators of compromise (IOCs) that Magento operators can deploy inside their web application firewalls (WAFs) to prevent attacks against their sites.

Updating to MAGMI 0.7.23 is also recommended, as this fixes the XSS bug that grants attackers initial access to the stores.

However, the MAGMI plugin only works for older versions of Magento stores, the 1.x branch, which is set to reach end-of-life on June 30, 2020.

Ideally, store owners should be updating their entire shops -- not just the MAGMI plugin -- to version 2.x, which will continue to receive security updates going forward.

Continuing to run Magento stores on old and unmaintained versions leaves sites to attacks as Adobe won't be releasing patches for the 1.x branch in the future