In this recent campaign, attackers are exploiting CVE-2017-7391, a vulnerability in MAGMI (Magento Mass Import), a plugin for Magento-based online stores, the FBI said in a flash security alert sent to the US private sector at the start of the month.
The vulnerability is a cross-site scripting (XSS) bug that allows the attacker to plant malicious code inside an online store's HTML code.
The FBI says hackers are exploiting this vulnerability to steal environment credentials for a Magento online store, which they're using to take full control over the targeted sites.
The FBI says payment card data recorded from user transactions is then encoded in the Base64 format, hidden inside the bits of a JPEG file, and sent to the hackers' server, located at 126.96.36.199.
According to a VirusTotal entry, this malicious server is a known host for Inter [1, 2, 3], a cybercrime service that rents infrastructure for low-skilled hacker groups so they can carry out web skimming operations. Reports of this server being used in web skimmer attacks goes back as far as May 2019.
Sites left without updates
The FBI flash alert contains indicators of compromise (IOCs) that Magento operators can deploy inside their web application firewalls (WAFs) to prevent attacks against their sites.
Updating to MAGMI 0.7.23 is also recommended, as this fixes the XSS bug that grants attackers initial access to the stores.