Breaking story – Analysts at Sancec have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. According to Sansec, the attack became evident late last month when their crawler discovered 374 infections on the same day, all using the same malware.

The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.

Subscribe
Notify of
guest

2 Expert Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Kunal Anand
Kunal Anand , Chief Technology Officer
InfoSec Expert
February 10, 2022 1:25 pm

Magecart attackers are always looking for ways to avoid detection in their quest to steal the credit card information of customers. In this attack, 500 stores were the victim of a payment card skimmer loaded onto the naturalfreshmall.com domain. The actors also abused a known vulnerability in the Quickview plugin, which allowed them to inject Magento admin users that could then run code.

Given the continued issues with outdated versions of the Magento platform, it is critical that e-commerce companies get real-time alert notifications for the payment card data leak. They should also quickly isolate any third party library changes that have caused the incident,  and quickly mitigate the risk by removing or updating the third party library and block the PCI incident to prevent further PCI data leaks.

Last edited 7 months ago by Kunal Anand
Ron Bradley
InfoSec Expert
February 10, 2022 1:18 pm

Running an ecommerce website on an outdated and unpatched platform is like driving your car without your seat belt on. The driver is thinking, the store is right around the corner, by the time I put on my seatbelt on, I’ll be there, plus I don’t want to wrinkle my clothes. Then comes the crash!

Magento and other ecommerce platforms have a long history of vulnerabilities. With NaturalFreshMall being the common denominator of this attack, one would have to wonder how they were able to pass PCI audits of their systems which surely would have called for a vulnerability scan and should have identified this issue.  

This is a prime example why it’s so important to vet both your downstream and upstream partners as part of any good third-party risk management program. Ask the tough questions about patch management and vulnerability management. Insist on getting documentation to support vendor claims.  Tell them to buckle up for everyone’s safety!

Last edited 7 months ago by Ron Bradley
Information Security Buzz
2
0
Would love your thoughts, please comment.x
()
x