Breaking story – Analysts at Sansec have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform: a single domain loading a credit card skimmer on all of them. According to Sansec, the attack became evident late last month when their crawler discovered 374 infections on the same day, all using the same malware.

The domain from which the threat actors loaded the malware is naturalfreshmall[.]com, currently offline. The goal of the threat actors was to steal the credit card information of customers of the targeted online stores.

Experts' Comments

February 10, 2022
Ron Bradley
VP
Shared Assessments


Running an ecommerce website on an outdated and unpatched platform is like driving your car without your seat belt on. The driver is thinking: the store is right around the corner, by the time I put my seatbelt on I’ll be there, plus I don’t want to wrinkle my clothes. Then comes the crash!

Magento and other ecommerce platforms have a long history of vulnerabilities. With NaturalFreshMall being the common denominator of this attack, one would have to wonder how they were able to pass PCI audits of their systems, which surely would have called for a vulnerability scan and should have identified this issue.

This is a prime example of why it’s so important to vet both your downstream and upstream partners as part of any good third-party risk management program. Ask the tough questions about patch management and vulnerability management. Insist on getting documentation to support vendor claims. Tell them to buckle up for everyone’s safety!

February 10, 2022
Kunal Anand
Chief Technology Officer
Imperva


Magecart attackers are always looking for ways to avoid detection in their quest to steal the credit card information of customers. In this attack, 500 stores were the victims of a payment card skimmer loaded from the naturalfreshmall.com domain. The actors also abused a known vulnerability in the Quickview plugin, which allowed them to inject Magento admin users that could then run code.

Given the continued issues with outdated versions of the Magento platform, it is critical that e-commerce companies get real-time alert notifications of payment card data leaks. They should also quickly isolate any third-party library changes that have caused the incident, quickly mitigate the risk by removing or updating the third-party library, and block the PCI incident to prevent further PCI data leaks.

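A defender-side check for the mechanism both comments describe, added here as an example and not code from the report or from either commenter: it inventories the external hosts a checkout page loads scripts from, flags any outside an allowlist, and diffs the inventory against a known-good snapshot so that an injected third-party script stands out. The allowlist hosts and the sample pages are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the store's own CDN and its payment provider. Relative
# script URLs are served by the store itself and are never flagged.
ALLOWED_SCRIPT_HOSTS = {"cdn.shop.example", "js.payment-provider.example"}


class ScriptSourceCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def script_hosts(html):
    """Return the set of external hosts the page loads scripts from."""
    collector = ScriptSourceCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        host = urlparse(src.strip()).hostname  # None for relative URLs
        if host:
            hosts.add(host.lower())
    return hosts


def unexpected_script_hosts(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Script hosts outside the allowlist: candidates for an injected skimmer."""
    return script_hosts(html) - set(allowed)


def new_script_hosts(baseline_html, current_html):
    """Script hosts present now but absent from a known-good snapshot."""
    return script_hosts(current_html) - script_hosts(baseline_html)


# Constructed sample: a known-good checkout page, and the same page after a
# protocol-relative <script> from the domain named in the report is injected.
BASELINE_HTML = """<html><head>
<script src="/js/mage/checkout.js"></script>
<script src="https://cdn.shop.example/theme.js"></script>
<script src="https://js.payment-provider.example/card.js"></script>
</head><body></body></html>"""
INFECTED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="//naturalfreshmall.com/loader.js"></script></head>')
```

Running either check on every deploy, and on a schedule against the live checkout page, turns a silently added skimmer host into an alert rather than a discovery made weeks later by an outside crawler.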