E-commerce websites running on the open-source Magento platform are being targeted by attackers who use brute-force password attacks to access administration panels, scrape credit card numbers and install malware that mines cryptocurrency.
Researchers at Flashpoint said that more than 1,000 Magento admin panels have been compromised, and that interest in the platform has continued unabated on entry-level and top-tier Deep & Dark Web forums since 2016. Attackers have demonstrated continued interest in other popular e-commerce-processing content management systems such as Powerfront CMS and OpenCart.
Once the attacker has control of the site’s Magento CMS admin panel, they have access to the site and the ability to add any script they choose. In this case, the attackers were injecting malicious code into the Magento core file, allowing them access to pages where payment data is processed. POST requests to the server containing sensitive data are then intercepted and redirected to the attacker.
Flashpoint analysts said the compromised sites return an exploit in the form of a fake Adobe Flash Player update, which, if launched by the user, runs malicious JavaScript that downloads malware onto the victim’s computer from attacker-controlled servers on GitHub and other compromised sites.
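For site operators, the brute-force stage described above is visible in web server access logs as bursts of login POSTs to the admin panel from a single client. The following is an added detection sketch, not code from Flashpoint or Magento; it assumes combined-format access logs and that the login form is posted to `/admin` or `/index.php/admin` (many sites use a custom admin path), and the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumption: login form posts to /admin or /index.php/admin; adjust for custom paths.
ADMIN_LOGIN = re.compile(r"^/(index\.php/)?admin/?(\?|$)")
# Combined log format: ip ident user [time] "METHOD path proto" ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" ')


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: peak_count} for clients that sent at least `threshold`
    admin-login POSTs within any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, method, path = m.groups()
        if method != "POST" or not ADMIN_LOGIN.match(path):
            continue
        now = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(now)
        # Drop attempts that have aged out of the window.
        while (now - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _sample():
    # Constructed log lines using documentation-range IP addresses.
    tpl = '{ip} - - [12/Mar/2018:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 512 "-" "-"'
    lines = [tpl.format(ip="203.0.113.7", s=i * 2, m="POST", p="/admin/") for i in range(8)]
    lines.append(tpl.format(ip="198.51.100.20", s=5, m="POST", p="/admin/"))
    lines.append(tpl.format(ip="198.51.100.20", s=40, m="GET", p="/admin/"))
    lines.append(tpl.format(ip="203.0.113.7", s=50, m="POST", p="/checkout/cart/add"))
    return lines


SAMPLE_LOG = _sample()

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} admin login POSTs within 60s")
```

The threshold and window are starting points to tune against normal administrator activity on the site.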