Magecart Operators Poison Magento Extensions

Delaware, USA – October 25, 2018 — It is already known about 20 Magento extensions that are vulnerable to the attacks of cybercriminal groups behind the Magecart operation. Security researcher Willem de Groot, who has long been following the Magecart activity, identified sixteen extensions and asked the public for help to identify the others. The developers of several extensions have already released updates that close the vulnerability, but TBT_Rewards, AW_AheadMetrics and BL_CustomGrid extensions are abandoned, and their developers will not issue patches for them, so it is recommended to remove them from your website. In all cases, adversaries use PHP Object Injection abusing PHP’s unserialize() function to inject malicious code into the site. Despite the fact that Magento no longer uses this function, many popular extensions have not abandoned unserialize () in favor of json_decode().

According to RiskIQ, there are six different groups behind the attacks. The first attacks this year occurred in the summer, and the intensity of the attacks increases every month. Adversaries have already stolen data about hundreds of thousands of payment cards during large-scale operations, such as the compromise of the Shopper Approved plug-in, as well as attacks on the websites of the British Airways, broadcasting giant ABS-CBN and the California retailer Newegg. The attacks do not cease, and cybercriminals are constantly looking for new opportunities to inject card-skimming scripts into websites of organizations that process payments online. ArcSight with the Web Application Security Framework rule pack can minimize risks related to attacks on your publicly accessible Web applications: