More than 2,000 Magento online stores were hacked over the weekend in what security researchers have dubbed the “greatest campaign of all time”.
The attacks were a typical Magecart scheme, where hackers breached websites and then injected malicious scripts into the stores.
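A defender-side illustration of the injection technique described above: the snippet below is an added example, not code from the article or from Sansec, and it assumes a store operator keeps an allowlist of the hosts their pages legitimately load scripts from. It parses a page, lists every script origin, and flags external origins that are not on the allowlist, which is the cheapest way to notice a newly injected skimmer tag between full malware scans. The sample page, the allowlist and the hostnames in it are constructed for the example.

```python
# Added example (not from the article): list the script origins a store page
# loads and flag any external origin that is not on the operator's allowlist.
# Magecart injections typically add a <script src="..."> pointing at an
# attacker-controlled host, or an inline script, so a baseline of script
# origins makes an unexpected addition stand out.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external script sources and counts inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []      # src values of <script src=...>
        self.inline_count = 0   # <script> tags with no src attribute

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def script_origins(html):
    """Return (list of script hosts in document order, number of inline scripts).
    Same-origin (relative) script URLs are reported as "(relative)"."""
    parser = ScriptCollector()
    parser.feed(html)
    origins = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        origins.append(host or "(relative)")
    return origins, parser.inline_count


def find_unexpected_scripts(html, allowed_hosts):
    """Return the sorted set of external script hosts not in allowed_hosts.
    Relative URLs are served by the store itself and are treated as allowed."""
    origins, _ = script_origins(html)
    return sorted({h for h in origins
                   if h != "(relative)" and h not in allowed_hosts})


# Constructed sample page: a normal store page plus one injected skimmer tag
# (hostnames under .test and .invalid are reserved and do not resolve).
SAMPLE_PAGE = """<html><head>
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://cdn.example-store.test/js/checkout.js"></script>
</head><body>
<script>window.checkoutConfig = {};</script>
<script src="https://skimmer.invalid/js/loader.js"></script>
</body></html>"""

# The store operator's own allowlist (constructed for this example).
ALLOWED = {"cdn.example-store.test"}

if __name__ == "__main__":
    hosts, inline = script_origins(SAMPLE_PAGE)
    print("script origins:", hosts, "| inline scripts:", inline)
    for host in find_unexpected_scripts(SAMPLE_PAGE, ALLOWED):
        print("unexpected script origin:", host)
```

In practice the baseline would be captured from a known-clean deployment and the check run against the live checkout page on a schedule; a change in the inline-script count is worth reviewing too, since skimmers are often injected inline rather than loaded from a remote host.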
“10 stores were infected on Friday, 1,058 on Saturday, 603 on Sunday and 233 today,” said Willem de Groot, founder of Sanguine Security (SanSec), a Dutch cyber security company that specializes in tracking Magecart attacks.
“This automated campaign is by far the largest that Sansec has identified since monitoring began in 2015,” added de Groot. “The previous record was 962 stores hacked in a single day last July.”
Most stores were running an EOL version
The SanSec founder stated that most of the compromised websites were running version 1.x of the Magento online store software.
This Magento version reached end of life (EOL) on June 30, 2020 and no longer receives security updates.
Ironically, attacks on websites running the now outdated Magento 1.x software have been expected since last year, when Adobe, which owns Magento, issued its first warning in November 2019 that store owners needed to upgrade to the 2.x branch.
Adobe’s initial warning of impending attacks on Magento 1.x stores was later repeated in similar security advisories from Mastercard and Visa in the spring.
In our coverage of the Mastercard and Visa warnings, several experts from the web security community told this reporter that no new Magento 1.x vulnerabilities had been discovered for some time, which was unusual, as the 1.x branch was old and riddled with security holes.
At the time, these security experts believed that hackers were deliberately sitting on their Magento 1.x exploits, waiting for the EOL to arrive so that Adobe would not patch their bugs.
It seems these experts were right.
While de Groot has not yet identified how hackers broke into the websites targeted over the weekend, the SanSec founder stated that last month an advertisement for a zero-day vulnerability in Magento 1.x was posted on underground hacking forums, confirming that hackers had been waiting for the EOL to arrive.
A user named z3r0day offered to sell a Remote Code Execution (RCE) exploit for $5,000, an offer that was considered credible at the time.
The good news is that since November 2019, when Adobe asked Magento owners to migrate to the newer branch, the number of Magento 1.x stores has dropped from 240,000 to 110,000 in June 2020 and to 95,000 today.
The pace is slow, but many of the stores that have not been updated are believed to be abandoned and to receive very little user traffic. However, some high-traffic sites continue to run the 1.x branch and rely on web application firewalls (WAFs) to stop attacks.
This is a risky strategy that, while it may keep a store PCI compliant, is not a wise decision in the long run.
In related news, Adobe also announced last week that it has partnered with SanSec to integrate the security company’s database of more than 9,000 Magento malware signatures into the Magento backend Security Scan Tool.