Hackers Injected Credit Card Skimmers to 500 Stores Running With Magento

On January 25, Sansec posted a tweet that nearly 300+ e-commerce stores were infected with malware. Sansec detected a massive data breach at 500 stores which were running on Magento 1. Magento is an open-source e-commerce platform provided by Adobe. 

All of the stores were affected with a payment skimmer which was loaded to them from naturalfreshmall.com. During the first investigation, Investigators found that the hackers used a clever combination of SQL Injection and PHP Object Injection attack to control the Magento stores.

POI Attack at Zend_Memory_Manager

Further investigations revealed that a known vulnerability in the Quickview plugin was used to abuse the systems which is usually used to inject rogue Magento admin users. But in this case, the attackers used this vulnerability to directly run code on the server. A clear explanation was given by Sansec on how this was possible. 

Initially, the attackers used the Quickview plugin vulnerability to add a validation rule to the customer_eav_attribute table

45.72.31.112 2022-01-28T15:11:59Z “GET /quickview/index/view/path/’);UPDATE%20customer_eav_attribute%20SET%20validate_rules=UNHEX(‘613a…d7d’)%20WHERE%20validate_rules=’a:2:%7Bs:15:%22max_text_length%22;i:255;s:15:%22min_text_length%22;i:1;%7D’; HTTP/1.1”

The PHP Object Injection is used for crafting a malicious object by the host application. In this attack, the Zend_Memory_Manager and Zend_CodeGenerator_Php_File are used for creating a file called api_1.php followed by a simple backdoor eval($_POST[‘z’]).

Sign Up Activates the Attack

For running the code, Magento need to unserialise the code. The attackers achieved this by using the validation rules set for new customers. By using the sign up page of Magento, the attacker unserialises the data which makes the code to run.

45.72.31.112    2022-01-28T15:12:02Z “GET /customer/account/create/ HTTP/1.1”

45.72.31.112    2022-01-28T15:12:08Z “GET /api_1.php HTTP/1.1”

The api_1.php which is controlled by the attacker is now able to run any PHP code.

During these attacks, the attacker left nearly 19 backdoors on the system which needs to be eliminated in order to prevent future attacks. Many files consisted of the malicious Magento code.

Sansec also posted a list of IP’s that were implicated during the attack

132.255.135.230 US 52485 networksdelmanana.com
132.255.135.51 US 52485 networksdelmanana.com
138.36.92.216 US 265645 HOSTINGFOREX S.A.
138.36.92.253 US 265645 HOSTINGFOREX S.A.
138.36.93.206 US 265645 HOSTINGFOREX S.A.
138.36.94.2 US 265645 HOSTINGFOREX S.A.
138.36.94.224 US 265645 HOSTINGFOREX S.A.
138.36.94.241 US 265645 HOSTINGFOREX S.A.
138.36.94.59 US 265645 HOSTINGFOREX S.A.
138.94.216.131 US 263744 Udasha S.A.
138.94.216.172 US 263744 Udasha S.A.
138.94.216.186 US 263744 Udasha S.A.
138.94.216.230 US 263744 Udasha S.A.
141.193.20.147 US 64249 ENDOFFICE
144.168.218.117 US 55286 SERVER-MANIA
144.168.218.136 US 55286 SERVER-MANIA
144.168.218.249 US 55286 SERVER-MANIA
144.168.218.70 US 55286 SERVER-MANIA
144.168.218.94 US 55286 SERVER-MANIA
144.168.221.92 US 55286 SERVER-MANIA
186.179.14.102 US 52393 Corporacion Dana S.A.
186.179.14.134 US 52393 Corporacion Dana S.A.
186.179.14.179 US 52393 Corporacion Dana S.A.
186.179.14.204 US 52393 Corporacion Dana S.A.
186.179.14.44 US 52393 Corporacion Dana S.A.
186.179.14.76 US 52393 Corporacion Dana S.A.
186.179.14.97 US 52393 Corporacion Dana S.A.
186.179.39.183 US 52393 Corporacion Dana S.A.
186.179.39.226 US 52393 Corporacion Dana S.A.
186.179.39.35 US 52393 Corporacion Dana S.A.
186.179.39.7 US 52393 Corporacion Dana S.A.
186.179.39.74 US 52393 Corporacion Dana S.A.
186.179.47.205 US 52393 Corporacion Dana S.A.
186.179.47.39 US 52393 Corporacion Dana S.A.
191.102.149.106 US 394474 WHITELABELCOLO393
191.102.149.197 US 394474 WHITELABELCOLO393
191.102.149.253 US 394474 WHITELABELCOLO393
191.102.163.202 US 394474 WHITELABELCOLO393
191.102.163.208 US 394474 WHITELABELCOLO393
191.102.163.7 US 394474 WHITELABELCOLO393
191.102.163.74 US 394474 WHITELABELCOLO393
191.102.170.173 US 394474 WHITELABELCOLO393
191.102.170.81 US 394474 WHITELABELCOLO393
191.102.174.128 US 394474 WHITELABELCOLO393
191.102.174.211 US 394474 WHITELABELCOLO393
191.102.174.239 US 394474 WHITELABELCOLO393
191.102.174.247 US 394474 WHITELABELCOLO393
191.102.174.52 US 394474 WHITELABELCOLO393
191.102.179.22 US 394474 WHITELABELCOLO393
191.102.179.31 US 394474 WHITELABELCOLO393
191.102.179.62 US 394474 WHITELABELCOLO393
192.198.123.164 US 55286 SERVER-MANIA
192.198.123.225 US 55286 SERVER-MANIA
192.198.123.226 US 55286 SERVER-MANIA
192.198.123.43 US 55286 SERVER-MANIA
192.241.67.128 US 55286 SERVER-MANIA
193.32.8.1 US 201814 Meverywhere sp. z o.o.
193.32.8.33 US 201814 Meverywhere sp. z o.o.
193.32.8.63 US 201814 Meverywhere sp. z o.o.
193.32.8.76 US 201814 Meverywhere sp. z o.o.
193.8.238.91 US 60781 LeaseWeb Netherlands B.V.
195.123.246.212 CZ 204957 ITL-Bulgaria Ltd.
198.245.77.132 US 55081 24SHELLS
198.245.77.217 US 55081 24SHELLS
198.245.77.253 US 55081 24SHELLS
206.127.242.99 US 201106 Spartan Host Ltd
209.127.104.174 US 55286 SERVER-MANIA
209.127.105.225 US 55286 SERVER-MANIA
209.127.105.73 US 55286 SERVER-MANIA
209.127.106.211 US 55286 SERVER-MANIA
209.127.106.44 US 55286 SERVER-MANIA
209.127.107.141 US 55286 SERVER-MANIA
209.127.107.169 US 55286 SERVER-MANIA
209.127.107.187 US 55286 SERVER-MANIA
209.127.109.138 US 55286 SERVER-MANIA
209.127.109.225 US 55286 SERVER-MANIA
209.127.109.87 US 55286 SERVER-MANIA
209.127.110.144 US 55286 SERVER-MANIA
209.127.110.177 US 55286 SERVER-MANIA
209.127.111.68 US 55286 SERVER-MANIA
209.127.111.99 US 55286 SERVER-MANIA
209.127.116.101 US 55286 SERVER-MANIA
209.127.116.167 US 55286 SERVER-MANIA
209.127.116.231 US 55286 SERVER-MANIA
209.127.117.214 US 55286 SERVER-MANIA
209.127.117.49 US 55286 SERVER-MANIA
209.127.118.136 US 55286 SERVER-MANIA
209.127.118.96 US 55286 SERVER-MANIA
209.127.172.15 US 55081 24SHELLS
209.127.172.60 US 55081 24SHELLS
209.127.172.99 US 55081 24SHELLS
209.127.173.13 US 55081 24SHELLS
209.127.173.154 US 55081 24SHELLS
209.127.173.215 US 55081 24SHELLS
209.127.174.177 US 55081 24SHELLS
209.127.175.113 US 55081 24SHELLS
209.127.97.6 US 55286 SERVER-MANIA
209.127.98.244 US 55286 SERVER-MANIA
209.127.98.81 US 55286 SERVER-MANIA
209.127.98.91 US 55286 SERVER-MANIA
209.127.99.16 US 55286 SERVER-MANIA
209.127.99.205 US 55286 SERVER-MANIA
217.170.207.111 NO 34989 ServeTheWorld AS
23.106.125.64 SG 59253 Leaseweb Asia Pacific pte. ltd.
45.72.112.143 US 55081 24SHELLS
45.72.18.133 US 55081 24SHELLS
45.72.18.234 US 55081 24SHELLS
45.72.18.236 US 55081 24SHELLS
45.72.31.112 US 55081 24SHELLS
45.72.85.178 US 55081 24SHELLS
45.72.86.142 US 55081 24SHELLS
45.72.86.201 US 55081 24SHELLS

Adobe is said to have stopped it’s updates and patches on Magento 1 but still many of the e-commerce platforms are relying on it. Hence it is recommended to update the Magento versions regularly from external patches.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates.

Posted by Charlie