This past weekend saw the largest hacking campaign to date against Magento 1 stores. Nearly 2000 stores were targeted in a Magecart attack: injected malicious code intercepted the payment information of unsuspecting store customers. Stores inspected by Sansec were found to be running Magento version 1, which was declared End-Of-Life in June of this year.

The Sansec early breach detection system, which monitors the global eCommerce space for security threats, detected 1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page. On Friday, 10 stores got infected, then 1058 on Saturday, 603 on Sunday and 233 on Monday.

Sansec has been monitoring this type of activity since 2015 and has described this campaign as the largest they’ve ever seen. The previous record was 962 hacked stores in a single day, in July last year.

This weekend’s incident highlights an increased sophistication and profitability of web skimming. Sansec has found that criminals have been increasingly automating their hacking operations to run web skimming schemes on as many stores as possible.

They’ve estimated that tens of thousands of customers had their private information stolen over the weekend via one of the compromised stores.


Magento Exploit Sold

Whilst their investigation is still ongoing, it appears that many victimised stores have no prior history of security incidents. This suggests that a new attack method was used to gain server (write) access to all these stores.

They believe this campaign might be related to a recent Magento 1 0day (exploit) that was put up for sale a few weeks ago.


What They Found

User z3r0day announced on a hacking forum the sale of a Magento 1 “remote code execution” exploit method, including an instruction video, for $5000.

It was alleged that no prior Magento admin account is required. Seller z3r0day stressed that – because Magento 1 is End-Of-Life – no official patches will be provided by Adobe to fix this bug, which renders this exploit extra damaging to store owners using the legacy platform.

In what was described as a deal sweetener, z3r0day pledged to only sell 10 copies of the dangerous exploit (the announcement was translated from Russian).

According to live Sansec data, some 95,000 Magento 1 stores are still operating as of today.


What to do now?

Some things can be done to mitigate the risk, like using a malware and vulnerability scanner or finding third-party patch support, but there is really only one answer: you need to move to a platform that is ‘living’ and continues to provide security support.

For Magento 1 users, the obvious step is to migrate to Magento 2 Commerce or Magento 2 Open Source. This allows you to continue to work with a platform that feels familiar but benefit from the enhanced features and continued platform support from Adobe.


Eclipse is here to help

The good news is that we’re here to help you get secure and protect yourself from exploits like the one seen over the weekend, which take advantage of the gaps created by a platform being end of life.

We’ve tailored a Magento solution for everyone, no matter where your starting point in the market is. It’s just about us getting together, discussing the options that will work best for your business and then working to get you accelerated toward success.

We have a history of both developing from new and re-platforming businesses with Magento. By working with us, you’re getting access to this experience and expertise.

Reach out to us and let’s start talking about how we can get your site moved and more secure.