Quote:One of the largest known Magecart campaigns to date took place over the weekend, with nearly 2,000 e-commerce sites hacked in an automated campaign that may be linked to a zero-day exploit. The attacks have impacted tens of thousands of customers, who had their credit-card and other information stolen, researchers said.
 
According to Sansec Threat Intelligence, online stores running Magento versions 1 and 2 are being targeted in a classic Magecart attack pattern, where e-commerce sites are hacked, either via a common vulnerability or stolen credentials. If a compromise is successful, merchant websites are then injected with a web skimmer, which surreptitiously exfiltrates personal and banking information entered by customers during the online checkout process.
 
The firm’s telemetry picked up “1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page,” the firm said in a posting on Monday. “On Friday, 10 stores got infected, then 1058 on Saturday, 603 on Sunday and 233 today….Most stores were running Magento version 1, which was announced end-of-life last June. However, some stores were running Magento 2.”

In delving into the campaign, Sansec researchers were able to determine that many victimized stores had no prior history of security incidents; and, they speculated that the attacks may be linked to a $5,000 Magento exploit that went up for sale in August in underground forums. The zero-day allows a brand-new avenue to gaining server (write) access to fully patched websites.