Criminals are exploiting a critical vulnerability found on around 100,000 eCommerce sites in a large wave of attacks that has put customers' personal information at risk of theft.
The remote code-execution hole is in both the enterprise and community editions of Magento, the most widely used management platform for eCommerce sites on the internet. Engineers from eBay, which owns the Magento platform, released a patch in February to close the vulnerabilities, but as of this week more than 98,000 merchants still had not installed it, according to Byte, a company in the Netherlands that hosts Magento websites. The consequences are now playing out, as Chinese and Russian attackers launch exploits that give them full access to any vulnerable website.
Netanel Rubin, a vulnerability and malware researcher with the security firm Checkpoint, stated that the vulnerability is actually a chain of several vulnerabilities that allows an unauthenticated attacker to execute PHP code on the web server. From there the attacker can bypass all of the site's security mechanisms, gain control of the site and its databases, obtain administrative access to the entire system and even steal credit card data.
Being your own eCommerce administrator
The attacks observed by Sucuri and Incapsula use the bug to create new administrator accounts in the Magento databases of vulnerable eCommerce websites. Sucuri has stated that the attack then goes dormant until the attackers return to access the database and take customers' personal information.
Daniel Cid, the CTO of Sucuri, wrote in a blog post about a recent attack that the code leverages the SQLi and adds a new admin_user to the database. He went on to say that if you believe your site has been compromised, look for the defaultmanager and vpwq usernames, as these are the ones being used so far by this particular group of attackers.
Attacks from Russia and China
The attacks began recently with fewer than a thousand attempts against sites protected by Incapsula. They then peaked at 1,500 attempts and have continued at that rate. Israel-based Checkpoint then released the technical details of the vulnerability. Checkpoint first reported the issue to eBay's engineers in January, and since the patch became available in early February its researchers have been urging everyone who uses Magento to install the update.
The attacks appear to be coming from the IP addresses 220.127.116.11 and 18.104.22.168, both located in Russia. Cid has stated that web administrators who are concerned about their eCommerce sites should check their logs for these particular IP addresses.
This isn't foolproof, though. According to Incapsula, attacks are also coming from various locations in China, and it would be no surprise if the attacks became more widespread in the future.
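The two checks recommended above, looking for the named admin usernames in the admin_user table and for the named IP addresses in the web server logs, can be scripted. The following is an added example, not code from Sucuri, Checkpoint or the Magento project; it goes one step beyond the article by also flagging any admin account that is not on a roster of accounts you know you created, since the named usernames are only the ones seen so far. The log lines and admin_user rows are constructed sample data.

```python
import re

# Indicators quoted in the article; extend as new ones are published.
SUSPECT_ADMIN_USERS = {"defaultmanager", "vpwq"}
SUSPECT_IPS = {"220.127.116.11", "18.104.22.168"}

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line):
    """Return a dict of fields for one combined-format line, or None if unparsable."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspect_requests(lines):
    """Return parsed log entries whose client IP is one of the published indicators."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry and entry["ip"] in SUSPECT_IPS:
            hits.append(entry)
    return hits


def find_suspect_admins(admin_rows, known_admins):
    """admin_rows: (username, created) tuples, e.g. from
    SELECT username, created FROM admin_user. Flags published indicator
    names and any account not on the roster of admins you created."""
    findings = []
    for username, _created in admin_rows:
        if username.lower() in SUSPECT_ADMIN_USERS:
            findings.append((username, "known indicator"))
        elif username not in known_admins:
            findings.append((username, "not on roster"))
    return findings


# Constructed sample data (hypothetical hosts, paths and accounts).
SAMPLE_LOG = [
    '220.127.116.11 - - [21/Apr/2015:10:15:02 +0000] "POST /index.php/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Apr/2015:10:16:40 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '18.104.22.168 - - [21/Apr/2015:10:17:01 +0000] "POST /index.php/ HTTP/1.1" 302 0 "-" "python-requests/2.5"',
    'this line is not in combined log format',
]
SAMPLE_ADMIN_ROWS = [("storeowner", "2014-11-02"), ("defaultmanager", "2015-04-20"),
                     ("vpwq", "2015-04-21"), ("qa_tester", "2015-03-01")]
KNOWN_ADMINS = {"storeowner"}
```

Run both checks against your real access log and a dump of admin_user; the IP match is only a partial signal, as the article notes, so treat the admin_user review as the primary check.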
Dangerous vulnerability of Magento
The vulnerability gives unauthorized attackers complete control of vulnerable sites. That means they can dump the databases to obtain credit card numbers, phone numbers, home addresses, email addresses and other personal information.
Even when a site has properly encrypted its database, an attacker can still plant hard-to-find scripts behind the scenes that capture sensitive customer data during the brief window in which it is processed in unencrypted form.
Attackers could also use the Magento vulnerability to booby-trap vulnerable sites with malware that infects the computers of site visitors.
The vulnerability could even be used to change the prices of the items a site sells. Checkpoint researchers used it to obtain, for free, a luxury watch worth more than $100,000.