Many online stores are affected by this old vulnerability.

Hackers are taking over online stores and stealing customers' payment card details by exploiting a three-year-old vulnerability in a Magento plugin, the FBI warns. This type of attack is known as web skimming or Magecart, and in October of last year the FBI issued a similar warning about an increase in such attacks. As reported by ZDNet, in this latest campaign the attackers exploit a vulnerability, tracked as CVE-2019-7391, in the MAGMI (Magento Mass Import) plugin for Magento-based online stores. The vulnerability is a cross-site scripting (XSS) flaw that allows an attacker to inject malicious code into the HTML of an online store. According to the FBI, hackers exploit this vulnerability to steal the environment credentials of online stores running Magento, which they then use to take complete control of the targeted sites.

MAGMI plugin vulnerability

Once an attacker has access to a site running the vulnerable plugin, they plant web shells for future access and begin modifying the site's PHP and JavaScript files with malicious code that records customers' payment card details. The card data is Base64-encoded, hidden inside a JPEG file and sent to the hackers' server. The malicious server used by the hackers behind this latest campaign belongs to the cybercrime service Inter, which leases its infrastructure to low-skilled hacking groups so they can start web skimming operations. Online stores using the plugin are strongly advised to update MAGMI to version 0.7.23, which fixes the XSS bug the hackers use to get into stores in the first place. Unfortunately, the plugin only works with older Magento stores running the 1.x branch, which reaches end of life in June. The FBI flash alert also contains Indicators of Compromise (IOCs) that Magento users can add to their web application firewalls to block attacks on their sites.

via ZDNet
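The exfiltration technique described above, Base64-encoded card data hidden inside a JPEG, leaves a structural trace a defender can check for: bytes that sit after the image's End-Of-Image marker. The script below is an added example, not code from the article, the FBI alert or the MAGMI project. It walks the JPEG segment structure to find the real End-Of-Image marker (so a payload that happens to contain the bytes FF D9 cannot hide the tail), reports how much data is appended, and tests whether that tail decodes as Base64. The sample images and payload are constructed inline; the Base64 heuristic and its minimum length are assumptions.

```python
"""Check JPEG files for data appended after the End-Of-Image marker.

Added example for triaging images served by a web store (e.g. Magento media
files) for a Base64 payload smuggled behind the picture data. Not taken from
the article, the FBI alert or MAGMI; sample inputs are constructed.
"""
import base64
import re
import struct

SOI = b"\xff\xd8"          # Start Of Image
EOI = b"\xff\xd9"          # End Of Image
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
MIN_B64_LEN = 16           # assumption: ignore tiny tails that are likely noise


def find_eoi(data: bytes) -> int:
    """Return the offset just past the real EOI marker.

    Walks segment headers (marker + big-endian length), skipping the
    entropy-coded scan data after SOS where 0xFF is stuffed as FF 00 and
    FF D0..D7 are restart markers, so an appended payload containing
    FF D9 is never mistaken for the end of the image.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                       # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers, no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                        # a real marker follows
                pos += 1
    raise ValueError("no End-Of-Image marker found")


def looks_like_base64(blob: bytes) -> bool:
    """Heuristic: alphabet check, padding, and a strict decode."""
    compact = b"".join(blob.split())             # tolerate line breaks
    if len(compact) < MIN_B64_LEN or len(compact) % 4 != 0:
        return False
    if not BASE64_RE.match(compact):
        return False
    try:
        base64.b64decode(compact, validate=True)
    except (ValueError, TypeError):
        return False
    return True


def inspect_jpeg(data: bytes) -> dict:
    """Describe whatever follows the image: length, Base64 verdict, decoded bytes."""
    tail = data[find_eoi(data):]
    result = {"trailing_len": len(tail), "base64": False, "decoded": None}
    if tail and looks_like_base64(tail):
        result["base64"] = True
        result["decoded"] = base64.b64decode(b"".join(tail.split()))
    return result


# --- constructed samples (not real images or real skimmer output) ----------
SAMPLE_PAYLOAD = b"constructed fake form data, not real card data"


def build_sample_jpeg() -> bytes:
    """Minimal JPEG-shaped bytes: SOI, APP0, SOS, scan data with a stuffed
    FF 00 and an RST0 marker, then EOI. Structurally valid, not decodable."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return SOI + app0 + sos + scan + EOI


def build_skimmed_jpeg() -> bytes:
    """Same image with a Base64 payload appended after EOI."""
    return build_sample_jpeg() + base64.b64encode(SAMPLE_PAYLOAD)


if __name__ == "__main__":
    for name, img in (("clean", build_sample_jpeg()), ("skimmed", build_skimmed_jpeg())):
        print(name, inspect_jpeg(img))
```

In practice this would be run over a store's media directory and alert on any image with a non-empty tail; a Base64 verdict on that tail is a strong signal worth correlating with the IOCs from the FBI alert and with recent changes to the site's PHP and JavaScript files.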