What Happened

In a widespread cyber attack, nearly 100 e-commerce websites using the Magento platform were compromised by threat actors using a unique credit card skimming method. The campaign, first detected in September 2023, hides credit card-stealing scripts inside a pixel-sized Scalable Vector Graphics (SVG) image, making the malicious code difficult for traditional security tools to detect. The attack targets older, unsupported Magento 1 installations, which many businesses continue to run despite the platform's end-of-life status.

The malicious operation was initially uncovered by cybersecurity firm Sucuri when a routine audit revealed unauthorized and stealthy JavaScript code embedded within SVG files across multiple customer sites. These SVG files, typically benign and used for graphical purposes, now serve as a vessel for exfiltrating sensitive credit card information.

Technical Details

The attackers leverage the deprecated nature of Magento 1, which no longer receives security updates, making it an attractive target. This campaign does not use any new CVEs but exploits the vulnerabilities inherent in outdated software versions. The attack progresses through a multi-stage infection process that begins with the insertion of a malicious SVG file. The code within this file executes upon web page initialization, capturing credit card data entered by customers and transmitting it to command and control (C2) servers controlled by the attackers.

Indicators of Compromise (IOCs) include unfamiliar SVG files located within the website’s media directories and the presence of obfuscated JavaScript code in unexpected places. Website owners may also observe anomalies in web traffic patterns, particularly elevated outbound traffic corresponding to data exfiltration events.

Impact

The attack affects close to 100 online stores, primarily those still running Magento 1. The exfiltration of credit card data poses severe financial risks to these businesses, leading to potential fraudulent transactions and eroding customer trust. For consumers, the breach compromises sensitive personal and financial information, with downstream impacts such as identity theft and financial loss.

Businesses using deprecated systems like Magento 1 are directly at risk, highlighting the imperative need for diligent upkeep of e-commerce infrastructure. The ripple effects could deter consumers from engaging with smaller businesses perceived as less secure, influencing broader market dynamics.

What To Do

  • **Immediate Actions:**

    • Audit and remove unauthorized SVG files and suspicious JavaScript within your web directories.
    • Monitor network traffic for signs of data exfiltration and report anomalies to your IT security team.
  • **Long-term Solutions:**

    • Migrate from deprecated Magento 1 to its latest, supported versions or alternative platforms with robust security features.
    • Implement comprehensive web application firewalls (WAFs) to detect and block suspicious activities, such as unauthorized file access or script execution.
    • Regularly update and patch all e-commerce and CMS systems to reduce vulnerabilities.
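The audit in the first immediate action, and the indicators listed under Technical Details (unfamiliar SVG files in the media directories, obfuscated JavaScript where no script belongs), can be checked with a script like the one below. It is an added example written for this summary, not Sucuri's tooling or any Magento code; the media tree layout, the file names and the three SVG bodies in demo() are constructed for demonstration, and the only thing the script assumes about a real store is a directory path passed to scan_tree().

```python
"""Audit a Magento media tree for SVG files that can execute script.
Added example for this advisory, not Sucuri's, Magento's or the campaign's
code. The tree layout, file names and SVG bodies in demo() are constructed."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)  # onload, onclick, ...
# Building blocks of obfuscated loaders; none belong in an image file.
OBFUSCATION = re.compile(
    r"\b(?:eval|atob|unescape|Function)\s*\(|String\.fromCharCode|\\x[0-9a-f]{2}",
    re.IGNORECASE)

@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)

def _is_tiny(root) -> bool:
    """True when both declared dimensions are 1px or less (a hidden image)."""
    def px(v):
        m = re.match(r"\s*(\d+(?:\.\d+)?)", v or "")
        return float(m.group(1)) if m else None
    w, h = px(root.get("width")), px(root.get("height"))
    return w is not None and h is not None and w <= 1 and h <= 1

def scan_svg_text(text: str, path: str = "<memory>") -> Finding:
    """Return a Finding; its reasons list is empty for a clean image."""
    reasons = []
    if OBFUSCATION.search(text):
        reasons.append("obfuscation primitives (eval/atob/fromCharCode/hex escapes)")
    try:
        root = ET.fromstring(text)  # use defusedxml in production: attacker-controlled input
    except ET.ParseError:
        # Browsers are lenient with broken SVG, so fall back to raw matching.
        if re.search(r"<script\b", text, re.IGNORECASE):
            reasons.append("<script> element (unparseable XML)")
        return Finding(path, reasons)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() == "script":
            reasons.append("<script> element")
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1]  # strip xlink: and other namespaces
            if EVENT_ATTR.match(local):
                reasons.append(f"event handler attribute {local}")
            elif local.lower() == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append("javascript: URL")
    if reasons and _is_tiny(root):  # a 1x1 image is normal alone, not with script
        reasons.append("declared size 1x1 or smaller (hidden image)")
    return Finding(path, reasons)

def _looks_like_svg(path: str) -> bool:
    """The extension is attacker-chosen, so also sniff the first bytes."""
    if path.lower().endswith(".svg"):
        return True
    with open(path, "rb") as fh:
        return b"<svg" in fh.read(512)

def scan_tree(root_dir: str) -> list:
    """Walk a media tree; report (never delete) files with at least one reason."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if not _looks_like_svg(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                finding = scan_svg_text(fh.read(), path)
            if finding.reasons:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.path)

# Constructed samples: a normal icon, a 1x1 image carrying a <script> element,
# and an SVG body saved under a .png name that uses an event handler instead.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24">'
              '<circle cx="12" cy="12" r="10" fill="#0a0"/></svg>')
SCRIPT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
              '<script>/* constructed placeholder, not a real loader */'
              'eval(atob("cGxhY2Vob2xkZXI="));</script></svg>')
EVENT_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" '
             'onload="/* constructed placeholder */ void 0">'
             '<rect width="16" height="16" fill="#ccc"/></svg>')

def demo() -> list:
    """Lay the samples out like a Magento 1 media tree and scan it."""
    with tempfile.TemporaryDirectory() as base:
        product = os.path.join(base, "media", "catalog", "product")
        os.makedirs(product)
        for name, body in (("logo.svg", BENIGN_SVG), ("spacer.svg", SCRIPT_SVG),
                           ("border.png", EVENT_SVG)):
            with open(os.path.join(product, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(base)

if __name__ == "__main__":
    for f in demo():
        print(f.path, "->", "; ".join(f.reasons))
```

Run it against the store's own media directory instead of demo(). The script only reports; compare each hit against the files your theme and extensions actually ship before removing anything, and treat a 1x1 image that also carries script as the strongest signal, since that is the pattern described in this campaign.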

Consumers affected by this issue should remain vigilant by monitoring their financial statements and considering enrollment in credit monitoring services to detect unauthorized transactions early. For businesses, the path to recovery involves both technical remediation and restoring consumer confidence through transparent communication regarding security measures undertaken to prevent future breaches.
