Campaign has been active for 6 months and has affected 3,500 stores

Nov 20, 2015 15:50 GMT

Over 3,500 Magento online stores are currently infected with a server-side hosted key-logging system that steals credit card details and sends them to various third-party servers.

According to Dutch Web hosting company Byte.nl, the campaign goes back to last spring, with the first signs spotted on April 28 and May 12.

According to the company's Magento specialist Willem de Groot, the campaign relies on a piece of JavaScript code that hackers saved inside the database of infected Magento stores.

This snippet of code is loaded with the checkout pages and, using a clever mechanism, logs all data typed into payment forms as the user enters it.

This data is then silently sent via AJAX to a few locations online, with most of the information reaching a PHP file hosted on the ownsafety.org domain (how ironic!).

The malicious campaign is active only on Magento sites, for now

Mr. de Groot claims that store owners who left their Magento shops unpatched are to blame for this infection. He also notes that, while Magento stores are the ones currently being exploited, the campaign is CMS-agnostic and could very well be adapted to other shopping platforms without difficulty.

Since this malicious attack does not alter any user interface element on the checkout page, users cannot do anything to detect it or to protect their data.

Magento store owners are urged to verify if their checkout pages include the malicious code detailed by Mr. de Groot. Store owners should also update their Magento platform to the most recent version.
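One way to run that kind of check, as an added example that is not code from Byte.nl or Mr. de Groot: because the injected JavaScript ships its data to a third-party server, listing every host that a checkout page's scripts reference and comparing it against the store's own domains surfaces destinations that should not be there. The function names, the `shop.example` allowlist entry and the `collector.invalid` host are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Host part of absolute or protocol-relative URLs; a dot is required so that
# "// comment" lines in JavaScript are not mistaken for URLs.
HOST_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


class ScriptHosts(HTMLParser):
    """Collect hosts referenced by <script src=...> and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hosts = set()

    def _scan(self, text):
        self.hosts.update(h.lower() for h in HOST_RE.findall(text))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self._scan(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self._scan(data)


def unexpected_script_hosts(html, allowed):
    """Return sorted script-referenced hosts outside the allowlisted domains."""
    parser = ScriptHosts()
    parser.feed(html)
    parser.close()
    return sorted(h for h in parser.hosts
                  if not any(h == a or h.endswith("." + a) for a in allowed))


# Constructed sample page: the inline script stands in for injected code and
# contains nothing but the outbound URL this check is meant to surface.
SAMPLE = """<html><head>
<script src="/js/prototype/prototype.js"></script>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script>var endpoint = "https://collector.invalid/gate.php";</script>
</head><body><form id="payment"></form></body></html>"""
```

Run it against the HTML the server actually returns for the checkout page, since that is where code stored in the database ends up; any host in the result that the store does not recognise deserves a closer look.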

Byte.nl has contacted the Dutch Cyber Security Center, and together they are in the process of taking down the servers where the credit card data is collected.

"The high number of compromised stores implies extensive automation in discovery and exploitation," says Mr. de Groot. "This is not the work of script kiddies."

Location and frequency of where credit card data is sent