Recently a Dutch security blogger and researcher Willem de Groot has found out that Ecommerce Websites which are using Magento Software have been hit by a dangerous payment skimming malware that has been stealing thousands from the users. The malware is termed as MagentoCore and affecting the Ecommerce sites that are using Magento.

How many online stores are affected?

In last six months, the skimmer was installed in more than 7,339 online stores and it’s been affecting more than 50 new websites each day.

Willem de Groot said “The victim list contains multi-million dollar, publicly exchanged companies, which suggests the malware operators make a handsome profit. But the real sufferers are eventually the customers, who have their card and identity stolen,”

How does the malware work?

This malware uses the brute-force attack which means it tries to guess the password of the Magento Admin Panel for months and once the access is obtained then the software will inject a malicious piece of code to the HTML and from them all the keystrokes from the customers on the website are recodes and later the data is sent back to the hacker’s main server. This data is collection of usernames, passwords, credit card information and personal details. In addition to this, there is also a recovery mechanism which deleted the code when it has run.

Groot has analyzed more than 220,000 websites and 4,2% of them were already leaking user data.

What you can do?

If you are store owner and found the MagentoCore.net skimmer in your store then you must ask your ops team or forensic investigator to do the below listed things.

1. Search for Entry point: you need to analyse the first question that “how could attackers gain unauthorized access? Look for backend logs, correlate with staff IP’s and track their working hours. If you come across any suspicious activity from staff IP’s then it could be that a staff computer is infected with malware, or that the attacker has hijacked an authorized session.

2. Check any backdoors and unauthorized changes in your database. You might find few in both frontend/backend code and the database.

3. As soon as you discover all means of unauthorized access make sure to close them all at once.

4. Eliminate the skimmer, backdoors and other code and if possible then go back to a certified safe copy of the code base. Malware is often hidden in default HTML header/footers and also in minimized, static Javascript files so you should check all HTML/JS assets that are loaded during the checkout process.

5. A good start will be to execute secure procedures which cover timely patches, strong staff passwords and so on.