Magento e-commerce websites are now at risk as the ‘Magento Killer’ makes its debut. This rightly-named malicious script is geared up to take over Magento online stores to steal customers’ payment information.
‘Magento Killer’ Is Preying On Magento E-Stores
According to a blog post by Sucuri, a malicious script was found attacking Magento websites. Named ‘Magento Killer’, the script lets the attacker gain access to the targeted Magento e-store to steal information.
As explained, in the initial phase, this malicious PHP script allows the attacker to modify the core database using SQL queries.
During the initial stages of the attack, the bad actor uses special SQL queries encoded in base64.
Furthermore, it uses two objects, Update DB (Savecc), and Update PP (MailPP), within the $ConfKiller variable’s array to steal payment data from the targeted Magento website. In case of attack, the object Update DB configures the website to save credit card data to the server, rather than transmitting it to the destined payment processor. Whereas, the other object, Update PP, lets the attacker place its own account to the website rather than the actual PayPal merchant business account.
Magento allows saving of customers’ credit card data in encrypted form. In the case of the Magento Killer attack, this protection seems no good. The attacker can pilfer the encryption key from the ./app/etc/local.xml Magento file and can obtain the stored credit card details in plain text.
Consequently, any payments made by a customer on a compromised Magento eCommerce website will only end up reaching the hands of the attackers. Moreover, the customer also unknowingly shares payment details with the attackers, thus welcoming more cyber attacks.
More About Magento Killer…
As discovered, the attackers behind the Magento Killer script seem dedicated to continuing their malicious activities in more advanced forms. Perhaps, that is why their attack strategy doesn’t end up at getting credit card details. Instead, they have also created another variable array that they use in their SQL Queries to meddle with Magento databases. The intention is to steal the customers’ personal information for more precise attacks in the future. Thus, the array listing provides the attackers with to the point customer data from the Magento databases customer_entity and newsletter_subscriber.
Considering the popularity of Magento, it is imperative Magento site owners vigilantly monitor their websites for possible compromise, since such kinds of attacks can lead to devastating situations. This is particularly plausible if we recall the massive hacking attack on Magento websites earlier this year.
Take your time to comment on this article.
