You may think that you’re safe after you’ve removed the malware from your infected online Magento store. However, it turns out that the infamous Magecart malware, known for harvesting credit card details from checkout forms, re-infects even after clean-up.
The researcher behind these findings is Willem de Groot who recently unearthed the most successful skimming campaign, driven by the MagentoCore skimmer. Back in September, the skimmer had already infected 7,339 Magento stores for a period of 6 months, thus becoming the most aggressive campaign discovered by researchers.
The same researcher is the developer of the MageReport, an online malware and vulnerability scanner for online stores. According to de Groot, in the last quarter, 1 out of 5 breached stores were infected (and cleaned) multiple times, some even up to 18 times.
At Least 40,000 Magecart-Like Infections Discovered in 3 Years
The researcher has tracked infections similar to Magecart on at least 40,000 domains for the past three years. His latest findings indicate that during August, September and October, the MageReport scanner came across Magecart skimmers on more than 5,400 domains. Some of these infections turned out to be quite persistent, spending up to 12.7 days on infected domains.
In most cases, however, website admins successfully removed the malicious code. Still, the number of re-infected sites is still quite big – 21.3 percent, with a large number of reinfections taking place within the first day or within a week. The average period for a reinfection was estimated at 10.5 days.
What is the reason for the reinfections? As explained by de Groot, there are several reasons accounting for the repeated malware cases:
There are multiple reasons for the reinfections:
- The operators of Magecart often drop backdoor on hacked stores and create rogue admin accounts.
- The malware operators use efficient reinfection mechanisms such as database triggers and hidden periodic tasks.
- The operators also use obfuscation techniques to mask their code.
- The operators often use zero-day exploits to hack vulnerable sites.
In September, the Magecart operators have made another major hit, infiltrating the secure servers of the popular Newegg site. All entered data in the period between August 14 and September 18 this year was affected. Both desktop and mobile customers were affected by the breach.
Statistics revealed that the site has more than 50 million visitors. The fact that the digital skimmer code was available for a significant period of time gives security researchers reasons to believe that millions of customers were potentially affected.
In February 2017, the same researcher analyzed a piece of another evolved Magento malware which was