Sites Infected with Magecart Malware Reinfected Multiple Times
NEWS

Sites Infected with Magecart Malware Reinfected Multiple Times

You may think that you’re safe after you’ve removed the malware from your infected online Magento store. However, it turns out that the infamous Magecart malware, known for harvesting credit card details from checkout forms, re-infects even after clean-up.




The researcher behind these findings is Willem de Groot who recently unearthed the most successful skimming campaign, driven by the MagentoCore skimmer. Back in September, the skimmer had already infected 7,339 Magento stores for a period of 6 months, thus becoming the most aggressive campaign discovered by researchers.

The same researcher is the developer of the MageReport, an online malware and vulnerability scanner for online stores. According to de Groot, in the last quarter, 1 out of 5 breached stores were infected (and cleaned) multiple times, some even up to 18 times.

Related:
MagentoCore has already infected 7,339 Magento stores in the last 6 months, thus becoming the most aggressive campaign discovered by researchers.
MagentoCore: the Most Aggressive Skimmer Infects 60 Stores per Day

At Least 40,000 Magecart-Like Infections Discovered in 3 Years

The researcher has tracked infections similar to Magecart on at least 40,000 domains for the past three years. His latest findings indicate that during August, September and October, the MageReport scanner came across Magecart skimmers on more than 5,400 domains. Some of these infections turned out to be quite persistent, spending up to 12.7 days on infected domains.

In most cases, however, website admins successfully removed the malicious code. Still, the number of re-infected sites is still quite big – 21.3 percent, with a large number of reinfections taking place within the first day or within a week. The average period for a reinfection was estimated at 10.5 days.

What is the reason for the reinfections? As explained by de Groot, there are several reasons accounting for the repeated malware cases:

There are multiple reasons for the reinfections:

  • The operators of Magecart often drop backdoor on hacked stores and create rogue admin accounts.
  • The malware operators use efficient reinfection mechanisms such as database triggers and hidden periodic tasks.
  • The operators also use obfuscation techniques to mask their code.
  • The operators often use zero-day exploits to hack vulnerable sites.
Related:
The Magecart criminal collective has successfully infiltrated the Newegg site and stole the stored payment card details stored by the company's customers
Magecart Hackers Stole Customers Payment Card Data from Newegg

In September, the Magecart operators have made another major hit, infiltrating the secure servers of the popular Newegg site. All entered data in the period between August 14 and September 18 this year was affected. Both desktop and mobile customers were affected by the breach.

Statistics revealed that the site has more than 50 million visitors. The fact that the digital skimmer code was available for a significant period of time gives security researchers reasons to believe that millions of customers were potentially affected.

In February 2017, the same researcher analyzed a piece of another evolved Magento malware which was

Researchers have discovered and analyzed a new strain of malware capable of preserving itself for a long period of time. Magento websites are targeted.
capable of self-healing. This process was possible thanks to hidden code in the targeted website’s database.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...