Threat actors have once again targeted the Magento platform. The purpose of the campaign is planting payment card skimmers on online stores. According to security researcher Willem de Groot, at least 20 Magento extensions have been abused due to a number of unpatched zero-day vulnerabilities.
This is not the first time de Groot has uncovered serious Magento issues. In September, the researcher uncovered the most successful skimming campaign to date, revolving around the MagentoCore skimmer. That skimmer has infected 7,339 Magento stores in the last 6 months, making it the most aggressive campaign discovered so far.
2 of the 20 Vulnerable Magento Extensions Identified
As for the current case, de Groot has identified 2 of the 20 extensions and is seeking help from fellow researchers to uncover the rest, so that the zero-day flaws can be patched. The good news is that he has published a series of URL paths that have been exploited to compromise online stores running the vulnerable extensions.
It appears that Magento replaced most of the vulnerable functions with json_decode() in patch 8788. Unfortunately, many of its popular extensions did not, the researcher noted in his post. As Yonathan Klijnsma, a researcher at RiskIQ and one of the experts helping de Groot, explained, “core platforms tend to be pretty good, it’s just the plugins that keep messing up”.
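To illustrate what "replacing the vulnerable functions with json_decode()" means for an extension author, here is an added example (not code from the article, from Magento, or from any of the extensions named). It assumes the vulnerable pattern is PHP's unserialize() applied to request data; the function and parameter names are made up.

```php
<?php
// Added illustration, not code from the article or from any Magento extension.
// Assumption: the "vulnerable functions" are unserialize() calls on request
// data, which the core patch replaced with json_decode(). The function and
// parameter names below are made up for the example. Requires PHP 7.3+.

// Before: the extension reconstructs a PHP object graph from a request
// parameter. unserialize() instantiates whatever class the payload names,
// so any class on the autoload path with __wakeup()/__destruct() side effects
// becomes reachable by whoever controls the parameter.
function loadBundleOptionsUnsafe(array $request): array
{
    $raw  = $request['options'] ?? '';
    $data = unserialize($raw);            // untrusted input -> object injection
    return is_array($data) ? $data : [];
}

// After: the same data carried as JSON. json_decode() only ever yields
// scalars, arrays and stdClass, so no application class is instantiated,
// and malformed input raises an exception instead of silently returning false.
function loadBundleOptionsSafe(array $request): array
{
    $raw = $request['options'] ?? '';
    if ($raw === '') {
        return [];
    }
    try {
        // assoc arrays only, shallow nesting depth, throw on any syntax error
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];                        // treat bad input as "no options"
    }
    if (!is_array($data)) {
        return [];
    }
    // Accept only the shape the extension actually expects: option_id => qty
    $clean = [];
    foreach ($data as $optionId => $qty) {
        if (ctype_digit((string) $optionId) && is_int($qty) && $qty > 0) {
            $clean[(int) $optionId] = $qty;
        }
    }
    return $clean;
}

// Constructed sample request, as a client that sends JSON would produce it.
$sample = ['options' => '{"12":2,"15":1,"abc":-3}'];
var_dump(loadBundleOptionsSafe($sample));
```

The decisive change is the data format, not the validation loop: once no request parameter reaches unserialize(), the class of bug the article describes is closed for that code path, and the whitelist only tightens what the extension then does with the decoded array.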
The two identified extensions are the Webcooking_SimpleBundle Magento extension and TBT_Rewards. The developer of the first extension has already released a fix. The second one, however, appears to have been abandoned a while ago, so any online store that has it installed should remove it immediately.