A security researcher has recently discovered a dangerous payment-skimming malware that has been stealing from thousands of users.
The malware, dubbed MagentoCore, targets e-commerce sites running the Magento software. It was found installed on more than 7,339 online stores in the last six months and is infecting more than 50 new websites a day.
How does it work?
The attack starts with brute-force attempts to crack the admin panel password. Once the password is cracked, the malware injects a malicious piece of code into the site's HTML that records every keystroke customers enter and sends it back to the hacker's main server.
This data includes usernames, passwords, credit card information and personal details. Besides this, there is a recovery mechanism that deletes the malicious code after it has executed. The researchers analyzed more than 220,000 websites and found that 4.2% of them were already leaking user data.
Ankush Johar, Director at Infosec Ventures, said, "This is a reality check for administrators that even the tiniest negligence can lead to a massive disaster. Other organizations must take this as a lesson and make sure proper policies are implemented well across their infrastructure and, more importantly, are regularly audited. Moreover, even with all security checks in place, it's extremely important to make sure that the proper alarm bells are in place, so that, even if cybercriminals find a way through, which they eventually will, it doesn't take months for your SOC to even discover the breach. Preventing post-exploitation is as important as avoiding a breach because it's not about if you will get hacked, it's about when and how quickly you will be able to mitigate."
Best security practices for system admins:
Proper auditing of source code: System admins are advised to audit their source code regularly and look out for any unexpected line of code that isn't supposed to be there. Use version control and file-monitoring services so you are notified the moment a file on the server changes; this helps ensure no one else is injecting code into your websites.
Monitor access to your web server: Use proper Intrusion Detection Systems (IDS) and log-monitoring services to continuously track what kind of access your server is granting to users.
Regular security auditing + VAPT: It's highly advised that web admins carry out proper auditing and Vulnerability Assessment & Penetration Testing (VAPT) exercises to close as many loopholes as possible, so that it isn't easy to compromise your servers and web applications to upload malicious miners or malware.
DDoS and Intrusion Prevention Systems: Deploy trusted DDoS prevention services to discourage attackers carrying out brute-force attacks, and use an IPS to block common attacks; this helps prevent exploitation even if a vulnerability has slipped past the VAPT process.
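The two monitoring items above ("Proper auditing of source code" and "Monitor access to your web server") can be turned into concrete checks. The script below is an added example and is not code from the article or from the MagentoCore research: it keeps a SHA-256 baseline of a web root and reports added, removed or changed files plus any <script src> host outside an allowlist, and it raises one alert per source IP that sends a burst of POSTs to the admin login path in an Apache combined-format access log. The web-root files, the hosts cdn.example and skimmer.example, the TEST-NET addresses, the /admin path (Magento's default, which sites often rename) and the threshold of 10 POSTs in 5 minutes are all constructed for illustration.

```python
"""Added example, not from the article: a file-integrity baseline with an
injected-script check, and an admin-login burst detector over access logs.
All paths, hosts, addresses and thresholds are constructed assumptions."""
import hashlib
import re
import tempfile
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlparse

# --- 1. file-integrity baseline and injected-script check -------------------
SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_baseline(old: dict, new: dict) -> dict:
    """Files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

def unexpected_script_hosts(html: str, allowed_hosts: set) -> list:
    """Hosts referenced by <script src=...> that are not on the allowlist."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname     # None for same-origin relative paths
        if host and host not in allowed_hosts:
            hosts.add(host)
    return sorted(hosts)

def integrity_demo() -> dict:
    """Build a throwaway web root, take a baseline, then simulate a tampered
    page and a dropped file (constructed data) and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        page = root / "checkout.html"
        page.write_text('<html><script src="https://cdn.example/app.js"></script></html>')
        baseline = build_baseline(root)
        # constructed tampering: an extra script tag pointing at an unknown host
        page.write_text(page.read_text() + '<script src="//skimmer.example/j.js"></script>')
        (root / "media").mkdir()
        (root / "media" / "x.js").write_text("// dropped file")
        return {
            "diff": diff_baseline(baseline, build_baseline(root)),
            "hosts": unexpected_script_hosts(page.read_text(), {"cdn.example"}),
        }

# --- 2. admin-login burst detection over access-log lines -------------------
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
ADMIN_PATH_RE = re.compile(r"^/(index\.php/)?admin(/|$)")   # assumed admin URL

def parse_line(line: str):
    """Parse one Apache combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def admin_post_bursts(lines, threshold=10, window=timedelta(minutes=5)) -> list:
    """One alert per source IP the first time it sends >= threshold POSTs to
    the admin path inside a sliding time window (a brute-force signal)."""
    recent = defaultdict(deque)
    alerts = {}
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    for e in events:
        if e["method"] != "POST" or not ADMIN_PATH_RE.match(e["path"]):
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:     # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and e["ip"] not in alerts:
            alerts[e["ip"]] = {"ip": e["ip"], "count": len(q), "since": q[0].isoformat()}
    return list(alerts.values())

def _log_line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

_T0 = datetime(2018, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (   # constructed log: one rapid POST burst, one slow client, one GET
    [_log_line("203.0.113.7", _T0 + timedelta(seconds=10 * i), "POST", "/admin/", 302)
     for i in range(12)]
    + [_log_line("198.51.100.4", _T0 + timedelta(minutes=20 * i), "POST", "/admin/", 302)
       for i in range(3)]
    + [_log_line("198.51.100.4", _T0, "GET", "/checkout/", 200)]
)

if __name__ == "__main__":
    print(integrity_demo())
    print(admin_post_bursts(SAMPLE_LOG))
```

In practice the baseline would be written to storage outside the web root (or compared against the deployed git revision) and the check run from cron, and the burst threshold tuned against normal admin traffic; the file diff catches inline code added to a template, which the host allowlist alone would miss.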