Thousands of sites using this popular ecommerce platform hit by hack
2,000 sites using Magento were attacked over the weekend
Thousands of online stores around the world have been hit by a major cybersecurity attack because they were running outdated and unprotected ecommerce software.
Almost 2,000 stores using the Magento ecommerce platform were affected in what security researchers described as the "largest documented campaign to date".
Researchers at Sansec, which uncovered the campaign, described it as "a typical Magecart attack", in which injected malicious code looked to intercept the payment information of unsuspecting customers.
Sansec notes that the affected stores were found to be running Magento version 1, which was announced as reaching its end-of-life in June 2020, but is still used by around 95,000 stores worldwide.
The company detected 1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page, far larger than any other recorded attack since 2015, when it first began monitoring the software.
Sansec added that many of the affected stores had no prior history of security incidents, suggesting that a new attack method had been used to gain server (write) access. It noted that a Magento 1 0day (exploit) had been put up for sale on a hacking forum for $5000 a few weeks ago.
The company is working with the affected stores, and has made a complete list of compromised stores available to law enforcement agencies.
This is not the first time that Magento software has been flagged as a security risk recently. Back in May 2020, the FBI flagged that hackers were taking over online stores and stealing customers' payment card data by exploiting a three-year-old vulnerability in a Magento plugin.
Adding to the seriousness of the situation is the lack of compliance with PCI DSS, the Payment Card Industry Data Security Standard, which online traders need to be in line with.
Some payment providers have said they will no longer support merchants still on Magento 1 past EOL, while others have stated that customers need to switch to Magento 2, meaning many retailers are still confused about the level of support they have.
Via ZDNet
Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.