2022-02-15

Attacking Magento 1 eCommerce platform

Industry: Ecommerce | Level: Strategic | Source: Sansec

More than 500 eCommerce platforms have suffered a data breach as attackers take advantage of Magento 1, an end-of-life eCommerce platform. Sansec identified the compromises, and its investigation found that "attackers used a clever combination of an SQL injection (SQLi) and PHP Object Injection (POI) attack to gain control of the Magento store." The domain naturalfreshmall[.]com, used to load the malicious payment skimmers, was identified in all attacks. The attackers also took advantage of a known leak in the Quickview plugin to add a validation rule to the "customer_eav_attribute" table, resulting in the creation of a malicious PHP backdoor. The final step in the process involved registering as a new customer: "Magento actually needs to unserialize the data. And there is the cleverness of this attack: by using the validation rules for new customers, the attacker can trigger an unserializer by simply browsing the Magento sign up page."
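Because the injected validation rule only fires when Magento unserializes it, a store owner can audit the table for values that should never be there. The following is an added example, not Sansec's tooling or code from the original brief: it walks PHP `serialize()` data and flags any object in a rules value. It assumes the rules live in the `validate_rules` column of `customer_eav_attribute`, that legitimate values are serialized arrays of scalars, and that rows were exported as `(attribute_id, bytes)` pairs; the sample rows are constructed.

```python
SAMPLE_ROWS = [  # constructed (attribute_id, validate_rules) rows for this added example
    (5, b'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'),
    (9, None),                                  # NULL: no rules set
    (11, b'a:1:{s:4:"note";s:7:"O:1:"A"";}'),   # string that only looks like an object
    (12, b'a:1:{s:16:"input_validation";O:8:"stdClass":0:{}}'),
    (13, b'not-serialized'),
]

class ObjectFound(Exception): pass  # carries the class name of an O:/C: value
def _int(buf, i, term):
    end = buf.index(term, i)        # ValueError if the terminator is missing
    return int(buf[i:end]), end + 1
def _expect(buf, i, ch):
    if buf[i:i + 1] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")
    return i + 1
def _str(buf, i):  # LEN:"bytes" -> (bytes, next offset); PHP does not escape quotes
    n, i = _int(buf, i, b":")
    i = _expect(buf, i, b'"')
    return buf[i:i + n], _expect(buf, i + n, b'"')

def _walk(buf, i):
    t = buf[i:i + 1]
    if t in (b"N", b"b", b"i", b"d"):  # scalars end at the next ';'
        return buf.index(b";", i) + 1
    if t == b"s":
        _, i = _str(buf, i + 2)
        return _expect(buf, i, b";")
    if t == b"a":                      # a:COUNT:{key value ...}
        n, i = _int(buf, i + 2, b":")
        i = _expect(buf, i, b"{")
        for _ in range(2 * n):
            i = _walk(buf, i)
        return _expect(buf, i, b"}")
    if t in (b"O", b"C"):              # object where only scalars/arrays are expected
        raise ObjectFound(_str(buf, i + 2)[0].decode("latin-1"))
    raise ValueError(f"unknown type tag {t!r} at offset {i}")

def check(rules):
    """Return a reason string if the value needs review, else None."""
    try:
        if rules and _walk(rules, 0) != len(rules):
            raise ValueError("trailing bytes")
    except ObjectFound as exc:
        return f"object: {exc}"
    except ValueError as exc:
        return f"unparseable: {exc}"

def audit(rows):
    return {a: r for a, rules in rows if (r := check(rules))}
```

Parsing by declared string length is what keeps row 11 clean; a plain pattern match for `O:` would flag it, and would miss nothing the walker catches.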
