
Magecart malware menaces Magento merchants

Sansec researchers say as many as 38% of commercial customers running the Adobe Commerce and Magento platforms could be infected with Magecart's TrojanOrders malware.

An outbreak of Magecart attacks has experts warning administrators to patch their Magento and Adobe Commerce installations immediately.

Researchers at ecommerce security vendor Sansec report that as many as 38% of all retail websites running either platform are already infected with TrojanOrders, an attack that uses malicious orders to deliver a remote access Trojan into vulnerable Magento instances. Magecart, a loose collective of cybercriminal groups that specializes in "skimming" attacks and payment card theft, is behind the attacks.

"Merchants and developers should be on the lookout for TrojanOrders: orders that exploit a critical vulnerability in Magento stores," the Sansec threat research team explained in a research post.

"The trend in recent weeks paints a grim picture for ecommerce DevOps teams worldwide for the coming weeks."

The vulnerability in question is CVE-2022-24086, an arbitrary code execution vulnerability related to improper input validation. The flaw, which was disclosed in February, was rated as a critical security risk with a CVSS score of 9.8.

Both the Adobe Commerce Platform and the open source Magento builds are affected. Adobe released a fix for the issue in February, but as Magento and Adobe Commerce are unlikely to be top patching priorities for enterprises, many installations are likely to still be exposed to attack. Sansec said it estimated that at least a third of all Magento and Adobe Commerce stores remain vulnerable.

Cybercriminals appear to be acutely aware of that fact: Sansec estimated that as many as seven different malware groups are actively targeting the vulnerability using exploit kits that sell for anywhere from $20,000 to $30,000 apiece.

In exchange, the criminals get a reliable way to infect commerce sites and harvest the payment card data of customers.

"If a group becomes more successful, the number of attacks will start to rise," Sansec said. "Every extra website hacked brings in extra credit cards, extra payments or extra private data."

What's more, Sansec noted that the attacks arrive just before the prime season for both online retailers and cybercriminals. With the peak of the holiday shopping season about to hit, ecommerce sites will see a surge in traffic, and any active TrojanOrders infections will be able to harvest a bumper crop of payment card details, which can then be resold to fraudsters.

To that end, Sansec is recommending that all administrators make sure their installations of both Adobe Commerce and Magento are up to date. However, with as many as 38% of installations already compromised, it would also be wise to keep an eye out for suspicious transactions, the vendor said.

"The first visible sign is a suspicious new customer record or transaction," Sansec said. "Seeing customers pop up with names or addresses like system or pwd."
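One way to operationalize that first visible sign, as an added example that is not code from Sansec, Adobe or the Magento project: a small Python triage script that scans a constructed CSV export of new customer records for the indicators Sansec names. The column names and the "identical value in every field" heuristic are assumptions, not part of the original report.

```python
import csv
import io

# Indicators quoted by Sansec: customer names or addresses like "system" or "pwd".
WATCHLIST = {"system", "pwd"}
# Fields to inspect; these column names are an assumption about the export format.
FIELDS = ("firstname", "lastname", "street", "city")

# Constructed sample export (not real customer data).
SAMPLE_EXPORT = """customer_id,firstname,lastname,street,city,created_at
1001,Alice,Smith,12 Main St,Springfield,2022-11-14 09:12:00
1002,system,system,system,system,2022-11-14 09:13:41
1003,Bob,Jones,pwd,pwd,2022-11-14 09:14:02
1004,Dave,Dave,Dave,Dave,2022-11-14 09:15:10
"""


def flag_record(rec):
    """Return the reasons a customer record looks suspicious (empty list if none)."""
    reasons = []
    values = [rec.get(f, "").strip() for f in FIELDS]
    lowered = [v.lower() for v in values]
    hits = sorted({v for v in lowered if v in WATCHLIST})
    if hits:
        reasons.append("watchlist value: " + ", ".join(hits))
    # Heuristic (assumption): a real customer rarely repeats one token in every
    # name and address field, whereas automated order submissions often do.
    if values[0] and len(set(lowered)) == 1:
        reasons.append("identical value in every field: " + values[0])
    return reasons


def scan_export(csv_text):
    """Scan a CSV customer export; return {customer_id: [reasons]} for flagged rows."""
    flagged = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        reasons = flag_record(rec)
        if reasons:
            flagged[rec["customer_id"]] = reasons
    return flagged


if __name__ == "__main__":
    for cid, why in scan_export(SAMPLE_EXPORT).items():
        print(cid, "->", "; ".join(why))
```

Flagged records are a starting point for review, not proof of compromise; a hit should trigger checking the installation's patch level and the associated order for signs of tampering.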
