From the beginning
According to Sanguine Security (Sansec), over 2,000 Magento 1 sites were attacked to steal credit card details with an automated skimming script.
On September 11, ten stores were infected with a unique credit card skimming script. The campaign ramped up the next day with 1,058 sites hacked, followed by 603 more on September 13 and an additional 233 on September 14, in a classic Magecart attack pattern.
The attackers used the Magento Connect feature to download and install several malicious files, including a backdoor called mysql.php. These files were automatically deleted once the malicious code had been added to prototype.js (Magento 1 sites) and jquery.js (Magento 2 sites).
The campaign started with a zero-day vulnerability sold on hacker forums by a threat actor named ‘z3r0day’ in August.
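Because the dropped files remove themselves after injection, the durable trace is the altered JavaScript library. The following added example (not Sansec's tooling or code from the report) compares a live webroot against a clean copy of the same release; the file names come from the report, while the directory layout and the demo trees are constructed assumptions.

```python
import hashlib
import os
import tempfile

# File names taken from the report; paths and sample contents are constructed.
SKIMMER_TARGETS = {"prototype.js", "jquery.js"}
DROPPED_FILES = {"mysql.php"}


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def audit_store(live_root, clean_root):
    """Return sorted (finding, relative_path) pairs for live vs. clean copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(live_root):
        for name in files:
            live = os.path.join(dirpath, name)
            rel = os.path.relpath(live, live_root)
            clean = os.path.join(clean_root, rel)
            if name in DROPPED_FILES and not os.path.exists(clean):
                findings.append(("unexpected-file", rel))  # lead, not proof
            elif name in SKIMMER_TARGETS:
                if not os.path.exists(clean):
                    findings.append(("no-baseline", rel))
                elif sha256_of(live) != sha256_of(clean):
                    findings.append(("modified", rel))
    return sorted(findings)


def demo():
    """Build a constructed clean tree and a tampered live tree, then audit."""
    with tempfile.TemporaryDirectory() as tmp:
        for root, extra in (("clean", b""), ("live", b"\n/* appended code */")):
            os.makedirs(os.path.join(tmp, root, "js", "lib"))
            with open(os.path.join(tmp, root, "js", "prototype.js"), "wb") as f:
                f.write(b"var Prototype = {};" + extra)
            with open(os.path.join(tmp, root, "js", "lib", "jquery.js"), "wb") as f:
                f.write(b"var jQuery = {};")
        with open(os.path.join(tmp, "live", "mysql.php"), "wb") as f:
            f.write(b"<?php /* placeholder */ ?>")
        return audit_store(os.path.join(tmp, "live"), os.path.join(tmp, "clean"))


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

A clean result for mysql.php does not clear a store, since the report says those files are deleted after the injection; the hash comparison on prototype.js and jquery.js is the check that still works afterwards.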
Magecart era
There has been an increase in the number of e-commerce sites targeted by Magecart and related groups in the past few months.
Magecart attackers were found using the encrypted messaging service Telegram as a data-exfiltration mechanism.
In July, attackers used the Magecart attack to target the online stores of large U.S. retailers and organizations such as Technokain Solutions, Consumer Electronics Show, Consumer Technology and Association, and Claire's.