Over 1000 Magento stores hit with cryptominer & credential stealing malware

Share this…

Leastways 1,000 Magento based websites including shops have been targeted and infected with this malware, say the information security training researchers.

Threat analysis and cyber-security intelligence firm Flashpoint stated that cybercriminals have been targeting the open-source e-commerce platform Magento with malware since 2016. As a result, hundreds of e-commerce websites running via Magento have already been compromised by hackers to steal credit card numbers and install cryptocurrency miners.

magento 2

Magento has two versions one of which is open source while the other is a curated enterprise version. As is the norm with successful open source products, the enterprise version offers access to support and is exclusively maintained by Magento.

Websites run on Magento platform are compromised via brute-forcing. Hackers use common and already known credentials to compromise the website. According to information security training researchers’ findings, nearly 1,000 admin panels from Magento have been compromised so far. A majority of compromised Magento panels belong to firms in the education and healthcare sector while maximum targets were identified in the US and Europe.

Flashpoint researchers wrote that attacks that are launched using brute-force method are successful only when administrators fail to change the credentials after installing the platform. Hackers can easily create automated scripts using known credentials for facilitating panel access.

After gaining control of the site’s CMS admin panel, attackers can add any script of their choice. Hackers are also targeting other e-commerce processing CMS (content management systems) like Powerfront and OpenCarts too.


Information security training professionals identified that hackers inject malicious code into the core file to get access to payment data processing pages and post requests to the server containing sensitive data. When the compromised website is visited, the visitors get subjected to malware attacks. The site asks the visitor to update Adobe Flash Player software and when the user clicks on the provided link, malware is launched from servers. These infected servers are hosted on sites like GitHub.

Various malware is involved in this campaign; the first downloaded piece is the AZORult data-stealing software, which downloads other malware as well as the cryptominer. Data is then intercepted and transmitted to the hacker.

A similar method is used to install cryptominer. Attackers are looking to mine Rarog cryptocurrency in this particular campaign. It is also identified that the exploitation of Magento admin panels has continued on entry-level and at higher levels on Deep & Dark Web forums since 2016.

Attackers are updating the malicious files on a daily basis to evade detection. This daily updating makes it difficult for security software firms to detect the threat because frequent signature changes cannot be caught immediately.

GitHub is also helping attackers in avoiding detection as they can download and store new code easily. When an organization uploads the White List of safe sides, GitHub is bound to make an appearance. This allows malware downloads to evade blocking. Perhaps this is why attackers prefer to host their malicious codes on GitHub.

Information security training professionals has collaborated with law enforcement to inform victims of the breaches but it is suspected that the scope of the attack is pretty vast while researchers have managed to detect just a fraction of total compromised websites. Most of these sites got hacked by exploiting standard security loopholes.

Researchers have advised Magento admins to immediately revise CMS account credentials to mitigate brute-force attack threat. It is very important to replace old, weak passwords with new stronger ones as well as to enforce 2FA authentication. Besides, Magento employees should be provided with secure password managers while users should be barred from recycling old and used passwords.