FBI warns hackers are planting card skimmers on online stores running a vulnerable Magento plugin

FBI warns hackers are planting card skimmers on online stores running a vulnerable Magento plugin

ZDNet reports that the FBI has issued a “flash alert” warning that hackers are planting Magecart-style payment card-skimming code on Magento-powered online stores running an out-of-date plugin.

According to the alert, cybercriminals were able to infect an unnamed US ecommerce website with a Javascript code that could steal payment card data and personal information entered by shoppers as they attempted to purchase items.

Sneakily, the attackers exfiltrated the sensitive data (which included the payment card number, the card holder’s name, card expiry date, security code, as well as the purchaser’s address, email address, telephone number, and physical address) encoded within a JPG image file.

Skimming code
A decoded snippet of the card-skimming code.

The attack was carried out after the exploitation of the CVE-2017-7391 XSS vulnerability in version 0.7.22 of the Magento Mass Import (MAGMI) plugin.

That vulnerability was discovered in 2017, but disappointingly there are clearly online stores still using the unsafe version of the MAGMI plugin on their Magento-powered store.

As ZDNet points out, updating to the patched version 0.7.23 of the MAGMI plugin is a good idea, but not a long term solution. That’s because the MAGMI plugin only works on websites powered by Magento 1.x, which is due to reach its end of life at the end of next month.

Sign up to our free newsletter.
Security news, advice, and tips.

In short, if you want to keep your online store secure you should not just be updating the MAGMI plugin, but also looking at how you’re going to upgrade to Magento version 2.x from Adobe if you want to continue to receive security updates for the ecommerce platform.

The Coronavirus pandemic must be proving a boon to online criminals who are trying to skim credit card details from unsuspecting online purchasers, for a number of reasons:

  • Many businesses, faced with an inability to sell products face-to-face, have scurried to build an ecommerce site, or dusted off online presences that were not promoted to before, and not enough care may have been taken to ensure that they are updated and secure.
  • Other businesses, with their IT teams based at home rather than the office, may have neglected the security of their websites.
  • More people than ever are buying goods online that they might have normally preferred to purchase in “real life.”

Stay safe folks, and if you’re running a website that requests sensitive information from the public please do ensure that it is properly updated with the latest security patches.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “FBI warns hackers are planting card skimmers on online stores running a vulnerable Magento plugin”

  1. Dave in Denver

    How do I, as a customer, or potential customer, determine uf a site is safe?

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.