Attackers try to compromise Magento with a fake patch

Attackers are still trying to find Magento installations that haven’t patched a particularly bad vulnerability, this time trying to trick people into downloading a fake patch.

The bogus patch purports to fix a flaw known as the Shoplift Bug, or SUPEE-5344, wrote Denis Sinegubko, a senior malware researcher with Sucuri.

“While the patch was released February 2015, many sites unfortunately did not update,” he wrote. “This gave hackers an opportunity to compromise thousands of Magento powered online stores.”

Magento, which is owned by Permira, is one of the most popular e-commerce and content management platforms. It’s used by companies including Nike, Olympus and Ghirardelli Chocolate.

The Shoplift Bug is a remote code execution vulnerability. If exploited, it can give attackers administrative access to an e-commerce store. At that point, a range of bad outcomes are possible.

Other fraudulent administrator accounts can be create or other malware installed. Sinegubko wrote hackers appended JavaScript to certain files that stripped out payment card information or modified PHP files to collect payment information during processing.

“Regardless of technique employed, the results were the same; customer credit card information was being stolen and siphoned off to the hackers,” he wrote.

Even nine months after Magento patched the Shoplift Bug, a rash of new infections was detected that delivered the Neutrino exploit kit. In those instances, compromised Magento sites pulled content from a malicious domain that tried to deliver malware to victims using Neutrino.

The vulnerable Magento versions are CE prior to 1.9.1.1 and EE prior to 1.14.2.0.

Sinegubko recommended that Magento admins ensure they’re using the latest version, change passwords, investigate admin accounts and monitor the integrity of Magento’s files.