98,000 online shops are still exposed to attacks

Apr 24, 2015 07:39 GMT  ·  By

Technical details of a high-severity vulnerability in eBay's Magento ecommerce platform have been published, but the flaw was already being exploited in the wild before the researchers released the steps for leveraging it.

The flaw is a chain of several security weaknesses that together lead to remote code execution, allowing an attacker to completely compromise an online store powered by Magento.

Security researchers at Check Point discovered the vulnerability (dubbed Shoplift) and reported it privately to Magento in January. Publication of the findings was delayed to give Magento time to develop a fix and its customers time to apply it.

Vulnerability is actively exploited

On February 9, Magento released a patch (SUPEE-5344) that eliminates the issue, but tens of thousands of websites remain vulnerable because their administrators have not applied it.

Active exploitation has already been observed. The attacks come from two IP addresses (62.76.177.179 and 185.22.232.218) belonging to machines located in Russia; searching the web server logs for these addresses shows whether a site has been targeted by this particular group.

Another indicator of compromise is the presence of admin accounts named “vpwq” or “defaultmanager,” usernames the group appears to use.

Researchers at Sucuri recovered one exploit (several groups appear to use their own versions) and found that, for now, the attackers use the SQL injection to create an admin account, possibly for later use, according to Sucuri CEO Daniel Cid.
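The two indicators above (the attacker IPs in the access log, the planted admin usernames) can be checked with a small POSIX shell script. The script below is an added example, not code from the article, Check Point, Sucuri or Byte. It only uses the two IP addresses and two usernames named in the report; everything else is an assumption: the access log is in common/combined format with the client IP as the first field, and the admin username list is one name per line, for instance the output of `mysql -N -e 'SELECT username FROM admin_user' <db>` on a Magento 1 install (admin_user is Magento 1's admin account table). The sample log lines and username list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or any of the vendors it cites).
# Indicators from the report: two attacker IPs and two planted usernames.
SHOPLIFT_IPS="62.76.177.179 185.22.232.218"
SHOPLIFT_USERS="vpwq defaultmanager"

# Escape the dots in an IP so it can be used as a literal grep pattern.
ip_pattern() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Count log lines whose client IP (first field, assumption: common/combined
# log format) is one of the reported attacker addresses. Anchoring with
# "^...<space>" keeps an IP that only appears in a referer from matching.
count_attacker_hits() {
    log="$1"
    total=0
    for ip in $SHOPLIFT_IPS; do
        pat=$(ip_pattern "$ip")
        n=$(grep -c "^$pat " "$log" || true)   # grep -c prints 0 on no match
        total=$((total + n))
    done
    echo "$total"
}

# Print the full request lines from the attacker IPs so the operator can see
# what was requested (exploit attempts, admin logins, and so on).
attacker_requests() {
    log="$1"
    for ip in $SHOPLIFT_IPS; do
        grep "^$(ip_pattern "$ip") " "$log" || true
    done
}

# Print every admin username (one per line in the input file) that equals one
# of the reported account names. -x: whole line; -F: fixed string, no regex.
suspicious_admins() {
    users="$1"
    args=""
    for u in $SHOPLIFT_USERS; do
        args="$args -e $u"
    done
    # shellcheck disable=SC2086  # $args is a list of -e options
    grep -x -F $args "$users" || true
}

# --- Constructed sample data (not real logs or real accounts) ---------------
SAMPLE_LOG=$(mktemp)
SAMPLE_USERS=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [23/Apr/2015:10:01:02 +0000] "GET /index.php/ HTTP/1.1" 200 5120
62.76.177.179 - - [23/Apr/2015:10:05:44 +0000] "POST /index.php/admin/ HTTP/1.1" 200 310
185.22.232.218 - - [23/Apr/2015:10:06:10 +0000] "GET /index.php/admin/ HTTP/1.1" 200 2210
198.51.100.9 - - [23/Apr/2015:10:06:30 +0000] "GET / HTTP/1.1" 200 100 "http://62.76.177.179/"
62.76.177.179 - - [23/Apr/2015:10:07:00 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0
EOF
printf '%s\n' admin vpwq shopmanager defaultmanager > "$SAMPLE_USERS"

echo "Requests from reported attacker IPs: $(count_attacker_hits "$SAMPLE_LOG")"
attacker_requests "$SAMPLE_LOG"
echo "Admin accounts matching reported usernames:"
suspicious_admins "$SAMPLE_USERS"
```

Point `count_attacker_hits` and `attacker_requests` at the real access log (rotated logs included, since the attacks predate the disclosure) and feed `suspicious_admins` a dump of the admin_user table. A hit on either check is a reason to treat the store as compromised and investigate further, not merely to apply SUPEE-5344; a clean result only rules out this one group's known indicators, and other groups use their own exploit variants.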

Attacks are expected to increase, admins urged to update Magento

Apart from allowing attackers to steal databases holding sensitive payment and customer information, Shoplift can also be used to buy products from a store at whatever price the attacker chooses.

Check Point released a proof-of-concept video (available below) in which a forged coupon is applied to a purchase to obtain a 100% discount on a watch priced at around $100,000 / €92,000.

Now that the details of the exploit are public, the number of attacks against Magento-powered online shops is expected to increase.

Byte, a Dutch company that hosts Magento websites, announced on Thursday that its scans found 98,089 sites still running a vulnerable version of the platform.

Two days earlier the company had put the number of vulnerable sites at close to 103,000; within a few hours of that report the figure had dropped by 4,000.

Check Point demonstrates Shoplift: