2024-06-27T08:33:17Z https://sansec.io/ Sansec info@sansec.io https://sansec.io/research/widespread-credit-card-hijacking-discovered 2015-11-17T00:00:00Z Criminals have secretly rewired 3,500 online stores to continuously harvest credit card numbers. The fraud can be traced back as far as May 12th 2015, so if you have bought something at one of thes... https://sansec.io/research/visbot-malware-on-6691-stores-analysis 2016-12-01T00:00:00Z Visbot is one of the oldest Magecart payment skimmers: it steals customer data and credit cards. The first case was documented as early as March 2015. But being publicly discussed did not stop it ... https://sansec.io/research/triggered-malware 2017-02-14T00:00:00Z Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But n... https://sansec.io/research/magento-bruteforce-dashboard 2017-04-07T00:00:00Z This post shows how sophisticated Magento hacking operations have become nowadays.While investigating a bruteforced Magento store, we noticed that the hacker logged in using a curious referrer sit... https://sansec.io/research/magento-breach-analysis 2017-04-12T00:00:00Z Part of a series where Magento security professionals share their case notes, so that we can ultimately distill a set of best practices, tools and workflow.Part of the job of running the MageRepo... https://sansec.io/research/fake-magento-patch-9789-is-virus 2017-04-21T00:00:00Z Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798.Update Apr 22nd: added reference to Neutrino Bot and POS systemsThis week a mail was sent out to announce the n... https://sansec.io/research/http-header-order-is-important 2017-05-02T00:00:00Z If you code against Akamai hosted sites, you could be rejected because your HTTP library sends request headers in the wrong order. In fact, most libraries use undefined order, as the IETF specifica... https://sansec.io/research/cryptojacking-found-on-2496-stores 2017-11-07T00:00:00Z Does your laptop get hot when visiting your favorite shop? You computer is likely mining cryptocurrencies to the benefit of a cyberthief.Cryptojacking - running crypto mining software in the brow... https://sansec.io/research/hackers-breach-magento-through-helpdesk 2017-12-28T00:00:00Z Magento merchants have recently received messages like this:Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! -- knockers@yahoo.comUpon closer exa... https://sansec.io/research/magentocore.net-skimmer-most-aggressive-to-date 2018-08-30T00:00:00Z A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.Update 2018-09-07: Because Google Chr... https://sansec.io/research/fake-google-analytics-malware 2018-09-06T00:00:00Z Would you - a webdeveloper - get alarmed if you found the following code on your website? Probably not, as Google Analytics is embedded in pretty much every website these days:<script type=&quo... https://sansec.io/research/abs-cbn.com-hacked 2018-09-18T00:00:00Z While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. We found their broadcasting giant ABS-CBN − a $740 million conglomerate & top-500 global Internet de... https://sansec.io/research/magecart-tripwire 2018-10-04T00:00:00Z Back in 2016, Magecart skimmers would evade detection by sleeping if any developer tools were found running. Then, their malware would 404 without correct Referer or User-Agent header. And now, Ma... https://sansec.io/research/csu-shop-magecarted 2018-10-15T00:00:00Z The store of German political party CSU (www.csu-shop.de) contains an identity skimmer that was planted on or before Oct 5th, right before the Bavarian election on Oct 14th. Personal identifyable ... https://sansec.io/research/magecart-extension-0days 2018-10-23T00:00:00Z Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they are able to inject anything in the first place? As it turn... https://sansec.io/research/webgility-backdoor 2018-10-30T00:00:00Z Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to upgrade to version 345.Update Nov 30th: Webgility has discovered another security issue and urges a... https://sansec.io/research/merchants-struggle-with-magecart-reinfections 2018-11-12T00:00:00Z 1 in 5 compromised merchants get reinfected, average skimming operation lasts 13 daysMageCart, the notorious actors behind massive online card skimming, has been busy. And so have we: our crawlers... https://sansec.io/research/warring-magecart-factions 2018-11-20T00:00:00Z Skimmers found to subtly sabotage each others fraud operations.Competition is grim in the online skimming business (aka "MageCart"). The aggressive MagentoCore skimmer was previously ob... https://sansec.io/research/adminer-4.6.2-file-disclosure-vulnerability 2019-01-17T00:00:00Z Update 2019-01-20: the root cause is a protocol flaw in MySQL.Adminer is a popular PHP tool to administer MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Atta... https://sansec.io/research/sites-hacked-via-mysql-protocal-flaw 2019-01-20T00:00:00Z This week I discovered that large ecommerce and government sites got hacked via the Adminer database tool. As it turns out, the root cause is a protocol flaw in MySQL. Curiously, it is described in... https://sansec.io/research/magento-module-blacklist 2019-01-29T00:00:00Z In October last year I discovered several Magento extension 0days. As it turns out, this was only the tip of the iceberg: today, insecure 3rd party extensions are used to hack into thousands of sto... https://sansec.io/research/atlanta-hawks-magecart 2019-04-24T00:00:00Z MageCart attacks on online stores surged last year, culminating in the hack of British Airways and Ticketmaster. This year the trend continues with another high-profile target. The Atlanta Hawks sh... https://sansec.io/research/polymorphic-skimmer-57-payment-gateways 2019-04-29T00:00:00Z Sansec discovered a polymorphic skimmer that works with 57 different payment gateways. It has global reach, affecting payment systems from Germany to Brazil. It is by far the most advanced skimmer ... https://sansec.io/research/puma-magecart 2019-04-29T00:00:00Z After the NBA Hawks got skimmed last week, this time Puma's Australian customers are cannon fodder for Magecart thieves. Anyone who ordered a pair of sneakers online, had their name, address and cr... https://sansec.io/research/magento-2-hacks 2019-05-10T00:00:00Z The number of hacked Magento 2 stores spiked in the last four weeks, after a critical security flaw was discovered in March and criminals stole admin passwords within 16 hours. Merchants are advise... https://sansec.io/research/pci-rhisac-use-sansec-research 2019-08-01T00:00:00Z The PCI Security Standards Council and the Retail & Hospitality ISAC alert merchants to the threat of digital skimming. In its report, it quotes Sansec research, which has found that about 20% ... https://sansec.io/research/sansec-europol-training-payment-fraud 2019-08-12T00:00:00Z Cementing itself as a global force in the protection against eCommerce fraud, Sansec has been invited to speak at the fifth edition of Europol’s Training Course on Payment Card Fraud Forensic Inves... https://sansec.io/research/fbi-urges-malware-protection 2019-08-17T00:00:00Z The FBI warns small and medium-sized businesses and government agencies against the threat of e-skimming. E-skimming occurs when cyber criminals inject malicious code onto a website.Read the origi... https://sansec.io/research/magento-plugin-vendor-compromised 2019-10-07T00:00:00Z The store of a US Magento extension vendor was found compromised. Attackers had write access to the server selling extensions. We are awaiting a statement on the integrity of downloaded software.O... https://sansec.io/research/american-cancer-society-magecart 2019-10-25T00:00:00Z Digital skimming groups (aka Magecart) hit another low, as they successfully targeted the American Cancer Society last night. Our skimmer detectors found a piece of malicious code embedded on the C... https://sansec.io/research/magecart-hackers-target-sanguine 2019-12-02T00:00:00Z Payment skimmers are hiding their malpractice by impersonating our Sansec anti-skimming service. They have registered malicious domains sansec.us and sanguinelab.net, even using a fake address in A... https://sansec.io/research/magecart-hackers-arrested 2020-01-25T00:00:00Z The Indonesian police announced on Friday that they have arrested three alleged Magecart hackers on December 20th. The suspects are from Jakarta and Yogyakarta and are 23, 26 and 35 years old. Afte... https://sansec.io/research/sanguine-maxcluster-partnership 2020-02-20T00:00:00Z Utrecht, February 20; Sansec is proud to announce that it hasformed a long-term strategic partnership with maxcluster to bring itsindustry-leading anti-malware technology to the German e-commerce... https://sansec.io/research/longest-skimming-operation-yet 2020-02-25T00:00:00Z Sansec, a global leader in eCommerce security, reveals that hackers successfully infiltrated an online printing platform for more than two and a half years. Our research shows that crooks ran keylo... https://sansec.io/research/magento-1-pci-compliance 2020-05-08T00:00:00Z Magento 1 will no longer receive official updates & security fixes per July 1st, 2020 (the end-of-life, or EOL date). Merchants are urged to upgrade to Magento 2, but for many stores this deadl... https://sansec.io/research/magento-1-beyond-june 2020-05-28T00:00:00Z Over a 100 thousands Magento 1 stores will be running after Adobe terminates support in June (end-of-life). Many merchants need more time to transition to Magento 2 or another platform. No need to ... https://sansec.io/research/magecart-corona-lockdown 2020-06-15T00:00:00Z While an international retail chain closed its physical stores, attackers hacked its online presence, Sansec research shows. Following common Magecart malpractice, payment skimmers were injected an... https://sansec.io/research/skimming-google-defeats-csp 2020-06-22T00:00:00Z A newly discovered skimming campaign runs entirely on Google servers, Sansec research shows. The novel malware sends stolen credit cards directly to Google Analytics, evading security controls like... https://sansec.io/research/north-korea-magecart 2020-07-06T00:00:00Z Previously, North Korean hacking activity was mostly restricted to banks and South Korean crypto markets^cryptohack, covert cyber operations that earned hackers $2 billion, according to a 2019 Unit... https://sansec.io/research/cardbleed 2020-09-14T00:00:00Z Update Sept 18: Cardbleed has infected 2806 Magento1 stores so far (3% of total install base)Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the larges... https://sansec.io/research/svg-malware 2020-11-26T00:00:00Z Researchers at Sansec have uncovered a novel technique to inject payment skimmers onto checkout pages. This new malware has two parts: a concealed payload and a decoder, of which the latter reads t... https://sansec.io/research/magento-2-persistent-parasite 2020-12-02T00:00:00Z The affected stores were all running the older Magento 2.2, which is unsupported since December 2019.In addition to the injected flaw, attackers used a hybrid skimming architecture, with front and... https://sansec.io/research/ecommerce-rat-leaks-victims 2020-12-18T00:00:00Z Sansec discovered a clever remote access trojan (RAT) that has been hiding in the alleys of hacked eCommerce servers. Despite the advanced setup, perpetrators mistakenly left a list of victim store... https://sansec.io/research/skimmer-dynamic-exfiltration-shopify-bigcommerce 2020-12-24T00:00:00Z Once the data is intercepted and exfiltrated, the attackers display an error message and the customer is redirected to the real payment page. Customers probably just enter their details again and i... https://sansec.io/research/google-apps-script 2021-02-18T00:00:00Z The Google business application platform Apps Script is used to funnel stolen personal data, Sansec learned. Attackers use the reputation of the trusted Google domain script.google.com to evade mal... https://sansec.io/research/how-magento-hackers-silently-steal-credit-card-data 2021-05-03T00:00:00Z This is what happened to one of our clients. Due to his attentiveness - and a bit of luck! - this merchant noticed some abnormalities in his store’s code. He wasn’t using our malware scanning techn... https://sansec.io/research/ecommerce-malware-linux-avp 2021-11-18T00:00:00Z A merchant recently reached out to us, after hiring two forensic companies but still having malware on his store. As we appreciate a challenge, our team got started and quickly discovered an intric... https://sansec.io/research/cronrat 2021-11-24T00:00:00Z At this time of year we typically see a surge in eCommerce attacks and new malware. Last week we analyzed a clever malware attacking online stores, and today we expose another, much more sophistica... https://sansec.io/research/nginrat 2021-12-01T00:00:00Z Last week we exposed the CronRAT eCommerce malware, which is controlled by a Chinese server. Out of curiosity, we wrote a "custom" RAT client and waited for commands from the far east. Ev... https://sansec.io/research/magento-log4j-log4shell 2021-12-13T00:00:00Z Updated Dec 20th. This article describes how Magento is affected by the critical log4j vulnerability, and what you can (and should) do to prevent a hack.A critical vulnerability in the popular Log... https://sansec.io/research/naturalfreshmall-mass-hack 2022-02-08T00:00:00Z More than 350 ecommerce stores infected with malware in a single day.Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the ... https://sansec.io/research/magento-2-cve-2022-24086 2022-02-14T00:00:00Z Update Feb 21st, 2022: Sansec has observed the first actual attacks in the wild. Patch now! Unfortunately, this validates our previous prediction that abuse would start within days. Attacks are com... https://sansec.io/research/rekoobe-fishpig-magento 2022-09-13T00:00:00Z Update 2022-09-13 FishPig has confirmed the incident and published a status page. It recommends customers to upgrade and/or reinstall all FishPig modules.Sansec discovered malware in the Fishpig ... https://sansec.io/research/magento-2-template-attacks 2022-09-22T00:00:00Z Currently, Sansec eComscan is the only malware scanner that detects the injected remote access trojan (see Virustotal).223sam.jpg attackAll of the observed attacks have been interactive, possibly... https://sansec.io/research/extortion-magento-bitcoin 2022-11-07T00:00:00Z Related: many stores are occassionally contacted by "security researchers" who claim to have found a vulnerability and want a "bounty" to disclose it. In 99% of these cases, the... https://sansec.io/research/trojanorder-magento 2022-11-15T00:00:00Z After a quiet summer, the number of attacks targeting the mail template vulnerability in Magento 2 and Adobe Commerce is rising fast. Merchants and developers should be on the lookout for TrojanOrd... https://sansec.io/research/fake-klaviyo-accounts-added-to-magento 2022-12-21T00:00:00Z Magento 2 template hacks have been raging since a month or two, and Sansec is closely tracking any new attack payloads. So far, we observed about 20 different payloads which all added a basic PHP b... https://sansec.io/research/vendors-defeat-magento-security-patch-simple-check 2023-01-17T00:00:00Z BackgroundAdobe’s fix to CVE-2022-24086 was to remove “smart” mail templates. Many vendors were caught off guard and had to revert to the original functionality. In doing so, they unknowingly expo... https://sansec.io/research/sansec-analysis-12-of-online-stores-leak-private-backups 2023-02-07T00:00:00Z It is a common practice to make ad-hoc backups during store platform maintenance. The problem, however, is that these backups often end up in a public folder. Perhaps the administrator intended to ... https://sansec.io/research/postponed-exfiltration-evades-detection 2023-05-09T00:00:00Z The domain gtag-analytics.com has recently emerged as a threat, employing various cunning techniques to evade detection and targeting unsuspecting users, but what makes it especially deceptive is i... https://sansec.io/research/malware-persistence-via-telegram-and-github 2023-08-22T00:00:00Z Attackers are devising ingenious methods to prolong their skimming activities, aiming for sustained persistence.The usual tactics, techniques, and procedures (TTP) include the creation of disposab... https://sansec.io/research/is-your-stores-newsletter-being-used-for-phishing 2023-11-10T00:00:00Z Cybercriminals in eCommerce are diversifying their targets, now aiming at entire customer databases instead of just stealing credit cards. A recent incident revealed this trend: a hacked Magento ad... https://sansec.io/research/magento-wish-list-exploits 2023-12-18T00:00:00Z In recent weeks, Sansec observed a spike in hacked Magento 2 stores. Our investigations led to a (likely) single attacker, who used a combination of clever techniques to bypass WAFs and competing t... https://sansec.io/research/europol-sansec-action 2024-01-09T00:00:00Z In a strategic alliance, Europol, the European Union Agency for Cybersecurity (ENISA), law enforcement from 17 nations, and key private sector entities such as Sansec, have aligned to counteract th... https://sansec.io/research/virustotal-sansec 2024-03-08T00:00:00Z In January we announced our partnership with Europol and today, we are proud to be recognized by Google as experts in eCommerce security.Sansec and Google have agreed on a data exchange and we tru... https://sansec.io/research/magento-xml-backdoor 2024-04-04T00:00:00Z The following XML code was found in the layout_update database table and is responsible for periodic reinfections of your system.Attackers combine the Magento layout parser with the beberlei/asse... https://sansec.io/research/cosmicsting-unpatched 2024-06-18T00:00:00Z Update June 27th: Adobe has now provided an official, isolated fix that can be applied to installations without requiring upgrade.Update June 27th: our partner Hypernode as actually observed the ... https://sansec.io/research/polyfill-supply-chain-attack 2024-06-25T00:00:00Z Update June 28th: We are flagging more domains that have been used by the same actor to spread malware since at least June 2023: bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionad... https://sansec.io/research/cosmicsting-hitting-major-stores 2024-07-12T00:00:00Z API AbuseAs CosmicSting enables attackers to read any file, attackers can steal Magento's secret encryption key. This encryption key can generate JSON Web Tokens with full administrative API acces... https://sansec.io/research/cosmicsting-cnext-persistent-backdoor 2024-08-27T00:00:00Z CosmicSting (CVE-2024-34102) allows arbitrary file reading on unpatched systems. When combined with CNEXT (CVE-2024-2961), threat actors can escalate to remote code execution, taking over the entir... https://sansec.io/research/cosmicsting 2024-09-16T00:00:00Z ImplicationsCosmicSting targets a critical bug in the Adobe Commerce and Magento platforms. Bad actors use it to read any of your files, such as passwords and other secrets. The typical attack str... https://sansec.io/research/cosmicsting-fallout 2024-10-01T00:00:00Z Sansec research shows that seven different groups have been hacking into 4275 online stores since the publication of CVE-2024-34102 (also known as CosmicSting) on June 11th. Despite ongoing warning... https://sansec.io/research/google-services-abused-skimming-campaigns 2024-12-31T00:00:00Z Google TranslateAttackers are using Google Translate’s page functionality to execute malicious JavaScript files, as demonstrated below:<script src="https://translate.google.co.in/translat... https://sansec.io/research/client-side-security 2025-02-03T00:00:00Z Merchants spend millions of dollars on client-side security solutions to prevent digital skimming attacks. Companies are rushing to implement these tools, often driven by PCI requirements. But here... https://sansec.io/research/magento-apsb25-08 2025-02-12T00:00:00Z APSB25-08 released on Feb 11th, 2025Critical Adobe Commerce/Magento security patches have just been released (CVSS 9.4/10)New versions: 2.4.4-p12, 2.4.5-p11, 2.4.6-p9, 2.4.7-p4, additionally 2.4.... https://sansec.io/research/pci-dss-update-2025 2025-03-06T00:00:00Z It's insanity that we still don't have clarity(Clean_Anteater992)They have to be kidding me (sawer82)It's clusterf after clusterf (andrew_barratt)The Payment Card Industry Security Stan... https://sansec.io/research/csp-usage-2025 2025-03-17T00:00:00Z The new PCI-DSS regulations that will come into effect after March 31st, 2025, require merchants to monitor scripts on their payment pages to prevent digital skimming attacks*. The use of Conte... https://sansec.io/research/gsocket 2025-04-03T00:00:00Z The Sansec Shield WAF detected mass scans for "defunct.dat" and "qfile" files this week. As it turns out, these files contain connection keys that can be used to launch a GSocke... https://sansec.io/research/license-backdoor 2025-05-01T00:00:00Z Hundreds of stores, including a $40 billion multinational, are running backdoored versions of popular ecommerce software. We found that the backdoor is actively used since at least April 20th. Sans... https://sansec.io/research/magento-menu-bar-hack 2025-06-12T00:00:00Z Adobe has just released several security fixes for its Commerce (Magento) platform and one of them is critical (CVE-2025-47110). Adobe urges merchants to patch within 72 hours (highest priority).S... https://sansec.io/research/sessionreaper 2025-09-08T00:00:00Z October 22nd: mass SessionReaper attacks have startedIn August 2025, a critical (CVSS 9.1) flaw was discovered in all versions of Adobe Commerce and Magento. The bug, named "SessionReaper&q... https://sansec.io/research/sessionreaper-exploitation 2025-10-22T00:00:00Z Six weeks after Adobe's emergency patch for SessionReaper (CVE-2025-54236), the vulnerability has entered active exploitation. Sansec Shield detected and blocked the first real-world attacks today,... https://sansec.io/research/mgt-varnish-critical-vulnerability 2025-12-15T00:00:00Z NameMgt_VarnishVulnerable1.0.10 and earlierFixed in1.1.0Sansec researchers discovered a critical vulnerability in the popular Varnish module for Magento. This module, develope... https://sansec.io/research/connectpos-github-token-exposure 2026-01-12T00:00:00Z Sansec researchers discovered that ConnectPOS, a popular Point of Sale solution, had been exposing a GitHub Personal Access Token (PAT) in their public installation instructions for over four years... https://sansec.io/research/keylogger-major-us-bank-employees 2026-01-15T00:00:00Z Update Jan 15th: the malware appears to have been removed. It was live for about 18 hoursSansec detected a keylogger on the employee store of one of America's largest banks. The site serves over 2... https://sansec.io/research/security-txt-trillion-dollar-problem 2026-01-16T00:00:00Z Yesterday, Sansec discovered an active keylogger at an external site of one of America's largest banks. The malware was harvesting private information from over 200,000 potential victims. We detect... https://sansec.io/research/claude-finds-353-zero-days-packagist 2026-01-22T00:00:00Z Open source ecosystems have a long tail security problem. Python, Ruby, Javascript, PHP: these ecosystems have millions of packages. The top 100 packages get scrutinized. The next 5,000, not so muc... https://sansec.io/research/yargo 2026-02-18T00:00:00Z YARA is the industry standard for pattern matching in malware detection. Maintained by VirusTotal, it powers threat detection at nearly every security vendor. At Sansec, we rely on YARA for eComsca... https://sansec.io/research/global-retailer-prestashop-hacked 2026-02-20T00:00:00Z The affected company, with about €100 billion in annual revenue and over 10,000 stores across 25 countries, runs some of its ecommerce operations on the PrestaShop platform. As of publication, the ...