Overview of eCommerce hacks & vulnerabilities
Sansec specializes in digital skimming. We are often “first at the scene” to investigate high profile breaches and publish regularly about our discovery of new attack vectors.
Postponed Exfiltration Evades Detection
The domain gtag-analytics.com has recently emerged as a threat, employing various cunning techniques to evade detection and targeting unsuspecting users, but what makes it especially deceptive is i...
Sansec analysis: 12% of online stores leak private backups
Sansec discovered that one in nine online stores accidentally expose private backups. This mistake could have dire consequences. Online criminals are actively scanning for these backups, as they ...
Vendors defeat Magento security patch (+ simple check)
Magento and Adobe Commerce stores around the world have been hammered with Trojan Order attacks this winter. And even if you have patched or installed Adobe’s 2.4.4 release, you may still be vulner...
Adobe Commerce merchants to be hit with TrojanOrders this season
At least seven Magecart groups are injecting TrojanOrders at approximately 38% of Magento and Adobe Commerce websites in November. After a quiet summer, the number of attacks targeting the mail te...
Extortion of Magento merchants
Sansec has received reports of criminals trying to extort Magento merchants with the message below. As long as the sender does not produce evidence, they almost certainly did not steal your sensiti...
Surge in Magento 2 template attacks
The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In ...
Magento vendor Fishpig hacked, backdoors added
Fishpig, a vendor of popular Magento-Wordpress integrations, has been hacked. Sansec found that attackers have injected malware in Fishpig software and taken control of Fishpig servers. Online stor...
Magento 2 critical vulnerability (CVE-2022-24086 & CVE-2022-24087)
Update Feb 21st, 2022: Sansec has observed the first actual attacks in the wild. Patch now! Unfortunately, this validates our previous prediction that abuse would start within days. Attacks are com...
NaturalFreshMall: a Vulnerable Magento Extension and a Mass Hack
An investigative report by Sansec researchers on how one vulnerable Magento extension leads to a mass web store attack, with Magecart attackers using naturalfreshmall.com to hide and serve malware ...
NginRAT parasite targets Nginx
A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. The parasite is used to steal ...
CronRAT malware hides behind February 31st
In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed “CronRAT”, hides in the Linux calendar system on Febr...
New linux_avp malware hits eCommerce sites
Sansec discovered a new malicious agent “linux_avp” that hides as system process on eCommerce servers. It is being deployed around the world since last week and takes commands from a control server...
Case Study: How eCommerce Hackers Silently Steal Credit Card Data
The majority of online stores have never been hacked and, as a result, take a somewhat lax approach to cybersecurity. However, no less than 20% of all online stores get hacked every year, which mea...
Google Apps Script used to steal data
The Google business application platform Apps Script is used to funnel stolen personal data, Sansec learned. Attackers use the reputation of the trusted Google domain script.google.com to evade mal...
Fake payment page before checkout on Shopify and BigCommerce
A new type of web skimmer was found on a dozen stores hosted on Shopify, BigCommerce, Zen Cart and WooCommerce. Hosted (SaaS) ecommerce platforms like BigCommerce and Shopify do not allow custom J...
eCommerce trojan accidentally leaks victims
Sansec discovered a clever remote access trojan (RAT) that has been hiding in the alleys of hacked eCommerce servers. Despite the advanced setup, perpetrators mistakenly left a list of victim store...
Persistent parasite in EOL Magento 2
Over the last months, hackers have quietly added a subtle security flaw to over 50 large online stores, only to exploit them right before Black Friday, Sansec research shows. The flaw’s presence wo...
Payment skimmer hides in social media buttons
Researchers at Sansec have uncovered a novel technique to inject payment skimmers onto checkout pages. This new malware has two parts: a concealed payload and a decoder, of which the latter reads t...
Cardbleed: 3% of Magento install base hacked
Update Sept 18: Cardbleed has infected 2806 Magento1 stores so far (3% of total install base) Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the larges...
North Korea found skimming US shoppers
North Korean state sponsored hackers are implicated in the interception of online payments from American and European shoppers, Sansec research shows. Hackers associated with the APT Lazarus/HIDDEN...
Digital skimmer runs entirely on Google, defeats CSP
A newly discovered skimming campaign runs entirely on Google servers, Sansec research shows. The novel malware sends stolen credit cards directly to Google Analytics, evading security controls like...
Sansec reveals longest Magecart skimming operation to date [Analysis]
Sansec, a global leader in eCommerce security, reveals that hackers successfully infiltrated an online printing platform for more than two and a half years. Our research shows that crooks ran keylo...
Indonesian Magecart hackers arrested
The Indonesian police announced on Friday that they have arrested three alleged Magecart hackers on December 20th. The suspects are from Jakarta and Yogyakarta and are 23, 26 and 35 years old. Afte...
Payment skimmers have impersonated Sansec
Payment skimmers are hiding their malpractice by impersonating our Sansec anti-skimming service. They have registered malicious domains sansec.us and sanguinelab.net, even using a fake address in A...
Magento security extentions vendor got hacked
The store of a US Magento extension vendor was found compromised. Attackers had write access to the server selling extensions. We are awaiting a statement on the integrity of downloaded software. ...
Critical Magento 2 flaw exploited within 16 hours
The number of hacked Magento 2 stores spiked in the last four weeks, after a critical security flaw was discovered in March and criminals stole admin passwords within 16 hours. Merchants are advise...
57 payment gateways from Germany to Brazil targeted
Sansec discovered a polymorphic skimmer that works with 57 different payment gateways. It has global reach, affecting payment systems from Germany to Brazil. It is by far the most advanced skimmer ...
Bad extensions now main source of Magento hacks: a solution!
In October last year I discovered several Magento extension 0days. As it turns out, this was only the tip of the iceberg: today, insecure 3rd party extensions are used to hack into thousands of sto...
Large sites hacked via Adminer database tool
This week I discovered that large ecommerce and government sites got hacked via the Adminer database tool. As it turns out, the root cause is a protocol flaw in MySQL. Curiously, it is described in...
PHP tool 'Adminer' leaks passwords
Update 2019-01-20: the root cause is a protocol flaw in MySQL. Adminer is a popular PHP tool to administer MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Att...
Competing digital skimmers sabotage each other
Skimmers found to subtly sabotage each others fraud operations Competition is grim in the online skimming business (aka “MageCart”). The aggressive MagentoCore skimmer was previously observed to...
Merchants struggle with MageCart reinfections
1 in 5 compromised merchants get reinfected, average skimming operation lasts 13 days MageCart, the notorious actors behind massive online card skimming, has been busy. And so have we: our crawler...
Backdoor found in Webgility
Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to upgrade to version 345. Update Nov 30th: Webgility has discovered another security issue and urges...
Unpublished security flaws (0days) massively exploited
Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they are able to inject anything in the first place? As it tur...
German political party store hacked before election
The store of German political party CSU (www.csu-shop.de) contains an identity skimmer that was planted on or before Oct 5th, right before the Bavarian election on Oct 14th. Personal identifyable...
MageCart: now with tripwire
Back in 2016, Magecart skimmers would evade detection by sleeping if any developer tools were found running. Then, their malware would 404 without correct Referer or User-Agent header. And now, M...
Is your Google Analytics code malicious?
Would you - a webdeveloper - get alarmed if you found the following code on your website? Probably not, as Google Analytics is embedded in pretty much every website these days: <script type="te...
MagentoCore group hacks 7,339 stores and counting
A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date. Update 2018-09-07: Because Google Ch...
Hackers breached Magento through helpdesk
Magento merchants have recently received messages like this: Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – [email protected] Upon closer ...
Cryptojacking found on 2496 online stores
Does your laptop get hot when visiting your favorite shop? You computer is likely mining cryptocurrencies to the benefit of a cyberthief. Cryptojacking - running crypto mining software in the br...
Why ordering HTTP headers is important
If you code against Akamai hosted sites, you could be rejected because your HTTP library sends request headers in the wrong order. In fact, most libraries use undefined order, as the IETF specifica...
Warning: fake Magento patch 9789 contains virus
Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798. Update Apr 22nd: added reference to Neutrino Bot and POS systems This week a mail was sent out to announce the...
A Magento breach analysis: part 1
Part of a series where Magento security professionals share their case notes, so that we can ultimately distill a set of best practices, tools and workflow. Part of the job of running the MageRe...
An OpenCart/Magento hacking dashboard
This post shows how sophisticated Magento hacking operations have become nowadays. While investigating a bruteforced Magento store, we noticed that the hacker logged in using a curious referrer si...
Self-healing malware restores itself after deletion
Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But ...
Visbot malware found on 6691 stores [analysis]
Visbot is one of the oldest Magecart payment skimmers: it steals customer data and credit cards. The first case was documented as early as March 2015. But being publicly discussed did not stop it...
'Our store is safe because we use https'
Update Dec 1st: already 2300 stores have been fixed! Thanks to everybody who tirelessly notified and fixed stores. Online card skimming is up 69% since Nov 2015 Multiple groups involved M...
Criminals have rewired 3,500 online stores
Criminals have secretly rewired 3,500 online stores to continuously harvest credit card numbers. The fraud can be traced back as far as May 12th 2015, so if you have bought something at one of thes...
Hackers get smarter every day.
Outsmart them with eComscan.
eComscan is the automated backend security scanner that keeps your online store safe from attackers. Discover vulnerabilities and malicious activity instantly.
Sansec experts study dozens of hacks every day to keep you protected. Sansec is the only company specializing in Magento security and is a proud Adobe partner.