Sansec research

Sansec specializes in digital skimming. We are often “first at the scene” to investigate high-profile breaches and publish regularly about our discovery of new attack vectors.

Sansec reveals longest Magecart skimming operation to date [Analysis]

Sansec, a global leader in eCommerce security, reveals that hackers successfully infiltrated an online printing platform for more than two and a half years. Our research shows that crooks ran keylo...

Indonesian Magecart hackers arrested

The Indonesian police announced on Friday that they arrested three alleged Magecart hackers on December 20th. The suspects are from Jakarta and Yogyakarta and are 23, 26 and 35 years old. Afte...

Payment skimmers target Sansec

Payment skimmers are hiding their malpractice by impersonating our Sansec anti-skimming service. They have registered malicious domains sansec.us and sanguinelab.net, even using a fake address in A...

Vendor of Magento (security) extensions compromised

The store of a US Magento extension vendor was found compromised. Attackers had write access to the server selling extensions. We are awaiting a statement on the integrity of downloaded software. ...

You had 16 hours to patch Magento 2

The number of hacked Magento 2 stores spiked in the last four weeks, after a critical security flaw was discovered in March and criminals stole admin passwords within 16 hours. Merchants are advise...

Polymorphic skimmer targets 57 payment gateways

Sansec discovered a polymorphic skimmer that works with 57 different payment gateways. It has global reach, affecting payment systems from Germany to Brazil. It is by far the most advanced skimmer ...

Bad extensions now main source of Magento hacks: a solution!

In October last year I discovered several Magento extension 0days. As it turns out, this was only the tip of the iceberg: today, insecure 3rd party extensions are used to hack into thousands of sto...

MySQL client allows MySQL server to request any local file

This week I discovered that large ecommerce and government sites got hacked via the Adminer database tool. As it turns out, the root cause is a protocol flaw in MySQL. Curiously, it is described in...

Adminer leaks passwords; Magecart hackers rejoice

Update 2019-01-20: the root cause is a protocol flaw in MySQL. Adminer is a popular PHP tool to administer MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Att...

Advanced sabotage among competing Magecart factions

Skimmers found to subtly sabotage each other's fraud operations. Competition is grim in the online skimming business (aka “MageCart”). The aggressive MagentoCore skimmer was previously observed to...

Merchants struggle with MageCart reinfections

1 in 5 compromised merchants get reinfected; average skimming operation lasts 13 days. MageCart, the notorious actors behind massive online card skimming, has been busy. And so have we: our crawler...

Backdoor found in Webgility

Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to upgrade to version 345. Update Nov 30th: Webgility has discovered another security issue and urges...

Multiple 0days used by Magecart

Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they able to inject anything in the first place? As it tur...

CSU store hacked right before election

The store of German political party CSU (www.csu-shop.de) contains an identity skimmer that was planted on or before Oct 5th, right before the Bavarian election on Oct 14th. Personally identifiable...

MageCart: now with tripwire

Back in 2016, Magecart skimmers would evade detection by sleeping if any developer tools were found running. Then, their malware would 404 without correct Referer or User-Agent header. And now, M...

A Google Analytics thief uncovered

Would you - a web developer - get alarmed if you found the following code on your website? Probably not, as Google Analytics is embedded in pretty much every website these days: <script type="te...

MagentoCore skimmer most aggressive to date

A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date. Update 2018-09-07: Because Google ...

Hackers breached Magento through helpdesk

Magento merchants have recently received messages like this: Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – [email protected] Upon closer ...

Cryptojacking found on 2496 online stores

Does your laptop get hot when visiting your favorite shop? Your computer is likely mining cryptocurrencies to the benefit of a cyberthief. Cryptojacking - running crypto mining software in the br...

Why ordering HTTP headers is important

If you code against Akamai hosted sites, you could be rejected because your HTTP library sends request headers in the wrong order. In fact, most libraries use undefined order, as the IETF specifica...

Warning: fake Magento patch 9789 contains virus

Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798. Update Apr 22nd: added reference to Neutrino Bot and POS systems. This week a mail was sent out to announce the...

A Magento breach analysis (part 1)

Part of a series where Magento security professionals share their case notes, so that we can ultimately distill a set of best practices, tools and workflow. Part of the job of running the MageRe...

An OpenCart/Magento hacking dashboard

This post shows how sophisticated Magento hacking operations have become nowadays. While investigating a bruteforced Magento store, we noticed that the hacker logged in using a curious referrer si...

Self-healing malware discovered

Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But ...

Visbot malware found on 6691 stores [analysis]

Visbot does what you would expect from any self-respecting malware: steal customer data and credit cards (aka skimming). And it is not even new: the first case was documented as early as March 20...

5900 online stores found skimming [analysis]

Update Dec 1st: already 2300 stores have been fixed! Thanks to everybody who tirelessly notified and fixed stores. Online card skimming is up 69% since Nov 2015. Multiple groups involved. M...

Widespread credit card hijacking discovered

Criminals have secretly rewired 3,500 online stores to continuously harvest credit card numbers. The fraud can be traced back as far as May 12th 2015, so if you have bought something at one of thes...

Sansec forensic experts were the first to document digital skimming in 2015. Since then, we have investigated thousands of hacked stores. Our research of the latest attack vectors protects our customers around the world. Our anti-skimming technology and data are used by merchants, forensic investigators, financial anti-fraud teams and service providers.
