Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites

Winston Ighodaro

4/7/2024, 1 min read

Threat actors have been exploiting a critical vulnerability in Magento, injecting a persistent backdoor into e-commerce websites. The attack exploits CVE-2024-20720 (CVSS score: 9.1), characterized by Adobe as improper neutralization of special elements, potentially leading to arbitrary code execution. Adobe addressed this issue with security updates released on February 13, 2024.

Sansec discovered a carefully crafted layout template stored in the database that automatically injects malicious code to execute arbitrary commands. The attackers abuse the Magento layout parser together with the beberlei/assert package to reach system command execution. The code runs whenever <store>/checkout/cart is requested, because the layout block is bound to the checkout cart.

The command executed is sed, which writes a code-execution backdoor. That backdoor in turn deploys a Stripe payment skimmer that captures financial data and sends it to another compromised Magento store.
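As an added defender-side example (not code from the original post, from Sansec or from Magento), the following Python scans rows that could be pulled from Magento's layout_update table (the table and column names are my assumption) for the pattern the post describes: a stored layout block that references the beberlei/assert library or carries a shell command, bound to the checkout cart handle. The sample rows and the detection patterns are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic patterns (my assumptions, not indicators published in the post):
# an assertion-library class or a shell fragment does not belong in a stored layout update.
CLASS_PATTERN = re.compile(r"beberlei|Assert\\Assertion", re.IGNORECASE)
SHELL_PATTERN = re.compile(r"\b(sed|base64|curl|wget|sh)\b\s+-", re.IGNORECASE)

def scan_layout_update(handle, xml_text):
    """Return a list of (handle, reason) findings for one layout_update row."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # A stored row that is not valid XML deserves a manual look on its own.
        return [(handle, "layout XML does not parse")]
    for element in root.iter():
        # Inspect element text and every attribute value (class="...", name="...").
        for value in [element.text or ""] + list(element.attrib.values()):
            if CLASS_PATTERN.search(value):
                findings.append((handle, f"<{element.tag}> references assertion library: {value.strip()}"))
            if SHELL_PATTERN.search(value):
                findings.append((handle, f"<{element.tag}> contains shell-like command: {value.strip()}"))
    return findings

def scan_rows(rows):
    """rows: iterable of (handle, xml) tuples, e.g. from SELECT handle, xml FROM layout_update."""
    results = []
    for handle, xml_text in rows:
        results.extend(scan_layout_update(handle, xml_text))
    return results

# Constructed sample rows standing in for the layout_update table (not real data).
SAMPLE_ROWS = [
    ("default", """<body><referenceContainer name="footer">
        <block class="Magento\\Framework\\View\\Element\\Template" name="promo" template="Magento_Theme::promo.phtml"/>
    </referenceContainer></body>"""),
    ("checkout_cart_index", """<body><referenceContainer name="content">
        <block class="Assert\\Assertion" name="fake.cart.block">
            <argument name="data">sed -i CONSTRUCTED_PLACEHOLDER</argument>
        </block>
    </referenceContainer></body>"""),
]

if __name__ == "__main__":
    for handle, reason in scan_rows(SAMPLE_ROWS):
        print(f"[{handle}] {reason}")
```

In practice, feed it the real rows and review every hit by hand: the heuristics favour recall, and a legitimate third-party layout update can still trip them.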

This development coincides with the Russian government charging six individuals with using skimmer malware to steal credit card and payment information from foreign e-commerce platforms since late 2017. The suspects, Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev, were arrested approximately a year ago, according to court documents cited by Recorded Future News.

The Prosecutor General's Office of the Russian Federation stated that the group unlawfully obtained data on nearly 160,000 payment cards belonging to foreign nationals and subsequently sold it on underground internet platforms.