Attackers Install E-Skimmers Thanks to a Three-Year-Old Vulnerability, the FBI Warns

Magecart Abuses a Three-Year-Old Vulnerability

Unlike other entries in the cybersecurity glossary of technical terms, the word 'e-skimmer' is pretty straightforward to explain. Just like a physical card skimmer scrapes banking card details from an ATM, an e-skimmer steals shoppers' financial data from the checkout pages of e-commerce websites. Weirdly, however, cybersecurity professionals rarely use the word 'e-skimmer' nowadays. Most of these attacks are now described with the term 'Magecart,' and that's because, for the last couple of years, most e-skimmers have been installed on online shops built with Magento, an open-source platform for e-commerce websites.

At first, the term "Magecart" was associated with a single group of hackers that was injecting several lines of card-stealing JavaScript code into online stores' checkout pages, but later, the malware became so popular with so many different threat actors that it slowly became a collective name for all attacks of this type. Quite a few high-profile websites fell victim to Magecart attacks, and in October of last year, none other than the FBI warned online shop administrators about the risks associated with Magecart.

Predictably, not everyone listened, and Magecart didn't disappear overnight. On the contrary, e-commerce websites continue to suffer from Magecart infections, and cybersecurity specialists, as well as law enforcement agencies, continue to try and prevent them. Recently, the FBI issued yet another warning, this time describing a particular attack vector used by Magecart actors.

Hackers use a vulnerable Magento plugin to launch Magecart attacks

In order to inject malicious code into a website, the hackers need to compromise the target's security in some way, and the FBI has apparently noticed a bit of a trend in how they do it. According to ZDNet, online shop owners who use an old Magento plugin called Magento Mass Import (or MAGMI) are urged to take the necessary steps and improve the security of their website.

In April 2017, security experts discovered a cross-site scripting vulnerability in MAGMI 0.7.22, which lets hackers access files and inject malicious code into the targeted website. The vulnerability is tracked as CVE-2017-7391, and it's apparently still present on many websites. According to the FBI's alert, quite a few recent attacks were facilitated by CVE-2017-7391. Once the hackers inject their code, the malware scrapes unsuspecting buyers' financial information, Base64-encodes it into a JPG file, and sends it to the cybercriminals.

CVE-2017-7391 was fixed a while ago, and updating MAGMI to version 0.7.23 will stop this particular infection vector. In their alert, the feds also included indicators of compromise, which administrators can use to improve the security of their websites. Unfortunately, this might not be quite enough to properly secure a Magento-based online shop.
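The alert's point about indicators of compromise, and the exfiltration pattern described above (card data Base64-encoded and sent out disguised as a JPG request), can be turned into a simple defender-side check. The script below is an added example, not part of the FBI alert or the article: it walks constructed proxy log lines, picks out requests for image files whose query string carries a long Base64-looking value, decodes it, and flags it if the decoded text contains a Luhn-valid card number. Hosts, the log format and the payload are all hypothetical; the card number is the standard 4111... test value.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, quote, urlparse

# Constructed sample: card data Base64-encoded and smuggled inside a request for a
# "JPG", as the article describes (hypothetical hosts, standard test card number).
_PAYLOAD = base64.b64encode(
    json.dumps({"cc": "4111111111111111", "exp": "12/24", "cvv": "123"}).encode()
).decode()
SAMPLE_LOG = [  # constructed proxy log lines: "METHOD URL STATUS"
    "GET https://shop.example/skin/frontend/base/default/images/logo.jpg 200",
    f"POST https://cdn.example.invalid/img/pixel.jpg?d={quote(_PAYLOAD, safe='')} 200",
    "GET https://shop.example/checkout/onepage/ 200",
]
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")  # long Base64-looking value
DIGITS_RE = re.compile(r"\d{13,19}")               # card-number-length digit runs


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def decode_b64(value: str) -> str:  # standard or URL-safe, stripped padding tolerated
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    return raw.decode("utf-8", errors="ignore")


def find_image_exfil(lines):
    """Return (url, cards) for image requests whose query carries Luhn-valid card numbers."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlparse(parts[1])
        if not url.path.lower().endswith((".jpg", ".jpeg", ".png", ".gif")):
            continue
        for _, val in parse_qsl(url.query, keep_blank_values=True):
            if B64_RE.match(val):
                cards = [n for n in DIGITS_RE.findall(decode_b64(val)) if luhn_ok(n)]
                if cards:
                    hits.append((parts[1], cards))
    return hits
```

Real skimmers also exfiltrate via POST bodies and custom encodings, so treat this as one heuristic alongside the published indicators, not a complete detector.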

Online stores still use Magento 1

The problem is bigger than you might think, and to realize why this is the case, we need a bit of a history lesson. Magento was originally developed by a company called Varien, and it was first launched in March 2008. After quite a few delays, Magento 2.0, the latest major release, saw the light of day seven years later, in November 2015.

CVE-2017-7391, the three-year-old vulnerability that prompted the FBI alert, is found in MAGMI, a plugin that only works with Magento 1. In other words, if a website uses MAGMI, it's built on a pretty old platform. What's more, on June 30, 2020, all Magento 1.x versions will reach end-of-life and will stop receiving security updates.

In other words, after they update their MAGMI plugin, administrators who could be affected by this attack should also think about migrating their shops to more modern and more secure platforms.

May 19, 2020
