At least 1,000 Magento-Powered Sites Compromised
E-commerce sites running on the Magento platform are being compromised by profit-motivated criminals via brute-force attacks against administrator panels using common and default Magento credentials. So far, at least 1,000 Magento sites have been impacted and infected with malicious scripts designed to steal payment card data or deliver additional malware, according to security researchers at Flashpoint. The compromised sites are being exploited to mine cryptocurrency, log payment card data via card-scraping malware such as AZORult, and redirect visitors to malicious sites that attempt to install malware onto their systems via a fraudulent Adobe Flash update.

The majority of the identified compromised sites are associated with the education and healthcare sectors and are hosted on servers in the US and Europe. At least 365 sites hosted on servers within New Jersey are running Magento and could become targets of this attack if not secured with unique, lengthy, and complex administrator credentials.

The NJCCIC recommends that all administrators of Magento-powered sites review the Flashpoint blog for additional information, including indicators of compromise (IoCs) and the associated YARA rule, and follow the recommendations outlined in the Magento Security Best Practices guide to secure their websites against this and other attacks.