Sansec Threat Research & News

Sansec specializes in digital skimming. We are often "first at the scene" to investigate high profile breaches and publish regularly about our discovery of new attack vectors.

Is your store’s newsletter being used for phishing?

2023-11-10 Cybercriminals in eCommerce are diversifying their targets, now aiming at entire customer databases instead of just stealing credit cards. A recent incident revealed this trend: a hacked Magento ad...

Malware Persistence via Telegram and GitHub

2023-08-22 Attackers are devising ingenious methods to prolong their skimming activities, aiming for sustained persistence. The usual tactics, techniques, and procedures (TTP) include the creation of disposab...

Postponed Exfiltration Evades Detection

2023-05-09 The domain gtag-analytics.com has recently emerged as a threat, employing various cunning techniques to evade detection and targeting unsuspecting users, but what makes it especially deceptive is i...

Sansec analysis: 12% of online stores leak private backups

2023-02-07 Sansec discovered that one in nine online stores accidentally expose private backups*. This mistake could have dire consequences. Online criminals are actively scanning for these backups, as they ...

Vendors defeat Magento security patch (+ simple check)

2023-01-17 Magento and Adobe Commerce stores around the world have been hammered with Trojan Order attacks this winter. And even if you have patched or installed Adobe’s 2.4.4 release, you may still be vulner...

Fake Klaviyo accounts added to Magento

2022-12-21 Are your Magento admin accounts legitimate? Chances are, that a klaviyo_support_XXXX account was added this week. Best to quickly remove it and read the rest of this article. Magento 2 template hac...

Adobe Commerce merchants to be hit with TrojanOrders this season

2022-11-15 At least seven Magecart groups are injecting TrojanOrders at approximately 38% of Magento and Adobe Commerce websites in November. After a quiet summer, the number of attacks targeting the mail tem...

Extortion of Magento merchants

2022-11-07 Sansec has received reports of criminals trying to extort Magento merchants with the message below. As long as the sender does not produce evidence, they almost certainly did not steal your sensiti...

Surge in Magento 2 template attacks

2022-09-22 The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In ...

Magento vendor Fishpig hacked, backdoors added

2022-09-13 Fishpig, a vendor of popular Magento-Wordpress integrations, has been hacked. Sansec found that attackers have injected malware in Fishpig software and taken control of Fishpig servers. Online stor...

Magento 2 critical vulnerability (CVE-2022-24086 & CVE-2022-24087)

2022-02-14 Update Feb 21st, 2022: Sansec has observed the first actual attacks in the wild. Patch now! Unfortunately, this validates our previous prediction that abuse would start within days. Attacks are com...

NaturalFreshMall: a Vulnerable Magento Extension and a Mass Hack

2022-02-08 An investigative report by Sansec researchers on how one vulnerable Magento extension leads to a mass web store attack, with Magecart attackers using naturalfreshmall.com to hide and serve malware ...

Magento and the Log4j vulnerability

2021-12-13 Updated Dec 20th. This article describes how Magento is affected by the critical log4j vulnerability, and what you can (and should) do to prevent a hack. A critical vulnerability in the popular Log...

NginRAT parasite targets Nginx

2021-12-01 A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. The parasite is used to steal ...

CronRAT malware hides behind February 31st

2021-11-24 In the run-up to Black Friday, Sansec discovered a sophisticated threat that is packed with never-seen stealth techniques. This malware, dubbed "CronRAT", hides in the Linux calendar syst...

New linux_avp malware hits eCommerce sites

2021-11-18 Sansec discovered a new malicious agent "linux_avp" that hides as system process on eCommerce servers. It is being deployed around the world since last week and takes commands from a cont...

Case Study: How eCommerce Hackers Silently Steal Credit Card Data

2021-05-03 The majority of online stores have never been hacked and, as a result, take a somewhat lax approach to cybersecurity. However, no less than 20% of all online stores get hacked every year, which mea...

Google Apps Script used to steal data

2021-02-18 The Google business application platform Apps Script is used to funnel stolen personal data, Sansec learned. Attackers use the reputation of the trusted Google domain script.google.com to evade mal...

Fake payment page before checkout on Shopify and BigCommerce

2020-12-24 A new type of web skimmer was found on a dozen stores hosted on Shopify, BigCommerce, Zen Cart and WooCommerce. Hosted (SaaS) ecommerce platforms like BigCommerce and Shopify do not allow custom J...

eCommerce trojan accidentally leaks victims

2020-12-18 Sansec discovered a clever remote access trojan (RAT) that has been hiding in the alleys of hacked eCommerce servers. Despite the advanced setup, perpetrators mistakenly left a list of victim store...

Persistent parasite in EOL Magento 2

2020-12-02 Over the last months, hackers have quietly added a subtle security flaw to over 50 large online stores, only to exploit them right before Black Friday, Sansec research shows. The flaw's presence wo...

Payment skimmer hides in social media buttons

2020-11-26 Researchers at Sansec have uncovered a novel technique to inject payment skimmers onto checkout pages. This new malware has two parts: a concealed payload and a decoder, of which the latter reads t...

Cardbleed: 3% of Magento install base hacked

2020-09-14 Update Sept 18: Cardbleed has infected 2806 Magento1 stores so far (3% of total install base). Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the largest...

North Korea found skimming US shoppers

2020-07-06 North Korean state sponsored hackers are implicated in the interception of online payments from American and European shoppers, Sansec research shows. Hackers associated with the APT Lazarus/HIDDEN...

Digital skimmer runs entirely on Google, defeats CSP

2020-06-22 A newly discovered skimming campaign runs entirely on Google servers, Sansec research shows. The novel malware sends stolen credit cards directly to Google Analytics, evading security controls like...

Lockdown: Stores closed, online stores hacked

2020-06-15 While an international retail chain closed its physical stores, attackers hacked its online presence, Sansec research shows. Following common Magecart malpractice, payment skimmers were injected an...

Do these two things to keep your Magento 1 store running after June

2020-05-28 Over a hundred thousand Magento 1 stores will still be running after Adobe terminates support in June (end-of-life). Many merchants need more time to transition to Magento 2 or another platform. No need to ...

Will Magento 1 stay PCI compliant?

2020-05-08 Magento 1 will no longer receive official updates & security fixes as of July 1st, 2020 (the end-of-life, or EOL date). Merchants are urged to upgrade to Magento 2, but for many stores this deadl...

Sansec reveals longest Magecart skimming operation to date [Analysis]

2020-02-25 Sansec, a global leader in eCommerce security, reveals that hackers successfully infiltrated an online printing platform for more than two and a half years. Our research shows that crooks ran keylo...

Sansec partners with Maxcluster

2020-02-20 Utrecht, February 20; Sansec is proud to announce that it has formed a long-term strategic partnership with maxcluster to bring its industry-leading anti-malware technology to the German e-commerce...

Indonesian Magecart hackers arrested

2020-01-25 The Indonesian police announced on Friday that they have arrested three alleged Magecart hackers on December 20th. The suspects are from Jakarta and Yogyakarta and are 23, 26 and 35 years old. Afte...

Payment skimmers have impersonated Sansec

2019-12-02 Payment skimmers are hiding their malpractice by impersonating our Sansec anti-skimming service. They have registered malicious domains sansec.us and sanguinelab.net, even using a fake address in A...

American Cancer Society hit by payment skimmer

2019-10-25 Digital skimming groups (aka Magecart) hit another low, as they successfully targeted the American Cancer Society last night. Our skimmer detectors found a piece of malicious code embedded on the C...

Magento security extensions vendor got hacked

2019-10-07 The store of a US Magento extension vendor was found compromised. Attackers had write access to the server selling extensions. We are awaiting a statement on the integrity of downloaded software. O...

FBI recommends malware scanning against skimming

2019-08-17 The FBI warns small and medium-sized businesses and government agencies against the threat of e-skimming. E-skimming occurs when cyber criminals inject malicious code onto a website. Read the origi...

Sansec at Europol training: 50,000+ stores hacked

2019-08-12 Cementing itself as a global force in the protection against eCommerce fraud, Sansec has been invited to speak at the fifth edition of Europol’s Training Course on Payment Card Fraud Forensic Inves...

PCI-SSC/RHISAC quote Sansec: 20% stores reinfected

2019-08-01 The PCI Security Standards Council and the Retail & Hospitality ISAC alert merchants to the threat of digital skimming. In its report, it quotes Sansec research, which has found that about 20% ...

Critical Magento 2 flaw exploited within 16 hours

2019-05-10 The number of hacked Magento 2 stores spiked in the last four weeks, after a critical security flaw was discovered in March and criminals stole admin passwords within 16 hours. Merchants are advise...

Sports brand Puma infected with advanced malware

2019-04-29 On April 25th, sports brand Puma Australia got infected with the most sophisticated payment skimmer to date. After the NBA Hawks got skimmed last week, this time Puma's Australian customers are can...

57 payment gateways from Germany to Brazil targeted

2019-04-29 Sansec discovered a polymorphic skimmer that works with 57 different payment gateways. It has global reach, affecting payment systems from Germany to Brazil. It is by far the most advanced skimmer ...

Credit cards of Atlanta Hawks fans stolen

2019-04-24 Online credit card thieves - also known as Magecart - have managed to inject a payment skimmer in the online store of the Atlanta Hawks. Fans who ordered merchandize on or after April 20th had the...

Bad extensions now main source of Magento hacks: a solution!

2019-01-29 In October last year I discovered several Magento extension 0days. As it turns out, this was only the tip of the iceberg: today, insecure 3rd party extensions are used to hack into thousands of sto...

Large sites hacked via Adminer database tool

2019-01-20 This week I discovered that large ecommerce and government sites got hacked via the Adminer database tool. As it turns out, the root cause is a protocol flaw in MySQL. Curiously, it is described in...

PHP tool 'Adminer' leaks passwords

2019-01-17 Update 2019-01-20: the root cause is a protocol flaw in MySQL. Adminer is a popular PHP tool to administer MySQL and PostgreSQL databases. However, it can be lured to disclose arbitrary files. Atta...

Competing digital skimmers sabotage each other

2018-11-20 Skimmers found to subtly sabotage each other's fraud operations. Competition is grim in the online skimming business (aka "MageCart"). The aggressive MagentoCore skimmer was previously obs...

Merchants struggle with MageCart reinfections

2018-11-12 1 in 5 compromised merchants get reinfected; the average skimming operation lasts 13 days. MageCart, the notorious actors behind massive online card skimming, has been busy. And so have we: our crawlers...

Backdoor found in Webgility

2018-10-30 Update Nov 23rd: Webgility has released a patch and a public statement, urging all customers to upgrade to version 345. Update Nov 30th: Webgility has discovered another security issue and urges ...

Unpublished security flaws (0days) massively exploited

2018-10-23 Online credit card theft has been all over the news: criminals inject hidden card stealers on legitimate checkout pages. But how are they able to inject anything in the first place? As it turn...

German political party store hacked before election

2018-10-15 The store of German political party CSU (www.csu-shop.de) contains an identity skimmer that was planted on or before Oct 5th, right before the Bavarian election on Oct 14th. Personal identifiable ...

MageCart: now with tripwire

2018-10-04 Back in 2016, Magecart skimmers would evade detection by sleeping if any developer tools were found running. Then, their malware would 404 without correct Referer or User-Agent header. And now, Ma...

ABS-CBN next in series of high profile breaches

2018-09-18 While Filipinos are recovering from typhoon Mangkhut, another misfortune awaits them online. I found their broadcasting giant ABS-CBN − a $740 million conglomerate & top-500 global Internet des...

Is your Google Analytics code malicious?

2018-09-06 Would you - a webdeveloper - get alarmed if you found the following code on your website? Probably not, as Google Analytics is embedded in pretty much every website these days: <script type=&quo...

MagentoCore group hacks 7,339 stores and counting

2018-08-30 A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date. Update 2018-09-07: Because Google Chr...

Hackers breached Magento through helpdesk

2017-12-28 Magento merchants have recently received messages like this: Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! -- [email protected] Upon closer exa...

Cryptojacking found on 2496 online stores

2017-11-07 Does your laptop get hot when visiting your favorite shop? Your computer is likely mining cryptocurrencies to the benefit of a cyberthief. Cryptojacking - running crypto mining software in the brow...

Why ordering HTTP headers is important

2017-05-02 If you code against Akamai-hosted sites, you could be rejected because your HTTP library sends request headers in the wrong order. In fact, most libraries use an undefined order, as the IETF specifica...

Warning: fake Magento patch 9789 contains virus

2017-04-21 Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798. Update Apr 22nd: added reference to Neutrino Bot and POS systems This week a mail was sent out to announce the ne...

A Magento breach analysis: part 1

2017-04-12 Part of a series where Magento security professionals share their case notes, so that we can ultimately distill a set of best practices, tools and workflow. Part of the job of running the MageRepo...

An OpenCart/Magento hacking dashboard

2017-04-07 This post shows how sophisticated Magento hacking operations have become nowadays. While investigating a bruteforced Magento store, we noticed that the hacker logged in using a curious referrer sit...

Self-healing malware restores itself after deletion

2017-02-14 Regular Javascript-based malware is normally injected in the static header or footer HTML definitions in the database. Cleaning these records used to be sufficient to get rid of the malware. But n...

Visbot malware found on 6691 stores [analysis]

2016-12-01 Visbot is one of the oldest Magecart payment skimmers: it steals customer data and credit cards. The first case was documented as early as March 2015. But being publicly discussed did not stop it ...

'Our store is safe because we use https'

2016-10-11 Update Dec 1st: already 2300 stores have been fixed! Thanks to everybody who tirelessly notified and fixed stores. Online card skimming is up 69% since Nov 2015. Multiple groups involved. Merchants...

Criminals have rewired 3,500 online stores

2015-11-17 Criminals have secretly rewired 3,500 online stores to continuously harvest credit card numbers. The fraud can be traced back as far as May 12th 2015, so if you have bought something at one of thes...