Attackers try to compromise Magento with a fake patch

The vulnerability targeted was patched last year by Magento, but admins may not have updated

Credit: IDGNS

Attackers are still trying to find Magento installations that haven't patched a particularly bad vulnerability, this time trying to deliver malware that has been renamed as a patch.

The bogus patch purports to fix a flaw known as the Shoplift Bug, or SUPEE-5344, wrote Denis Sinegubko, a senior malware researcher with Sucuri.

"While the patch was released February 2015, many sites unfortunately did not update," he wrote. "This gave hackers an opportunity to compromise thousands of Magento powered online stores."

Magento, which eBay sold to investment fund Permira in November, is one of the most popular e-commerce and content management platforms. It's used by companies including Nike, Olympus and Ghirardelli Chocolate.

The Shoplift Bug is a remote code execution vulnerability. If exploited, it can give attackers administrative access to an e-commerce store. At that point, a range of bad outcomes are possible.

Other fraudulent administrator accounts can be create or other malware installed. Sinegubko wrote hackers appended JavaScript to certain files that stripped out payment card information or modified PHP files to collect payment information during processing.

"Regardless of technique employed, the results were the same; customer credit card information was being stolen and siphoned off to the hackers," he wrote.

Even nine months after Magento patched the Shoplift Bug, a rash of new infections was detected that delivered the Neutrino exploit kit. In those instances, compromised Magento sites pulled content from a malicious domain that tried to deliver malware to victims using Neutrino.

The vulnerable Magento versions are CE prior to and EE prior to

Sinegubko recommended that Magento admins ensure they're using the latest version, change passwords, investigate admin accounts and monitor the integrity of Magento's files.

An earlier version of this story misidentified Magento's owner in the fourth paragraph.