Specialists from the Dutch information security company SanSec have discovered that the hacker group Lazarus…
The investigation revealed that the attackers used a long-known vulnerability in the Quickview plugin to inject new administrator users into Magento-based sites, who could then run code with the highest privileges.
The attack was carried out by adding a validation rule to the customer_eav_attribute table. This forced the host application to create a malicious object, which was then used to create a simple backdoor (api_1.php). The researchers note that the use of validation rules is a smart move, since in this case the payload is embedded on the registration page.
In addition to injecting a web skimmer into sites, hackers could also use the api_1.php backdoor to execute commands, which could lead to a complete compromise of the resource. However, it seems that MageCart attacks are more beneficial for attackers, so this campaign was completely focused on them.
The researchers say that in some cases, hackers have implemented up to 19 backdoors per platform. Probably, the attackers were experimenting, trying to figure out what would work best for their purposes.
Let me remind you that we also wrote that Attackers inbuilt script Magecart to collect bulling information on Forbes subscription website, and also that IS experts discovered a connection between North Korean hackers and MageCart attacks.
Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…
Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…
Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…
Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…
News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…
Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…