{"id":1250,"date":"2020-09-16T10:49:18","date_gmt":"2020-09-16T10:49:18","guid":{"rendered":"https:\/\/meetanshi.com\/blog\/2020\/09\/16\/magento-1-magecart-attack-september-2020\/"},"modified":"2025-04-16T14:36:57","modified_gmt":"2025-04-16T09:06:57","slug":"magento-1-magecart-attack-september-2020","status":"publish","type":"post","link":"https:\/\/meetanshi.com\/blog\/magento-1-magecart-attack-september-2020\/","title":{"rendered":"Largest-Ever Magecart Campaign &#8211; 2000 Magento Stores Hacked"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Nearly 2000 Magento 1 stores around the globe have been hacked in the largest ever Magecart attack since 2015. The hackers could intercept the payment information of the store customers by injecting malicious code.<\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">According to the&nbsp;<a href=\"https:\/\/sansec.io\/research\/cardbleed\" target=\"_blank\" rel=\"noreferrer noopener\">Sansec research report<\/a>, almost 2000&nbsp;<a href=\"https:\/\/meetanshi.com\/blog\/magento-2-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Magento stores\u2019 security<\/a>&nbsp;has been compromised in the Magecart attack. The highlights of this hack are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1904 distinct Magento stores with a unique keylogger on the checkout page.<\/li>\n\n\n\n<li>10 stores attacked on Friday<\/li>\n\n\n\n<li>1058 stores attacked on Saturday<\/li>\n\n\n\n<li>603 stores attacked on Sunday<\/li>\n\n\n\n<li>233 stores attacked on Monday<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">All of these stores were identified as running Magento 1, for which Adobe ended support on June 30, 2020. 
The company no longer offers security patches, though third parties like\u00a0<a href=\"https:\/\/mage-one.com\/?affiliate=a8827356b15283530692f11853c540d2\" target=\"_blank\" rel=\"noreferrer noopener\">MageOne<\/a>\u00a0offer security patches, giving merchants the time required for the\u00a0<a href=\"https:\/\/meetanshi.com\/magento-2-migration-service.html\" target=\"_blank\" rel=\"noreferrer noopener\">Magento 2 migration<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Largest-Ever Magecart Campaign resulting in 2000 Magento stores hacked!<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This automated campaign compromised the sensitive data of approximately 10,000 customers. The hackers breached the Magento 1 stores and injected malicious code to access the payment card details that customers entered in the checkout form.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The attack uses the \u201cMagento Connect\u201d section of Magento (now the marketplace), also known as the downloader, to inject JavaScript code into the store that loads malware. Magento Connect is the page where you could install extensions in the store.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/twitter.com\/gwillem\" target=\"_blank\" rel=\"noreferrer noopener\">Willem de Groot<\/a>, founder of Sanguine Security (SanSec), identifies this campaign as the largest ever hack since 2015.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The research also says that this campaign may be related to a recent Magento 1 0day (exploit) that was put up for sale a few weeks ago on a hacking forum. A user identified as \u201cz3r0day\u201d announced that he was selling a Magento 1 \u201cremote code execution\u201d exploit method with an instruction video, priced at $5,000. 
He also stated that no admin rights are necessary to inject this code in the JS file!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Has your Magento 1 store\u2019s security been breached?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check if there has been an attack by searching the server log files for access to the downloader directory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A matching request would look like this:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>\/downloader\/index.php?A=connectInstallPackageUpload&amp;maintenance=1&amp;archive_type=0&amp;backup_name=<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, if you have&nbsp;blocked access to the downloader directory in your store or this directory does not exist in your store at all, your store is&nbsp;safe.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In several of the hacked stores, a mysql.php file was found in the root directory. Also, search for files that are not part of the Magento installation and remove them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Do inform your recent customers about this security breach so that they can take the precaution of changing their passwords and prevent any loss.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What can Magento 1 store owners do to avoid such security attacks?<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open the&nbsp;<code>.htaccess<\/code>&nbsp;file that is located in the root folder of your Magento installation. Add the following line at the beginning:<br><code>RedirectMatch 404 ^\/downloader\/.*$<\/code><\/li>\n\n\n\n<li>Remove the complete directory&nbsp;<code>\"downloader\"<\/code>, which is located in your root directory. Or simply rename it.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">To prevent such attacks, you can block access to the downloader folder from all IPs except yours. 
But that\u2019s only prevention, not a guaranteed solution!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The ultimate solution is to\u00a0<a href=\"https:\/\/meetanshi.com\/blog\/select-best-magento-2-migration-agency\/\" target=\"_blank\" rel=\"noreferrer noopener\">select the best Magento 2 migration agency<\/a>\u00a0and migrate your store to Magento 2. It is recommended to\u00a0<a href=\"https:\/\/meetanshi.com\/blog\/reasons-to-hire-certified-magento-developers\/\" target=\"_blank\" rel=\"noreferrer noopener\">hire certified Magento developers<\/a>\u00a0for this task as the store\u2019s security and data are concerned. Avoid any\u00a0<a href=\"https:\/\/meetanshi.com\/blog\/magento-2-migration-mistakes-and-how-to-avoid-them\/\" target=\"_blank\" rel=\"noreferrer noopener\">common Magento migration mistakes<\/a>\u00a0and let the experts handle this task while you can focus on new business strategies and how to make the most out of the latest\u00a0<a href=\"https:\/\/meetanshi.com\/blog\/magento-2-4-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">Magento 2.4.8\u00a0<\/a>version!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, for the time being, while you are planning the migration process, there\u2019s an option to secure your Magento 1 stores.&nbsp;<a href=\"https:\/\/meetanshi.com\/blog\/meetanshi-partners-with-mage-one\/\" target=\"_blank\" rel=\"noreferrer noopener\">Meetanshi has partnered with Mage One<\/a>&nbsp;where our customers can avail themselves of the sustainable bug bounty program, under which they get access to the security patches for the store.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Earlier, payment processors like&nbsp;<a href=\"https:\/\/meetanshi.com\/blog\/visa-paypal-urge-merchants-to-migrate-to-magento-2\/\" target=\"_blank\" rel=\"noreferrer noopener\">Visa and PayPal did request the merchants to migrate to Magento 2<\/a>, as such security hacks were foreseen with the end of life for Magento 1.<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">Better now than never, get the developers to the task and offer a secure shopping platform to the customers!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Security cannot be overlooked as it goes hand in hand with customer experience. And if you fail in it, you are out of business soon.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Therefore, stay secure, stay safe! (Pun intended)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Do share the post far and wide via social media and alert the Magento 1 store owners!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thank you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Nearly 2000 Magento 1 stores around the globe have been hacked in the largest ever Magecart attack since 2015. The hackers could intercept the payment&#8230;<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[34],"tags":[],"class_list":["post-1250","post","type-post","status-publish","format-standard","hentry","category-magento"],"acf":[],"_links":{"self":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1250","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/comments?post=1250"}],"version-history":[{"count":2,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1250\/revisions"}],"predecessor-version":[{"id":12279,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/posts\/1250\/revisions\/12279"}],"wp:attachment":[{"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/media?parent=1250"}],"wp:term":[{"taxonomy":"category
","embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/categories?post=1250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/meetanshi.com\/blog\/wp-json\/wp\/v2\/tags?post=1250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}