Idiot e-tailers falling for fake patch that exploits year-old Magento hole

Malware researcher Denis Sinegubko says attackers are compromising and stealing credit cards from online shops that run on eBay's Magento platform by masquerading as an applied patch for a nasty bug in a bid to hide from admins. The dangerous "shoplift" bug patched last year is a remote code execution hole that turns hackers …

  1. Anonymous Coward

    Neat

    I like this part: "The malware will harvest customer credentials and credit cards using different components, encrypting the data immediately before it is woven into a realistic-looking jpg."

    I don't quite feel that e-tailers are idiotic here. Social engineering ain't exactly something people are good at detecting even after they've been trained. Repeatedly. Humans are usually inclined by nurture to be cooperative (ignoring nature). I'd say they're being human.
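The quoted sentence about harvested data being "woven into a realistic-looking jpg" suggests a check an operator can run on a Magento media directory: a JPEG ends at its EOI marker (FF D9), and anything appended after it is not image data. Encrypted payloads show up as high-entropy trailing bytes. The Python below is an added example, not code from the article, from Sucuri or from Magento; the sample JPEG and its "exfil" trailer are constructed inline, and the assumption that the stolen data is appended after EOI (rather than hidden some other way) is an assumption of this example, since the page does not describe the exact layout.

```python
import hashlib
import math
import struct
from collections import Counter

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
ENTROPY_THRESHOLD = 6.0  # heuristic: encrypted/compressed data sits near 8 bits/byte


def find_eoi_end(data: bytes) -> int:
    """Return the offset just past the EOI marker, walking JPEG segments properly.

    Walking segments (rather than searching for the last FF D9) avoids being fooled
    by a trailer that itself contains FF D9 bytes.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:            # SOS: entropy-coded data follows
            # Inside scan data, FF is only ever followed by 00 (stuffing),
            # D0-D7 (restart) or FF (fill); anything else is a real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt != 0xFF and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found (truncated file)")


def trailing_data_after_eoi(data: bytes) -> bytes:
    """Bytes that follow the image proper; empty for a clean file."""
    return data[find_eoi_end(data):]


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte of the buffer (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def inspect_jpeg(data: bytes) -> dict:
    """Summarise trailing data; any trailer on a file served as an image merits a look."""
    trailer = trailing_data_after_eoi(data)
    ent = shannon_entropy(trailer)
    return {
        "trailing_bytes": len(trailer),
        "entropy": ent,
        "suspicious": len(trailer) > 0,
        "looks_encrypted": len(trailer) > 0 and ent > ENTROPY_THRESHOLD,
    }


def _build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG-shaped byte string (not a decodable picture)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"   # includes stuffed FF00 and an RST0
    return SOI + app0 + sos + scan + EOI


# Constructed samples: a clean image and one with a 1024-byte pseudo-encrypted trailer
# (deterministic SHA-256 chain standing in for ciphertext, so the example is reproducible).
SAMPLE_CLEAN = _build_sample_jpeg()
SAMPLE_TRAILER = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
SAMPLE_STUFFED = SAMPLE_CLEAN + SAMPLE_TRAILER


if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("stuffed", SAMPLE_STUFFED)):
        print(name, inspect_jpeg(blob))
```

Run it over every `.jpg` under `media/` and triage files with a non-zero trailer; a high entropy value on the trailer is consistent with the encrypted harvest the article describes, while a low one (plain text) is still worth opening.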

    1. Roq D. Kasba

      Re: Neat

      Inclined to agree with human comment, after all this is why society works and what used car salesmen are trained to abuse.

      Should've patched from the sources etc., but in a world where people click on a line drawing 'get a flatter x or bigger y with one weird tip' adverts, we know people are gullible.

      The internet used to be like the Wild West, real frontier land, now it's like Vegas.

      1. Rich 11 Silver badge

        Re: Neat

        now it's like Vegas.

        Run by the Mob?

        1. Roq D. Kasba

          Re: Neat

          Gaudy advertising, run by big business on protectionist land-grab models, pleading that the rest of the nation's laws do not apply, surveillance and tracking...

        2. allthecoolshortnamesweretaken

          Re: Neat

          Run by the Mob? You wish. Worse. Much worse. Marketing.

  2. gollux

    Sucuri blog post here on the topic. Ouch

    https://blog.sucuri.net/2016/02/fake-supee-5344-patch-steals-payment-details.html

    @author Magento Core Team <core@magentocommerce.com>

  3. Ru'

    So they offer a patch to infect systems, where the "admins" haven't patched in 12 months? Surely their chance of success is pretty low... (although I guess it doesn't need many hits to be worth doing)

  4. KingStephen

    The most annoying thing about this sort of stuff...

    ..... is that the researchers and the journalists rarely give any info that will be useful to me, to help me avoid having my cc details stolen.

    OK, so there are lots of sites that are vulnerable - how can I tell when I'm shopping online if that applies to the one I'm currently looking at?

    Without that information, this article is useless to me.

    1. Bumpy Cat

      Re: The most annoying thing about this sort of stuff...

      It's hard to usefully give that info. Magento is very popular, so there are tens of thousands of sites that use it. As a result it's not practical to give a list of affected sites, not to mention the possibility of legal threats or action if someone publishes a list of vulnerable sites.

      The usage of Magento is detailed here (linked from the report):

      http://w3techs.com/technologies/details/cm-magento/all/all

      It's also hard for an individual user to determine whether a given site is vulnerable - the w3 analysis site uses a lot of aggregate data:

      http://w3techs.com/faq

    2. coldr3x

      Re: The most annoying thing about this sort of stuff...

      Only websites that prefer to take card details on their page or via iframe, instead of redirecting customers to payment vendor secure page are affected by this hack. And in those scenarios they should be compliant with PCI-DSS. Unless hackers would send you to a fake payment processing page, like pay.poopal.com.

      So watch the URL and use credit card instead of debit for online purchases, as banks resolve fraud issues quicker with money that belongs to them.

  5. TeeCee Gold badge
    Facepalm

    A year old loophole?

    Presumably if they haven't bothered to patch that, they're also vulnerable to this.

    Swiss cheese security.....

    1. Anonymous Coward

      Re: A year old loophole?

      Umm, there's always 2% that don't get the word?

      I actually think Roq nailed it with the Las Vegas analogy. Many (Hell, almost all) of the scams pulled on those "poor casinos" have direct counterparts in our world.
