Old Magento Plugin Vulnerability Being Exploited

According to information released by ZDNet, a three-year-old Magento plugin vulnerability is being exploited to record and steal payment card details. To carry out these e-skimming attacks, hackers exploit CVE-2017-7391, a cross-site scripting (XSS) bug in the Magento Mass Import (MAGMI) plugin. After gaining access to the target site, the actors tamper with the site's PHP and JavaScript so that their malicious code can be inserted and begin stealing payment details. Once details have been collected, they are converted to Base64 format, stored in JPEG files, and sent to the hacker's server.
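As an added illustration (not code from the ZDNet report or from Binary Defense), a defender-side check for the storage trick described above: it looks for data appended to a JPEG after the End-Of-Image marker, Base64-decodes it, and reports any Luhn-valid card numbers it finds. That the skimmer appends its blob after the EOI marker is an assumption, and the sample images are constructed.

```python
import base64
import binascii
import re
from typing import Optional

# Assumption (not stated in the article): the skimmer appends its Base64
# blob after the JPEG End-Of-Image marker (FF D9), so the image still renders.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, to separate real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Return whatever follows the last EOI marker, or None if nothing does."""
    if not data.startswith(JPEG_SOI):
        return None
    idx = data.rfind(JPEG_EOI)
    if idx == -1:
        return None
    tail = b"".join(data[idx + 2:].split())   # drop any whitespace padding
    return tail or None


def scan_jpeg(data: bytes) -> dict:
    """Flag a JPEG whose trailing bytes Base64-decode to card-like data."""
    result = {"trailing_bytes": 0, "base64": False, "pans": []}
    tail = trailing_bytes(data)
    if tail is None:
        return result
    result["trailing_bytes"] = len(tail)
    if not B64_RE.match(tail):
        return result
    try:
        decoded = base64.b64decode(tail, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return result
    result["base64"] = True
    result["pans"] = [m for m in PAN_RE.findall(decoded) if luhn_ok(m)]
    return result


# Constructed samples: a minimal JPEG skeleton, clean and with a skimmer blob.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + JPEG_EOI
SKIMMED_JPEG = CLEAN_JPEG + base64.b64encode(b'{"cc":"4111111111111111","exp":"12/24"}')
```

In production this check would run over every image in the store's web root and media upload directories, alerting on any file with a decodable trailing blob.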

Analyst Notes

The ZDNet article cited information about threat actor infrastructure allegedly obtained from an FBI alert that was not authorized for public release. Binary Defense will not repeat that information, but we advise all operators of the Magento Mass Import plugin to update immediately. The vulnerable version of the MAGMI plugin only works on Magento stores running the 1.X branch, which is set to reach End-Of-Life (EOL) on June 30th, 2020. If possible, store owners should upgrade to version 2.X, which will still receive updates. Upgrading MAGMI to version 0.7.23 will also fix the XSS vulnerability that gives attackers access to the store in the first place.