MagentoCore Card Skimmer already Infected 7,339+ eCommerce Stores

Sorin Despot

by Sorin Despot

Cybersecurity researcher Willem de Groot has recently uncovered a massive hacking campaign aimed at Magento stores. The threat possibly extends to WooCommerce stores as well.

As I will do my best to show by the end of this article, the main vulnerability exploited by the hackers is the fact that the targeted websites host their own payment pages. iFrame solutions and payment pages that are directly hosted by the payment service provider (PSP) are not affected by this sort of hacking campaign.

Stay Safe with Twispay

The hackers have already infected 7,339 Magento stores in the last six months with a skimmer script, dubbed MagentoCore. It is designed to siphon payment-card data from unsuspecting users who purchased on the infected websites.


"A single group is responsible for inserting skimmers on 7339 individual stores in the last six months. The MagentoCore skimmer is now the most successful to date," de Groot wrote in his blog post.

According to de Groot, "Online skimming – your identity and card are stolen while you shop – has been around for a few years, but no campaign has been so prolific as the skimmer."

The hacking campaign is global and ongoing, and De Groot aproximates that new stores are being hijacked at the alarming pace of 50 to 60 stores per day.

Who Is Getting Infected?

"Their collection server is registered in Moscow, but I couldn’t say anything about their location or nationality, unfortunately," de Groot told ThreatPost late last week.

Furthermore, the MagentoCore script appears to be quite persistent, with average recovery times of "a few weeks. [...] The victim list contains multimillion dollar, publicly traded companies, which suggests the malware operators make a handsome profit."


However, the real victims are eventually the customers, who have their cards and identities stolen.

The Magecart actors are, according to de Groot, the greatest suspects, especially since they pulled off the Ticketmaster heist earlier in the year. "In the last 6 months, the group has turned 7339 individual stores into zombie money machines, to the benefit of their illustrious masters," de Groot eloquently stated.

How Do They Do It?

Magecart hackers are apparently targeting online stores running WooCommerce from WordPress and Magento software, and "the attack vector is, in almost all recent cases, brute-forcing the administrator password."

The hackers are showing incredible patience, automatically trying millions of common passwords until they find the one that works, often over the course of a few months. They lurk in the dark, feeling the walls for that light switch.


The attackers also try to gain unauthorized access from a staff computer that has been previously infected with malware, or by hijacking an authorized session using a vulnerability in the content management system (CMS). They are pretty crafty in finding a breech or a vulnerability, and they will surely exploit it to get access to the back office.

"Once they succeed, an embedded piece of Javascript is added to the HTML template. This script records keystrokes from unsuspecting customers and sends everything in real-time to the server, registered in Moscow," de Groot explained.

"The malware includes a recovery mechanism as well. In case of the Magento software, it adds a backdoor to cron.php. That will periodically download malicious code, and, after running, delete itself, so no traces are left," de Groot concluded.

What to Do?

Willem de Groot, as well as other cybersecurity experts that have been studying the issue agree on the necessary course of action, which is encompassed, basically, by the following four steps:

  1. Find out if you were infected. De Groot suggests his own open-source Magento malware scanner, but there are other useful tools out there.

  2. Change all passwords, review access levels and backend access logs. Close off any and every suspicious entry points.

  3. Remove the skimmer, backdoors and other code and revert to a certified copy of the codebase. Malware is hidden in default HTML headers and footers, but also in minimised, static Javascript files, hidden deep within the codebase. 

  4. Implement secure procedures that cover timely patching, strong staff passwords, etc. 

Most importantly, consider this: since the script acts like a keylogger  it tracks the customer's key strokes on the infected website – the obvious solution is hosting the payment page directly on your payment service provider's server, or using an iFrame, which also redirects the user interaction on the PSP's server.

In Conclusion

Your PSP can help you keep all card-holder data completely out of harm's way. As a PCI-DSS Level 1 Payment Service Provider, Twispay will assist you in minimising your security risks when accepting credit card payments.


Our world-class security protocols entail machine-learning algorithms designed to detect threats, and secure procedures ranging from smart scoring to automatic thresholds and blacklisting. We WILL keep you and your clients safe.

Stay Safe with Twispay

Sorin Despot Sorin Despot