Threat actors are exploiting a critical vulnerability in Magento to inject a persistent backdoor into e-commerce websites.
The exploit targets CVE-2024-20720 (CVSS score: 9.1), which Adobe describes as a case of “improper neutralization of special elements” that allows arbitrary code execution.
Adobe addressed this vulnerability through security updates released on February 13, 2024.
Sansec discovered a “cleverly crafted layout template in the database” being used to automatically inject malicious code and execute arbitrary commands.
The exploit combines the Magento layout parser with the beberlei/assert package to run system commands, according to Sansec.
When
In a related development, the Russian government has charged six individuals for using skimmer malware to steal credit card information since late 2017.
The suspects are Denis Priymachenko, Alexander Aseyev, Alexander Basov, Dmitry Kolpakov, Vladislav Patyuk, and Anton Tolmachev. Recorded Future News reported these arrests, citing court documents.
According to the Prosecutor General’s Office of the Russian Federation, the hacker group illegally obtained the payment card information of almost 160 thousand foreign citizens and sold it through shadow internet sites.