Clearsale Blog | Insights on Ecommerce and fraud

What You Need to Know About the MagentoCore Card Skimmer

Written by Sarah Elizabeth | Feb 8, 2019

In the six months ending September 2018, the MagentoCore card skimmer malware has infected more than 7,000 e-commerce sites, with an estimated 50-60 sites still being hijacked daily. And it’s not just big sites that are at risk, either. The malware targets online business of all sizes.

Because this malware is considered to be one of the most effective credit card threats in the e-commerce marketplace today, every online merchant should know how this threat works and how they can protect themselves.

The fact that even small sites are targets is part of what makes this malware so deadly. Sure, it makes sense for fraudsters to hit the multimillion-dollar corporations hard and walk away with high-value wins.  But small online retailers are also at risk right now, and they might even end up with proportionally bigger losses.

This is because these smaller retailers often inaccurately believe they’re too small to be targets and therefore fraudsters won’t waste the time and effort on them. Unfortunately, that’s precisely what makes these small businesses targets: Fraudsters know they have fewer resources to dedicate to hiring robust fraud prevention teams and implementing the latest security features.

How the MagentoCore Card Skimmer Affects Merchants

The attack starts when a cybercriminal gains access to the content management system (CMS) an e-commerce merchant is running on their website. Attackers can also gain access through another computer that’s already infected.

The fraudster then hides the malicious MagentoCore.net JavaScript code in several places within the HTML template, such as the default HTML headers and footers or hidden JavaScript files.

Once the code is inserted and launched, it tests millions of common and default passwords on customers’ accounts, looking to find ones that work. These cybercriminals are patient -- willing to wait months until they hit that right combination and can access a customer’s sensitive personal data.

The cybercriminals can also access this personal information by using the script to record customer keystrokes and payment card data for customers and upload it to the MagentoCore.net server.

In either case, the hackers monetize the stolen card data, selling it on the dark web for up to $30 per card.

How Merchants Can Protect Themselves Against MagentoCore Malware

While the primary targets are currently Magento-run e-commerce stores, the threat may also extend to WooCommerce retailers. And other platforms could be at risk, too.

So while the risk is widespread and ongoing, it doesn’t mean merchants can’t protect themselves.

All merchants – but especially those using either Magento or WooCommerce -- should regularly audit their CMS and check for maliciously inserted code in headers, footers and database fields. However, even if the fraudulent code is detected and removed, that doesn’t mean everything is fine.

Cybercriminals often insert backdoors into infected systems. To safeguard against this, all online retailers should maintain a certified safe copy of their codebase. Once an infection is detected and eliminated, the merchant can then revert back to this previous copy that does not have the backdoor. Merchants should also ensure they’re staying up-to-date on all security patches. They should also run a reputable malware scanner and regularly scan their sites for vulnerabilities and malware.

Partnering with ClearSale, the global leader in e-commerce fraud protection solutions, can help. Our unique combination of machine learning technology and specialized human analysis prevents fraudulent purchases from being accepted. Our solution easily integrates directly with your WooCommerce and Magento stores.

Not sure if our card-not-present (CNP) fraud protection solution is right for you? Read our guide for evaluating CNP solutions and learn why more than 3,000 clients worldwide trust us to deliver a safe, secure buying experience.