
Magento XSS Attacks: Helpdesk Widget Used to Target E-Commerce Shops

Hackers are abusing a helpdesk widget to launch cross-site scripting (XSS) attacks that take over the backend of Magento e-commerce websites and infect them with card-stealing malware, according to Dutch cybersecurity researcher Willem de Groot.

Hungarian security firm WebShield originally released details about the Mirasvit Helpdesk flaw in September. However, the XSS attacks represent the first time that the vulnerability has been exploited in the wild, de Groot noted.

The XSS attacks exploit Mirasvit Helpdesk, an extension that lets Magento shops show a "Chat with us" widget to customers, according to de Groot. The attacker submits what looks like an ordinary support message, de Groot stated; because the injected script runs inside the helpdesk agent's already-authenticated browser session, it sidesteps two-factor authentication, strong passwords and other merchant login controls, which only protect the act of logging in.

Helpdesk Malware Attacks: How They Happen

When a helpdesk agent opens the booby-trapped ticket in Mirasvit Helpdesk, the malicious code embedded in it runs silently in the agent's browser, de Groot said. Using the agent's backend session, the code then inserts malware into the footer of the Magento template, so it is loaded by every store visitor. That malware intercepts payment data as a customer types it into the payment form and sends it to a server the attackers control.

To combat the XSS attacks, Magento sites should install the latest version of Mirasvit Helpdesk, de Groot recommended. Merchants should also monitor their stores for unexpected changes to head and footer template insertions, de Groot noted, and add a Content-Security-Policy (CSP) header so that browsers refuse to execute JavaScript from origins the merchant has not approved.
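The two monitoring and hardening steps described above, written out as an added Python example (this is not code from de Groot, Mirasvit or the Magento project). It assumes the head and footer insertions are stored as HTML strings, as Magento 1 keeps them in `core_config_data` under `design/head/includes` and `design/footer/absolute_footer`; the template values, the store host `shop.example`, the approved CDN `cdn.example` and the foreign host `static.attacker-cdn.example` are all constructed placeholders. The audit compares current values against a saved baseline and flags any script that runs inline or loads from a host outside an allowlist; the second half builds a CSP header and checks which of the discovered scripts it would let run.

```python
"""Audit Magento head/footer template insertions against a known-good baseline
and build a Content-Security-Policy that refuses foreign or inline JavaScript.
Added example with constructed sample data; not the page's or Magento's code.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample: hostnames are placeholders under the reserved .example TLD.
STORE_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {STORE_HOST, "cdn.example"}

# Assumed storage layout: Magento 1 config paths mapped to their HTML values.
BASELINE = {
    "design/head/includes":
        '<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css">',
    "design/footer/absolute_footer":
        '<script src="https://cdn.example/analytics.js"></script>',
}

# The same store after a footer insertion the merchant never made.
TAMPERED = dict(BASELINE)
TAMPERED["design/footer/absolute_footer"] += (
    '<script type="text/javascript" src="https://static.attacker-cdn.example/m.js"></script>'
)

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def fingerprint(html):
    """SHA-256 of a template value, the form in which a baseline is stored."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def find_scripts(html):
    """One dict per <script> element: host of its src (None when inline) and body."""
    scripts = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        host = urlparse(m.group(1)).hostname if m else None
        scripts.append({"host": host, "inline": m is None, "body": body.strip()})
    return scripts


def audit_templates(baseline, current, allowed_hosts):
    """Report template values that differ from the baseline, load scripts from a
    host outside allowed_hosts, or carry inline JavaScript.
    Returns a list of (config_path, message) findings; empty means clean."""
    findings = []
    for path, html in current.items():
        if fingerprint(html) != fingerprint(baseline.get(path, "")):
            findings.append((path, "value differs from baseline"))
        for s in find_scripts(html):
            if s["inline"]:
                findings.append((path, "inline <script> present"))
            elif s["host"] not in allowed_hosts:
                findings.append((path, f"script loaded from foreign host {s['host']}"))
    return findings


def build_csp(allowed_hosts, store_host):
    """CSP that permits scripts only from the store and the listed hosts, forbids
    inline script, and confines XHR/fetch and form posts to the store itself so a
    skimmer that did get in has nowhere to send captured card data."""
    externals = sorted(f"https://{h}" for h in allowed_hosts if h != store_host)
    script_src = " ".join(["'self'"] + externals)
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "connect-src 'self'; "
        "form-action 'self'; "
        "object-src 'none'; "
        "base-uri 'self'"
    )


def csp_allows_script(csp, script, store_host):
    """Would this <script> run under the policy's script-src?  Handles 'self',
    'unsafe-inline' and https://host sources; nonces and hashes are out of scope."""
    directives = {}
    for raw in csp.split(";"):
        parts = raw.strip().split(" ", 1)
        if parts[0]:
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    tokens = directives.get("script-src", directives.get("default-src", "")).split()
    if script["inline"]:
        return "'unsafe-inline'" in tokens
    if "'self'" in tokens and script["host"] == store_host:
        return True
    return f"https://{script['host']}" in tokens


if __name__ == "__main__":
    for path, msg in audit_templates(BASELINE, TAMPERED, ALLOWED_SCRIPT_HOSTS):
        print(f"[!] {path}: {msg}")
    policy = build_csp(ALLOWED_SCRIPT_HOSTS, STORE_HOST)
    print("Content-Security-Policy:", policy)
    for s in find_scripts(TAMPERED["design/footer/absolute_footer"]):
        print(s["host"] or "(inline)", "->", "allowed" if csp_allows_script(policy, s, STORE_HOST) else "blocked")
```

Run the audit on a schedule against the live configuration and alert on any finding; the baseline hash should be refreshed only through a deliberate change process. The CSP shown here deliberately omits `'unsafe-inline'`, which is what makes an injected inline payload fail, but many Magento themes rely on inline scripts, so deploy it first as `Content-Security-Policy-Report-Only` and whitelist or nonce the legitimate inline blocks before enforcing it.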

Magento is an open-source e-commerce platform that was launched in March 2008. It handles over $100 billion in gross merchandise volume annually, the company indicated.

Hackers Increasingly Target E-Commerce Platforms

Expect cybercriminals to continue to target Magento and other e-commerce platforms in the foreseeable future, according to a study of 2 million security incidents across roughly 3,800 cloud, on-premises and hybrid cloud users conducted by security-as-a-service (SECaaS) company Alert Logic.

The Alert Logic "2017 Cloud Security Report" indicated cyberattacks targeting Joomla accounted for 25 percent of total web application attacks. Also, WordPress attacks accounted for 10 percent of web app attacks, and Magento attacks accounted for 7 percent of these incidents.

Vulnerabilities in ubiquitous third-party web app components, insecure coding practices and increases in exploit automation make content management systems and e-commerce platforms "rich hunting grounds" for hackers, Alert Logic said in a prepared statement. As such, organizations must understand the weakest spots in their network defenses to address such issues, Alert Logic stated.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.