Ecommerce sites targeted by Magento payment system hack

Hackers seen using swap files to persist on an ecommerce website

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A creative technique involving so-called swap files is being used to deploy persistentcredit cardskimmers on compromised Magento ecommerce sites, a new report from cybersecurity researchers Sucuri has warned.

“When files are edited directly via SSH the server will create a temporary ‘swap’ version in case the editor crashes, which prevents the entire contents from being lost,” the researchers explained.

“It became evident that the attackers were leveraging a swap file to keep themalwarepresent on the server and evade normal methods of detection.”

Swap files and fake Amazon domains

In order to create the temporary swap version, the attacker first needs access to the Magento site. For this particular instance, it wasn’t known how the threat actors gained access, but it’s safe to assume it was either done via phishing, or through brute-force or credential stuffing attacks.

Furthermore, using swap files was just one of many ways the attackers ensured persistence on the site, the researchers further explained. The data stolen with the skimmer was being sent to a domain named “amazon-analytic[.]com,” registered in February 2024.

“Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection,” the researchers explained. They added that the same domain was seen in other credit card theft attacks, as well.

As a result, the skimmer survived “multiple cleanup attempts,” and was exfiltrating sensitive data such as people’s names, addresses, credit card numbers, and other data needed to use the cards elsewhere.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The name of the compromised website is unknown. We also don’t know how long it was compromised, or how many people have had their data stolen this way. We also don’t know if the data was already used anywhere, either to make fraudulent purchases, or sold on the dark web. Some criminals use stolen credit card data to purchase malicious ad campaigns, which are often seen onGoogle, Facebook, LinkedIn, and other popular sites.

ViaThe Hacker News

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Washington state court systems taken offline following cyberattack

Is it still worth using Proton VPN Free?

Target kicks off its Black Friday sale with deals on TVs, toys, iPads, air fryers and more