Hackers Go on a Magento Attack Spree Using a Helpdesk Extension

Author Photo
Dec 28, 2017
11Shares
Submit

Cybercriminals are targeting Magento sites running Mirasvit Helpdesk – a popular helpdesk extension. The extension enables site owners to add a “Chat with us” widget on their Magento shops. Mirasvit was vulnerable to security flaws that affect every version of the extension up until version 1.5.2. Security firm WebShield had first published details about these security bugs back in September. While the developers had delivered a prompt fix and released version 1.5.3 in the same month, it appears websites are still using the vulnerable versions.

In a latest report, security researcher Willem de Groot has revealed that hackers are exploiting both these vulnerabilities with a goal to steal payment card data from the affected stores.

kasperskyRelated Kaspersky Announces Stopping All Work with European Cybercrime Initiatives In Response to Potential EU Ban

“This attack is particularly sophisticated, as it is able to bypass many security measures that a merchant might have taken. For example, IP restriction on the backend, strong passwords, 2-Factor-Authentication and using a VPN tunnel will not block this attack.”

The first vulnerability was a cross-site scripting issue (CVE-2017-14321), while the second one enables attackers to upload files to the underlying Magento servers (CVE-2017-14320). Researcher said that attackers can insert additional malicious code in the store’s footer section that would execute on all of the store’s pages, with an intention to collect payment card data from the store’s checkout process.

Attackers first send messages through the Mirasvit Helpdesk widget that included the malicious code carrying the XSS payload and a message for the service representatives. This message would store in the Magento database, however, when the support staff would check it, it would appear as a benign text, something like:

Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – knockers@yahoo.com

While the malicious code wasn’t visible, as soon as it’s viewed, the payload is executed which then starts stealing payment card data.

Mirasvit had fixed the issue back in September. However, the company published another blog post earlier today warning its users of the ongoing attacking spree. The company has advised users to update Helpdesk MX for Magento 1. “If you have an older version please login to your account in our store, download the latest one and update the extension,” the company wrote. “We are notifying all our customers who may have affected version of extension and asking them to upgrade urgently.” The security researcher recommended store owners to “add a CSP header to disallow foreign Javascript execution altogether.”

Submit