Dark Reading on cyber criminals using brute-force password attacks against open source e-commerce system Magento to steal credit card numbers and distribute cryptocurrency mining malware:

He describes the types of compromised websites as ranging from small to midsize organizations that had installed the Magento CMS for e-commerce transactions. Online retail stores appear to have been the mostly heavily affected, followed by healthcare and education websites, Kremez says.

“The actors exploit and monetize their Magento panel accesses in three unique ways depending on [the] sites,” he says.

The favored way is to install JavaScript sniffers on the compromised site for scraping payment card data, which is then later sold on Dark Web stores. If the breached website does not yield payment card data, the attackers resort to uploading cryptocurrency mining tools such as Coinhive.

The third tactic is to use the compromised site to host code — typically a phony Adobe Flash Player update — which, if executed, results in a data-stealing malware tool dubbed AZORult being downloaded on computers belonging to site visitors. AZORult in turn downloads Rarog, a Coinhive cryptocurrency miner on the user’s system.

The attackers have shown a tendency to update the malicious files daily in order to avoid detection by signature-based anti-malware tools, according to Flashpoint.

The Magento sites are initially compromised with a brute-force password attack to gain access to the administrative panel. In many cases it appears the default administrative credentials were never modified, and thus essentially offering free access to the malicious actors.

Overall, this is a fairly sophisticated operation. Not many attack groups have the wherewithal to update their malicious code daily to avoid signature-based detection tools. It takes a fair bit of work to make the changes and deploy them out to the thousand plus compromised Magento sites.