- Religious conservatives petition Netflix to pull ‘gay Jesus’ Christmas comedy Thursday 7:19 PM
- Kylie Jenner criticized for yet another expensive car post Thursday 5:57 PM
- Apex Legends became a major Pornhub search in 2019 Thursday 5:15 PM
- CBS accidentally interviewed InfoWars host as regular Trump supporter Thursday 4:31 PM
- TLC accused of fatphobia, fetishization with show about ‘mixed-weight’ couples Thursday 3:41 PM
- Betting odds show KSI could fight FaZe Sensei, Jake Paul, or Justin Bieber next Thursday 3:20 PM
- Nick Cannon releases another thirsty Eminem diss track Thursday 2:59 PM
- Dogs at polling stations are helping bark out the vote in the U.K. Thursday 1:00 PM
- Streamers dominated Pornhub searches in 2019 Thursday 12:59 PM
- Pro and anti-boot factions emerge in wake of ‘Wonder Woman 1984’ trailer Thursday 12:31 PM
- The ‘Rise of Skywalker’ press tour has turned into a rehash of ‘The Last Jedi’ Thursday 12:18 PM
- What’s in a TikTok username? Thursday 12:00 PM
- All four of 2020’s Marvel/DC movies are directed by women Thursday 11:57 AM
- Jeremy Corbyn Rickrolls everyone ahead of British election Thursday 10:18 AM
- Trisha Paytas denies accidentally exposing herself on TikTok Thursday 10:04 AM
Magento, an eBay-owed e-commerce system, suffers from zero-day exploit
That collectible coin purse could be full of monsters
Magento is designed for e-commerce purchases and is used by over 200,000 users, many of whom are on eBay, which owns the company.
According to a post on The Hacker News, the authors likely behind the attack are apparently injecting malicious code into the Magento core file or into one of the widely used modules or extensions in order to capture payment data.
This isn’t the first time a vulnerability has made Magento unsafe. In April, a remote code execution flaw gave hackers a way in. The company issued a patch (SUPEE-5344), but the hackers are still at it, creating fake admin accounts to capture users’ data and actively seek those users who have not installed the patch.
Another campaign used “malvertising” to secure the card info of less-than-careful customers.
Now, Sucuri Security’s lead malware researcher, Peter Gramantik, has found “an attack script that pilfers the content of every POST request and identifies valuable payment card data before storing it in an encrypted form that only the attacker can decrypt,” he wrote in a blog post.
Gramantik warned that it is a stealth move and “in the worst cases it won’t become apparent until (the fraudulent charges) appear on your bank statements.”
The stolen information is captured in a fake image file which, if opened by anyone but the thieves, will look like nothing more sinister than a broken image.
Correction: An earlier version of this article misidentified the nature of Magento’s system.
Illustration by Jason Reed
Curt Hopkins has over two decades of experience as a journalist, editorial strategist, and social media manager. His work has been published by Ars Technica, Reuters, Los Angeles Times, and San Francisco Chronicle. He is the also founding director of the Committee to Protect Bloggers, the first organization devoted to global free speech rights for bloggers