Many online merchants use Magento, a leading digital commerce platform, to host their online store. Last week, thousands of these merchants found themselves under attack. This massive, automated campaign dubbed “Cardbleed” by Sansec, because of its ability to steal credit card information from online store customers, is the largest of its kind to date.

Using a 0-day exploit that is being sold for a mere $5000 on hacking forums, attackers deployed a weekend attack on websites using Magento 1, injecting a malicious code that intercepts customer payment information. Although Magento 1 was deemed End-of-Life last June, about 95,000 shop owners still use it, which means they are still susceptible to this hack – and their customers’ payment information is at risk. Sansec estimates that tens of thousands of customers had their private data stolen from only one store alone, so we can only imagine how much payment and personal information was stolen out of the almost three thousand stores that were hacked. Web skimming is becoming increasingly popular, with easy-to-purchase exploits being automated for mass campaigns.

If your online store is using Magento 1, we recommend upgrading your Magento version.


The ThreatSTOP team has analyzed this attack and has integrated its indicators of compromise in to our system. If you’re already a ThreatSTOP user, you’re protected against this malware in our TS Originated - Core Threats - IPs and TS Originated - Core Threats - Domains targets.