
My TechDecisions


Sansec Finds Mass Breach Of Stores Running On Magento 1 E-Commerce Platform

Magento 1 e-commerce users are urged to upgrade to the latest Adobe Commerce platform after Sansec discovered a mass breach of over 500 stores.

February 11, 2022 TD Staff


Adobe is urging organizations that use the Magento 1 e-commerce platform to upgrade to the latest Adobe Commerce platform. Sansec, an e-commerce malware and detection tool, has identified a mass breach of over 500 stores running on the Magento 1 e-commerce platform.

Although Adobe ended support for Magento 1 in June of 2020, many companies are still using it.

Attackers used a combination of SQL injection (SQLi) and PHP Object Injection (POI) to gain control of the Magento store.

According to Sansec, a leak in the Quickview plugin allowed attackers to run code directly on the server. Attackers abused the customer_eav_attribute

The added validation rule is a result of UNHEX:

[Image: Sansec UNHEX Magento Flaw]

This POI payload is used to trick the host application into crafting a malicious object. In this case Zend_Memory_Manager and Zend_CodeGenerator_Php_File are used to create a file called api_1.php with a simple backdoor eval($_POST['z']).

Adding the malicious code to the database does not do anything, according to Sansec. However, the cleverness of the attack lies in its use of the validation rules for new customers: the attacker can trigger an unserialize by using the Magento sign-up page, as illustrated by this request:

45.72.31.112    2022-01-28T15:12:02Z "GET /customer/account/create/ HTTP/1.1"

45.72.31.112    2022-01-28T15:12:08Z "GET /api_1.php HTTP/1.1"

Attackers can now run any PHP code via the api_1.php backdoor.
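Detection logic for the request pair shown above, as an added example that is not code from Sansec or from this article: it flags any client that requests the sign-up page and then, shortly afterwards, a PHP file in the web root that is not a known entry point. The function names, the 60-second window, the allowlist of root PHP files and the extra sample line (documentation-range IP) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: PHP entry points that legitimately sit in this store's web root.
KNOWN_ROOT_PHP = {"/index.php", "/api.php", "/cron.php", "/get.php", "/install.php"}
SIGNUP_PATH = "/customer/account/create/"
WINDOW = timedelta(seconds=60)  # assumed correlation window

# Layout of the excerpt in the article: IP, UTC timestamp, quoted request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+'
    r'["“](?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+["”]'
)
ROOT_PHP_RE = re.compile(r"^/[^/]+\.php$")  # a .php file directly in the web root


def parse(line):
    """Return (ip, timestamp, path without query string) or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m["path"].split("?", 1)[0]
    return m["ip"], datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), path


def find_signup_then_unknown_php(lines):
    """Return (ip, signup_time, php_path, php_time) for each suspicious pair."""
    last_signup = {}  # ip -> time of that client's most recent sign-up page request
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path = rec
        if path == SIGNUP_PATH:
            last_signup[ip] = ts
        elif ROOT_PHP_RE.match(path) and path not in KNOWN_ROOT_PHP:
            seen = last_signup.get(ip)
            if seen is not None and timedelta(0) <= ts - seen <= WINDOW:
                hits.append((ip, seen, path, ts))
    return hits


# Constructed sample: the two requests quoted in the article plus benign traffic.
SAMPLE_LOG = [
    '203.0.113.7    2022-01-28T15:11:40Z "GET /customer/account/create/ HTTP/1.1"',
    '203.0.113.7    2022-01-28T15:11:45Z "GET /index.php HTTP/1.1"',
    '45.72.31.112    2022-01-28T15:12:02Z "GET /customer/account/create/ HTTP/1.1"',
    '45.72.31.112    2022-01-28T15:12:08Z "GET /api_1.php HTTP/1.1"',
]
```

A hit is a lead for file-system review, not proof of compromise; a request for an unknown root PHP file with no preceding sign-up request is not matched by this correlation and is worth alerting on separately.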

Threat actors are capable of leaving at least 19 backdoors open on the system. IT admins should eliminate all the open backdoors.

Leaving one open means the system will be hit again, warns Sansec.

In a series of tweets, Sansec detailed how hundreds of stores were hit within a single day.

More than 350 ecommerce stores infected with malware in a single day.

Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.

— Sansec (@sansecio) January 25, 2022

For more information on the attack, including indicators of compromise, read Sansec’s research. 
