Nexcess recently released a report of a Recent Exploit using Fake Magento Extensions was able to skim credit card information from affected Magento websites. While it seems that some of the stores were breached by correctly guessing simple admin usernames and passwords, others seemed to be the result of site administrators installing Magento Extensions that included backdoors that gave the hackers remote access to the website. Once the backdoor was installed, the hackers went on to modify core Magento files, ensuring that when a credit card order was placed, the credit card information would be saved to a text file that was hidden with an image file name extension .jpg, .gif, .bmp and saved in the /media directory, allowing the hackers, and anyone else on the internet to download the credit card information.

There may be many variations of these affected Magento Extensions in the wild, not just the ones mentioned here. Also, before you install any Magento Extension on your website that processes credit card transactions, you should perform a code review on the extension and be on the lookout for any suspicious code changes. Be aware that a quality Magento Extension will never directly modify core Magento files, but will instead override the classes within the extension’s own directory.

The Magento Extention names that are known to be affected include:

  1. Unigry GiftCert

  2. RetailTower Feed_Manager

  3. Unirgy Instaler

Note: Even though Unigry and RetailTower’s names are used on these extensions, they have nothing to do with the exploit. Their names are simply being used as a way to hide malicious code in a real extension’s name.