15 September 2020

Largest-ever skimming attack hits hundreds of Magento e-commerce sites

Nearly 2,000 online shops running the popular Magento e-commerce platform were hit over the weekend by a Magecart-style cyber attack that experts from Sansec’s Threat Research Team called “the largest documented campaign to date.”

As with any other Magecart campaign, the attackers attempted to plant malicious code on sites that would intercept the payment information of unsuspecting store customers. The researchers said that the majority of compromised sites were running Magento version 1, which reached its EOL (End-Of-Life) on June 30, 2020 and is no longer supported by Adobe.

“The Sansec early breach detection system, which monitors the global e-commerce space for security threats, detected 1904 distinct Magento stores with a unique keylogger (skimmer) on the checkout page. On Friday, 10 stores got infected, then 1058 on Saturday, 603 on Sunday and 233 today,” the researchers wrote in the company’s blog.

The investigation of two compromised servers revealed that the attackers used two IP addresses (92.242.62.210 and 91.121.94.121) to interact with the Magento admin panel and abused the “Magento Connect” feature to download and install various files, including malware called mysql.php. The attackers then made numerous attempts to install improved versions of the skimmer.

“The //mcdnn.net/122002/assets/js/widget.js serves dynamic content, depending on what page it is being included on. Only when referenced from a checkout page, it will serve the malicious, keystroke logging code. The actual payments are being exfiltrated to a Moscow-hosted site at https://imags.pw/502[.]jsp on the same network as the mcdnn.net domain,” according to Sansec.
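The skimmer described above hides in an externally hosted script that is only armed when loaded from the checkout page, so a simple, repeatable control on the defender's side is to inventory every external script host on the checkout page and compare it against a store-specific allowlist and the indicators published in the report. The following script is an added example written for this article; it is not code from Sansec or from the Magento project. The allowlist hosts (shop.example, cdn.shop.example), the third-party analytics host and the sample HTML are constructed for illustration; the known-bad hosts mcdnn.net and imags.pw are the ones named in the report.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts the store legitimately loads scripts from (assumption: a store-specific allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Indicators taken from the Sansec report quoted in the article.
KNOWN_SKIMMER_HOSTS = {"mcdnn.net", "imags.pw"}

# Matches the src attribute of any <script> tag, with single or double quotes.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def script_hosts(html: str) -> List[str]:
    """Return the host of every external <script src=...> on the page, in document order.

    Protocol-relative URLs such as //mcdnn.net/... (the form used by the skimmer)
    are resolved as https so that urlparse yields a hostname.
    """
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def audit_checkout_page(html: str) -> Dict[str, List[str]]:
    """Classify each external script host as known_bad, allowed or unknown.

    A host is known_bad if it equals an indicator or is a subdomain of one;
    unknown hosts are not necessarily malicious but need a human review.
    """
    findings: Dict[str, List[str]] = {"known_bad": [], "unknown": [], "allowed": []}
    for host in script_hosts(html):
        if host in KNOWN_SKIMMER_HOSTS or any(host.endswith("." + bad) for bad in KNOWN_SKIMMER_HOSTS):
            findings["known_bad"].append(host)
        elif host in ALLOWED_SCRIPT_HOSTS:
            findings["allowed"].append(host)
        else:
            findings["unknown"].append(host)
    return findings


# Constructed sample of a checkout page; the injected tag mirrors the path quoted by Sansec.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://cdn.shop.example/js/checkout.js"></script>
<script type="text/javascript" src='//mcdnn.net/122002/assets/js/widget.js'></script>
<script src="https://analytics.thirdparty.example/tag.js"></script>
</head><body>...</body></html>
"""

if __name__ == "__main__":
    for category, hosts in audit_checkout_page(SAMPLE_CHECKOUT_HTML).items():
        print(f"{category}: {hosts}")
```

Because the skimmer only serves its payload when the referrer is the checkout page, the audit should be run against the checkout page's rendered HTML rather than the home page, and any host in the unknown bucket should be reconciled with the store's actual integrations before being added to the allowlist.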

The researchers have not been able to identify how the attackers managed to compromise the sites, but they believe that the hackers could have made use of a recent Magento 1 0day exploit that was put up for sale on an underground forum a few weeks ago. The offer included “a Magento 1 ‘remote code execution’ exploit method,” as well as an instruction video, for $5000. Allegedly, no prior Magento admin account is required. The seller also pointed out that since the Magento 1.x version is End-Of-Life there will be no security patches provided, which “renders this exploit extra damaging to store owners using the legacy platform.”
