Malware Infects Over 2800 Shops Running Outdated Magento 1


Hackers targeted at least 2,806 online storefronts running Magento 1.x, an ecommerce platform, which continued to run until last June.

In the attack, called Cardbleed, the perpetrators leverage a feature called "Magento Connect" to download and install the malware, "mysql.php", which is automatically removed after the skimmer code is added to "prototype.js".

The skimmer is JavaScript code inserted into the ecommerce website, mostly on payment pages, to capture customers' payment information and send the details to a remote server controlled by the attackers, who later sell them on carding forums.
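
A defender-side integrity check for the behaviour described above, added here as an example and not taken from Sansec or the original article: because "mysql.php" removes itself, the lasting trace is the changed "prototype.js", so the script compares every prototype.js under a web root with the hash of a known-clean copy and also reports any leftover mysql.php. The function names, directory layout and file contents in the demo are constructed assumptions.

```python
import hashlib
import os
import tempfile

WATCHED = "prototype.js"  # file the article says receives the skimmer code
DROPPER = "mysql.php"     # file the article says is installed, then removed

def sha256_file(path):
    """Hash a file in chunks so large assets do not load into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def audit_webroot(webroot, baseline_sha256):
    """Return sorted (finding, relative_path) pairs that need manual review."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if name == DROPPER:
                # Usually already gone; a hit is a lead to review, not a verdict.
                findings.append(("dropper-present", rel))
            elif name == WATCHED and sha256_file(full) != baseline_sha256:
                findings.append(("modified", rel))
    return sorted(findings)

def demo():
    """Build a constructed two-shop tree and audit it."""
    clean = b"var Prototype = {};\n"  # constructed stand-in for a clean file
    tampered = clean + b"/* constructed appended code */\n"
    baseline = hashlib.sha256(clean).hexdigest()
    samples = {
        ("shop_a", "js", WATCHED): clean,
        ("shop_b", "js", WATCHED): tampered,
        ("shop_b", DROPPER): b"",
    }
    with tempfile.TemporaryDirectory() as root:
        for parts, data in samples.items():
            target = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as handle:
                handle.write(data)
        return audit_webroot(root, baseline)

if __name__ == "__main__":
    for finding, path in demo():
        print(finding, path)
```

In practice the baseline hash should come from a copy of the file taken from a trusted release archive or a backup that predates the incident, not from the live server.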

Carding forums are mostly located on the dark web, where cyber criminals sell payment information obtained by ATM skimming, phishing, hacking into payment providers and, recently, this kind of attack.


Magento 1 Exploit For Sale

The exploit is for sale for 5000 US dollars on a hacking forum; the sale includes an instruction video and the exploit method. The attacker also said that all of Magento 1.x is vulnerable to the exploit.

Remote code execution is the ability an attacker has to access someone else's computing device and make changes, no matter where the device is geographically located.

Credits to Sansec

In late October, Mage One released a patch to mitigate the exploited vulnerability.