Multiple Groups Tear Down E-Commerce Websites with TrojanOrder Attacks

About TrojanOrders attacks

• Attackers typically create an account on the targeted online store's website and place an order that contains malicious template code in the name, VAT, or other fields. 
• In one case, they injected a tempered copy of the genuine file (health_check.php) on the site, containing a PHP backdoor that runs commands sent via POST requests.
• After gaining a foothold on the website, they install a RAT or their own backdoor to establish permanent access and then perform other nefarious activities.

A tug-of-war among hackers

• Some attackers scan for the presence of a malicious file upon compromise to determine if another hacker already infected the site and if so, they replace the file with their own backdoor.
• At least seven Magecart groups are working behind these attacks and fighting each other over the control of an infected site.

The motivations behind the attacks

• Although Adobe fixed the exploited vulnerability in February, PoC exploits are available for a long time and researchers claim at least a third of all Magento and Adobe Commerce stores have not been patched so far.
• Another reason behind the TrojanOrders attacks is the availability of several low-cost exploit kits on hacking forums for as low as $2,500 or 0.15 BTC.
• Moreover, as the holiday season is approaching, organizations are occupied in preparations for a shopping spree by consumers, which stands as a huge motivation for attackers to target e-commerce websites.

Security tips