by | 28 Oct 2015

Exploit Kit: massive wave of attacks hit Magento shops

According to G DATA SecurityLabs, a new threat to Magento sites was uncovered on October 17th, using an exploit kit on the server side. The infected shops distribute exploit kits to visitors in order to steal payment or login data. Do you want to know more about it? Read this article and discover how dangerous is this massive wave of attack for Magento shops.

Exploit kit attacks hit Magento shops

Thousands of online shops running an outdated version of the Magento eCommerce platform have been infected with malware since 18 October 2015, according to a report by security firm Sucuri. The infected shops distribute exploit kits to visitors in order to steal payment or login data. This is the third largest wave of attacks that G DATA security experts have recorded this year. However, the attacks are still going on.

What is an exploit kit?

Exploit kits are packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware.


Image from:

When a user visits a manipulated website, as in the current case involving Magento shops, the exploit kit is used to scan the configuration of the PC for security holes in applications. If one or even multiple vulnerabilities are found on the system, a suitable exploit is sent to the client.

These kits are sold on the black market, where prices ranging from several hundred to over a thousand dollars are paid. Nowadays, it is also quite common to rent hosted exploit kits. Because of this, it is a competitive market with lots of players and many different authors.

How to protect your Magento shop from exploit kit?

Magento merchants are advised to follow the best pratices the security of their sites as well as:

  • Check your site with a free scan at for Guruincsite and other malware and security vulnerabilities on their files that could be used in future attacks.
  • Search for and remove any malicious scripts that have been injected into their pages (you can then submit an unblock request to Google using Google Webmaster). Instructions from Magereport on finding and fixing these scripts can be found in this article « How to fix the GuruIncsite infection ».
  • Please review all admin users in your system, including accounts with the username “admin” that could be left over from sample data installations. Remove any accounts which you are not actively using.
  • Implement all available patches ASAP to close any exploitable vulnerability. Here are the list of Magento patches you should apply: Magento Patch List.
  • You might also want to use a cyberecurity solution that protects your site against known and even not yet discovered vulnerabilities: test OZON cybersecurity solution for FREE!