Hackers are actively targeting Magento sites running a popular helpdesk extension, Dutch security researcher Willem de Groot has discovered.

The avenue for these attacks is a Magento extension named Mirasvit Helpdesk, which allows sites to show a “Chat with us” widget on Magento shops.

In September 2017, Hungarian security firm WebShield published details about two vulnerabilities affecting the Mirasvit Helpdesk extension.

Experts warned that all versions of the Mirasvit Helpdesk extension released up to that point (until version 1.5.2) were vulnerable to these two flaws.

The first allowed attackers to upload files to the underlying Magento servers (CVE-2017-14320), while the second was a banal cross-site scripting (XSS) issue (CVE-2017-14321).

Chat widget used to infect stores with card stealer malware

Today, de Groot published the findings of his investigation of a hacked Magento store, and the security expert claims that hackers used the second flaw to breach Magento sites.

According to de Groot, attackers sent benign messages through the Mirasvit Helpdesk widget. The attacker entered malicious code containing the XSS payload in the chat window displayed on Magento stores, and the message was stored in the Magento database.

When support staff checked the recent messages in the store’s backend, the malicious message was displayed as a benign text that read something like:

Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – [email protected]

The malicious code was not visible, but in reality, at the moment the store owner viewed this message, the…