More than 2,000 Magento online stores have been hacked over the weekend in what security researchers have described as the “largest campaign ever.”

The attacks were a typical Magecart scheme where hackers breached sites and then planted malicious scripts inside the stores’ source code, code that logged payment card details that shoppers entered inside checkout forms.

“On Friday, 10 stores got infected, then 1,058 on Saturday, 603 on Sunday and 233 today,” said Willem de Groot, founder of Sanguine Security (SanSec), a Dutch cyber-security firm specialized in tracking Magecart attacks.

“This automated campaign is by far the largest one that Sansec has identified since it started monitoring in 2015,” de Groot added. “The previous record was 962 hacked stores in a single day in July last year.”

Most stores were running an EOL version

The SanSec exec said that most of the compromised sites were running version 1.x of the Magento online store software.

This Magento version reached end-of-life (EOL) on June 30, 2020, and is currently not receiving security updates anymore.

Ironically, attacks against sites running the now-deprecated Magento 1.x software were anticipated since last year when Adobe — which owns Magento — issued the first alert in November 2019 about store owners needing to update to the 2.x branch.

Adobe’s initial warning about impending attacks on Magento 1.x stores was later echoed in similar security advisories issued by Mastercard and Visa over the spring.

In our coverage of the Mastercard and Visa alerts, several experts in the web security community told this reporter that new Magento 1.x vulnerabilities hadn’t been spotted in a while, which was uncharacteristic, as the 1.x branch was old and was riddled with security holes.

At the time, those security experts believed that hackers were intentionally sitting on their Magento 1.x exploits and waiting for the EOL to come around, to make sure Adobe wouldn’t patch their bugs.

It seems those experts were right.

While de Groot hasn’t yet identified how hackers broke into the sites that have been targeted over the weekend, the SanSec founder said that ads for a Magento 1.x zero-day vulnerability had been posted on underground hacking forums last month, confirming that hackers had waited for the EOL to come around.

In the ad, a user going by the name of z3r0day offered to sell a remote code execution (RCE) exploit for $5,000, an offer that was deemed credible at the time.

The good news is that since November 2019, when Adobe started urging Magento owners to migrate to the newer branch, the number of Magento 1.x stores has gone down from 240,000 to 110,000 in June 2020, and to 95,000 today.

The pace is slow, but it’s believed that many of the stores that haven’t been updated are most likely abandoned and have very low user traffic. Nonetheless, some high-trafficked sites are still running the 1.x branch and relying on web application firewalls (WAFs) to stop attacks.

That’s a risky strategy that, while it may be PCI compliant, may not be a smart decision in the long run.

In related news, Adobe also announced last week that it partnered with SanSec to integrate the security firm’s database of more than 9,000 Magento malware signatures into the Magento backend, as part of the Security Scan tool.