Supply-chain attack lies dormant for six years before striking hundreds of e-commerce sites

Facepalm: Supply chain attacks can remain dormant for extended periods before striking their target, but they typically don't take years to achieve their objectives. However, a recently uncovered attack managed to stay undetected for a record-breaking length of time. At least three vendors of e-commerce software tools were compromised in a coordinated supply chain attack dating back at least six years. According to security firm Sansec, the unknown attackers injected a dangerous backdoor into the vendors' products, only taking control of third-party e-commerce servers a few days ago. The backdoor ultimately infected hundreds of e-commerce websites, with Sansec estimating between 500 and 1,000 total victims. The affected sites include both small businesses and large enterprises – including one $40 billion multinational corporation that Sansec declined to identify. The compromised vendors offer extensions for Magento, the open-source e-commerce platform acquired by Adobe several years ... Read full article.