
How Hackers Are Exploiting Online Shops and Servers to Earn Illegal Money
Cybercriminals are now turning to online store platforms like Magento and server tools such as Docker to secretly make money. These attackers are not just randomly picking their targets — they are skilled, organized, and always searching for new ways to break into websites and systems that are not properly protected.
One known group of attackers, which previously targeted websites built with a system called Craft CMS, has now moved on to bigger platforms like Magento (an e-commerce system) and Docker (used for running apps on servers). Their main goal is to make money by hijacking the power of other people's computers and internet connections.
How the Attack Works
These hackers find weak spots in the software used by businesses and developers. One method involves using a bug in a Magento plugin to run dangerous commands through a feature called PHP-FPM. This gives them access to the server.
Once inside, they install a special tool called GSocket. It hides in the system like a normal background process, making it difficult to notice. GSocket allows the attackers to connect to the hacked machine anytime they want, even after reboots.
What’s more troubling is their use of in-memory techniques. Instead of saving files that security tools can detect, they run their malware directly from memory using advanced Linux functions like memfd_create(). This allows them to load additional tools like:
XMRig – a program used to mine cryptocurrency using the victim’s CPU power.
IPRoyal Proxyware – software that sells the victim’s internet connection to other people without permission.
To stay hidden, the hackers even modify critical system files like /etc/ld.so.preload to inject rootkits that make their tools invisible. This means even if the crypto miner is found and removed, the proxyware might still be running quietly in the background.
Expanding to Docker and Brute Force Attacks
Besides Magento, the hackers also look for public Docker servers that don’t have security settings in place. They launch new containers inside these servers, downloading and running harmful software.
This malware is written in Go (a powerful programming language), and it does many things:
Stays active on the system
Reads and writes files
Runs hidden programs
Installs other hacking tools like GSocket and IPRoyal
Tries to hack more systems by guessing weak SSH passwords
This shows the group’s goal is not just to break into one site but to build a network of infected systems for ongoing income.
What This Means
Businesses running online stores or hosting apps must pay attention. Leaving server settings open or using outdated software is like inviting hackers in. Even platforms widely used by Nigerian tech startups, e-commerce shops, and developers are at risk if they don’t keep their software updated and use strong security measures.
By turning hacked computers into mining machines and internet resellers, these attackers are quietly making money off innocent users — often without anyone knowing for weeks or months.
To stay safe:
Always update your CMS, plugins, and server tools
Close unused ports and services
Monitor for unknown processes or changes to system files
Use tools that can detect in-memory threats and hidden malware
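One way to carry out the monitoring steps above, as an added example rather than code from the original article: the Python script below lists processes whose executable lives in a memfd_create() region and reports entries in /etc/ld.so.preload. The function names and the allowed_preloads allowlist are assumptions made for illustration.

```python
import os

def find_memfd_processes(proc_root="/proc"):
    """Return sorted (pid, exe_target) pairs for processes executing from a memfd."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission (run as root)
        # A binary executed from memfd_create() shows up as "/memfd:<name> (deleted)".
        if target.startswith("/memfd:"):
            hits.append((int(entry), target))
    return sorted(hits)

def read_preload_entries(path="/etc/ld.so.preload"):
    """Return the libraries listed in ld.so.preload ([] if the file is absent)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    except FileNotFoundError:
        return []
    entries = []
    for line in lines:
        line = line.split("#", 1)[0]                    # drop trailing comments
        entries.extend(line.replace(":", " ").split())  # whitespace or colon separated
    return entries

def audit(proc_root="/proc", preload_path="/etc/ld.so.preload", allowed_preloads=()):
    """Collect both findings; allowed_preloads is a site-specific allowlist (assumption)."""
    unexpected = [e for e in read_preload_entries(preload_path)
                  if e not in allowed_preloads]
    return {"memfd_processes": find_memfd_processes(proc_root),
            "unexpected_preloads": unexpected}

if __name__ == "__main__":
    report = audit()
    for pid, target in report["memfd_processes"]:
        print(f"[!] pid {pid} runs from memory: {target}")
    for lib in report["unexpected_preloads"]:
        print(f"[!] unexpected ld.so.preload entry: {lib}")
    if not any(report.values()):
        print("no memfd-backed processes or unexpected preload entries found")
```

Treat hits as leads to review: some legitimate software, such as the runc container runtime, re-executes itself from a memfd. A preload rootkit can also hide from dynamically linked tools like this one, so compare the result with a statically linked binary or an offline inspection of the disk.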
As attackers continue to grow in skill and boldness, it’s more important than ever to build strong digital defenses — especially if your platform is part of Nigeria’s growing tech and business ecosystem.