Magento recently confirmed that their e-commerce platform suffered a massive malware attack that impacted about 5,000 Magento Open Source users. According to a Magento spokesperson, the sites were infected with MagentoCore, a malicious payment card data-stealing script designed to uncover simple passwords and compromise Magento websites.
A notorious hacker group is exploiting a long list of zero-day vulnerabilities in popular Magento extensions to inject digital skimming code into e-commerce sites. This attack vector abuses PHP’s unserialize() function to inject their own PHP code into the site.
While such news might sound like big revelations to some e-commerce business owners, the reality is that Magento exploits are fairly common. Given the means hackers and cyber-criminals have access to today, attacking a Magento storefront is actually remarkably simple.
Not your problem? Think again.
These attacks can be prevented, but it’s your responsibility to prevent them.
The issue is that a lot of ecommerce merchants don’t actually realize this. They think that since credit card information is handled by a third party, they’re not responsible for the theft of card data.
However, any attack that is executed via your website (that is part of the card holder’s data environment) is your responsibility – and once that has happened, a loss of brand, revenue, and customer loyalty is just the beginning. In fact, if credit card information is being used for money laundering or any kind of illegal activity, the Secret Service can show up at your doorstep and shut you down.
Anatomy of an attack
Step 1 – Gaining admin access: Hackers and cybercriminals leverage Magento vulnerabilities to gain admin access to a site, either through brute force or a gradual process.
When Magento identifies a vulnerability, they publish it – along with a security patch. The first thing merchants must do in these situations is run the patch, however, many don’t and subsequently fall behind. Hackers, on the other hand, are always keeping up with security patches. They know there’s a good amount of merchants that won’t install the security patch in time, so they track and compile lists of the exploits, and hire booter networks, or botnets, to run targeted probes to identify which sites they can target and to which they can gain admin access.
This is easier than you think. Hackers can easily buy a list of all Magento websites in the world, and hire a botnet, for very little money, to monitor them all for the existence of the published vulnerabilities.
Once hackers gain access to the admin, they can change anything on the site.
Step 2 – Inserting malicious code: Most attackers are not interested in defacing a site – that’s not valuable. They’re interested in stealing credit card information.
Once hackers have admin access, they embed links to a third-party JavaScript in some obscure blocks of your website, like the header or the footer, where it’s unlikely you’ll look for them (unless you’re regularly looking for them).
Browsers load third-party assets all the time. So, when you have third-party links embedded in the HTML you’ve used to build your website, browsers accept these links and follow them because they came from a trusted source – your website!
Once a browser loads an installed JavaScript, the code can then steal data (such as credit card details) from the web browser and send it off to a server elsewhere. One of the techniques to steal data, for example, is storing keystrokes when you type in your credit card information.
This is really the essence of a Magento attack – hackers and cybercriminals just keep finding new ways to do it.
Step 3 – Credit card abuse: After stealing confidential credit card information, cybercriminals can buy products online and have them shipped globally. They can also perform credit card laundering by running hundreds of small purchases using stolen credit card numbers and reselling the “successful” cards to organized crime rings.
Most major attacks in e-commerce target the Magento platform – essentially because they can leverage the false confidence that merchants tend to have. So, how do you prevent these?
4 things to do to make your Magento site significantly more secure
- Whitelist access to your admin: Hackers know what to install to exploit security vulnerabilities, and they want to use admin access to do it. Control access to your admin section by allowing whitelist-only access to a small set of site administrators. Also, frequently monitor and audit who has access to this section.
- Prevent unauthorized PHP execution: After you’ve whitelisted the IPs that have admin access, make sure you have mechanisms and processes to prevent random PHP execution on your site.
- Mitigate malicious bots: Most sophisticated attacks are initiated by malicious bots, and you should be able to prevent them from gaining access to the application infrastructure. Solutions such as Webscale’s Cloud Bot Manager ensure that such bot attacks are identified and blocked, in real-time, using a combination of techniques such as IP reputation-based filtering, user agent based identification, behavioral analysis based on machine learning, anomaly patterns, and browser tests.
- Work with a Security Partner: Security is an arms race. Make sure you have a diligent security partner that applies your security patches on a regular basis – faster than hackers can take advantage of them. Also, ensure this partner has robust cybersecurity capabilities – sophisticated technology and the right people – to provide you with 360-degree security for your web application infrastructure – at the origin and the edge.
Lack of security is a very real problem. If there are 5,000 malware-affected Magento sites, it points to how big the problem is.
Sure, it’s a small part of Magento’s user base, but the bad guys are monitoring the whole Magento universe for exploits. That means your site could be under surveillance today, by hackers looking for a way in.
Every Magento storefront needs a comprehensive security strategy – with advanced technology and the right partner. If you don’t, you’re taking a huge risk. For a free assessment of your online storefront’s security, fill out this form or drop us an email at sales@webscalenetworks.com.
You can also check out the session I presented at Meet Magento New York this year, along with Brent from Wagento, about how we’re helping merchants improve their security ahead of Black Friday. Watch the video here.
