Magento Security: Hackers Exploiting Old Plugin Vulnerabilities

FBI has recently released news regarding e-skimming attacks, also known as web skimming. Alongwith with that RiskIQ warned about Magecart attacks. These Magecart attacks are somewhere affecting Magento where hackers are exploiting a three-year-old vulnerability in a Magento plugin to hack online stores and place a malicious script that records and steals buyers’ payment card data. To carry out these e-skimming intrusions, hackers are exploiting the cross-site scripting (XSS) that lies in the Magento Mass Import (MAGMI) plugin. 

After gaining access to the target site, the hackers will dismantle the PHP and JavaScript to allow for their malicious code to be inserted and begin stealing payment information. Once the information has been collected, they transform it into the Base64 format, store it in JPEG files, and send it to the hacker’s server. Lack of origin authentication in the CardGate Payments plugin made it possible for a hacker to change plugin settings, such as the merchant ID or secret key, in order to hijack the payment process. 

Common Security Risks Seen on Magento 

Open-source platform Magento can be vulnerable to a few security issues. Open-source software has an open development process, giving merchants the ability to edit their own source code. This advantage provides flexibility and a great opportunity for customization. 

For some businesses, the customization and in-house control of open source are attractive — but they must be prepared for the greater risks associated with it. Here are some of the biggest security risks typically seen on Magento e-commerce sites.

1. Server attacks 

If your e-commerce site is hosted on a server under your control, then be prepared to protect it from distributed denial of service attacks. Also known as DDoS(Denial-of-service attack), these attacks purposely overwhelm the server with traffic, interrupting service on your eCommerce site.

Recommended Security Patches: Consider launching the site over HTTPS. This will securely encrypt your website as well as make it eligible for higher Google rankings. On the other hand for an existing website, upgrade the site to run on HTTPS.

2. Website Damage

Malicious users just want to wreak havoc. Website damage includes homepage vandalized or various files across your site being deleted. 

In October 2019, Magento issued a security patch for a vulnerability in Magento eCommerce for remote code execution, the way hackers get in to deface your site. And, the third-party apps and integrations can also introduce these kinds of vulnerabilities.

Recommended Security Patches: Ensuring that the Magento 2 security measures- 

• To ensure a secure server operating system, make sure there is no unnecessary software running on the server.
• Disable FTP and make use of only a secure communications protocol (SSH/SFTP/HTTPS) to manage files.
• In case you are using a server different from the Apache web server, ensure that all system files and directories are protected. 
• Ensure that only Whitelisted IP addresses are allowed to access the admin panel. Implement two-factor authentication for Admin logins. This provides additional security by requiring an additional passcode that is generated on your phone. Moreover, strictly restrain from using simple text passwords which can be easily guessed by a hacker.
• Secure the computer you use to access the Magento Admin Dashboard. Regularly update your antivirus software and use a malware scanner.

3. Credit Card Data Theft

Credit card hijacking, also called card skimming or silent card capture, happens when hackers exploit a vulnerability that allows them to tap into payment data coming through your shopping cart. 

This kind of cyber attack happens by exploiting known software vulnerabilities to inject malicious JavaScript code into online checkout software systems. It has a relatively low barrier to entry, making credit card skimming a common form of a cyber attack on Magento eCommerce websites. 

One of the biggest threats is that it can go undetected for a long period of time, compromising sensitive personal and payment information. Losing your customers’ personal information and putting them at risk of identity theft is one of the fastest ways to lose trust, deterring customer acquisition, and loyalty. 

Recommended Security Patches: Update your Magento version-

• Make sure you’re using the latest version of Magento. This entitles your installation to the most recent security enhancements. If not, make sure to install all security patches as recommended by Magento.
• Use a custom Admin URL which is unique and cannot be easily guessed. This could reduce exposure to scripts that might try to break in through your Admin URL.
• Use a strong password for the Magento Administrator account. This will make password guessing attacks difficult.
• Make use of IP whitelisting and .htaccess password protection to block access to any development, staging, or testing systems. Such systems are vulnerable to data leaks on compromise.
• Adhere to Magento’s security-related configuration settings for Admin Security, Password Options, and CAPTCHA

 4. Botnet

The purpose of botnets is to perform normal tasks automatically and quickly than humans or groups of humans could dream of. The most common use for bots, “crawling,” is not actually malicious; this is how search engines like Google recognize your website existence and what it contains. 

But in some cases, they can be used to add your machine to their web of connected devices, putting it under someone else’s control. At that point of time, the botnet can be used to carry out malicious activity — for example, sending spam emails from your address to millions of internet users. Not only will that reduce recipients’ trust in your brand but also reduce your emails’ deliverability in the future if your server is blacklisted by spam filters.

Recommended Security Patches: Create a Disaster Recovery Plan-

• Periodically review server logs for any suspicious activity. If need be, implement an Intrusion Detection System (IDS) on your network.
• Check if any unauthorized admin users have been created. You can monitor any suspicious activity, in the Admin Actions Log.
• Check the data integrity of files on the server. This can unearth any potential malware installation.
• Monitor all system logins (FTP, SFTP, SSH) for unexpected activity, uploads, or commands.

Sunsetting Magento 1

On June 30, 2020, Magento 1.X — a series of versions of Magento — was officially faced with a sunset. While that doesn’t mean your store disappeared from the internet at all, it has introduced a whole host of significant challenges: 

Without security patches, you’re at risk of a data breach if new vulnerabilities are discovered.

You could lose compatibility with third-party integrations, leading to instability and inconsistent website performance.

Lack of improvements to core features means you run the risk of falling behind your competitors. Without these “quality of life” fixes, the performance of your site over time will likely suffer slower speeds, visual bugs, and layout, according to this Magento developer agency.

What makes Magento Store Vulnerable?

Delay in M2 migration or not updating your store may put your store and your customers’ credit card data at risk. Magento Maintenance and migration are essential, especially for Magento 1 store owners and merchants. Magento has announced End of Life (EOL) for all the Magento 1 versions, i.e., no security patch or support updates after June 30th, 2020.

Website Left without Updates

The FBI flash alert contains indicators of compromise (IOCs) that Magento operators can deploy inside their web application firewalls (WAFs) to prevent their websites against attacks. 

Updating to MAGMI 0.7.23 is also recommended, as this fixes the XSS bug that grants hackers initial access to the online stores.

However, the MAGMI plugin only works for older versions of Magento online stores, the 1.x branch, which is set to reach end-of-life on June 30, 2020.

Ideally, store owners should be updating their entire online shops — not just the MAGMI plugin — to version 2.x, which will continue to receive security updates going forward.

Security Tips

Users running their e-commerce website on Magento should keep updating their web-platform along with all the plugins and at a regular interval. Using a strong password, and updating it regularly can prevent brute-force attacks. Regular inspection of the website for malicious code or unauthorized access can help fill in the gaps.