With the sustained Magecart attacks targeting Magento CMS, and the outdated version no longer providing security fixes, there is a perfect storm brewing for bad actors to discover and exploit new vulnerabilities that will remain unpatched.
What the end-of-support means for merchants operating on outdated Magento versions
Any store that continues to run Magento 1 after June 30, 2020 must be aware that:
- Merchants will have increased responsibility for maintaining site security, including re-certifying compliance with the Payment Card Industry Data Security Standard (PCI DSS), or face fines or removal of credit card processing ability
- Adobe will not be responding to any further security issues for Magento 1
- No further patches will be issued by Adobe
- Magento 1 extensions will not be available on the Magento Marketplace after July 7, 2020
Read Adobe’s statement on EOS for Magento 1.
Cyber security concerns for e-commerce sites still running on outdated Magento versions
Magento has long been a target for Magecart attacks, which inject card-skimming scripts into checkout pages of vulnerable e-commerce sites and sell records obtained on the black market.
These bad actors typically scan content management systems and e-commerce payment platforms to identify and exploit software flaws.
British Airways, Ticketmaster and Forbes are amongst many large, reputable brands that have fallen victim to Magecart attacks that have compromised hundreds of thousands of payment cards. They were operating outdated versions of the Magento e-commerce platform and were vulnerable to attacks.
From 1 April 2017 until the present day, the “Keeper” Magecart group - consisting of an interconnected network of 64 attacker domains and 73 exfiltration domains - has targeted over 570 e-commerce sites in 55 different countries.
Gemini Advisory released a report on its research into the “Keeper” Magecart group, finding:
- Over 85% of victim sites operated on the Magento CMS
- The group likely generated upwards of US$7 million selling compromised card data, based on Gemini’s discovery of 184,000 compromised cards
- The group has been active for three years, and has grown in both its scale and sophistication over this period
It is therefore critical that e-commerce merchants who continue to use an outdated version of the Magento CMS act immediately to ensure their site is secure.
So how do you secure your store from Magecart attacks?
Keep on top of updates
Make sure all plugins and themes are updated as soon as released, as updates will often include critical patches to security issues.
Lock down admin access
Administrators of web applications are a hot target. If a hacker is able to gain access to an admin account, it’s bad news. Ensure you have set up Multi Factor Authentication (MFA) for your admin users and enforce unique and strong passwords for those users.
But you can still go further. RedShield has a range of authentication options that can be deployed, including IP restriction, client certificate authentication, additional challenges, and email verification.
Ensure your WAF is correctly configured
Many sites will have a web application firewall (WAF) to protect against obviously malicious traffic. It’s important to ensure your WAF is correctly configured and kept up to date so that it continues to block that traffic.
RedShield provides the WAF function and can correctly configure and keep this up-to-date for you.
Only use trusted third-party plugins
Using any third-party plugin will increase the attack surface of your web app, increasing your vulnerability. A third party was to blame for the British Airways breach that compromised 380,000 payment cards.
On top of securing your web application, RedShield will protect any third party plugin you have on your site - ensuring you’re safe from any back door bandits that come knocking.
Get application shielding technology to secure your e-commerce store against Magecart attacks
Having a WAF is a great first step to securing your application, but it’s definitely not enough and doesn’t fix the problem.
A WAF can only block a single request or response - meaning it can only thwart simple injection-type attacks. Applications with complex logic flaws, coupled with ever-advancing attacks, mean that you need a security solution that goes further.
With Magento, the major known vulnerability involves SQL injection and while WAFs can provide some level of protection against this kind of attack, they can still be bypassed easily.
The most effective way to secure your application from Magecart attacks in this case is to fix the vulnerability in the application’s code. However, with no support being offered by Adobe on security issues for Magento 1, how can you then fix the actual vulnerability?
This is where Web Application Shielding – a form of software development – comes in. Web Application Shields can be programmed to transform request or response traffic, detect illegal inputs or outputs, address business logic flaws, and perform many other functional tasks.
Shields are deployed in front of a web application, making the application's vulnerabilities undiscoverable – and removing the risk of exploitation. RedShield has developed custom Web Application Shields to remediate the risk of known Magento vulnerabilities.
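To make the difference between a request-only WAF and a shield concrete, here is a small, self-contained model of a shield sitting in front of a storefront. It is an added illustration written for this page, not RedShield's product or Magento code. On the request side it applies the admin-path IP restriction mentioned above and rejects illegal parameter values before they reach the application; on the response side it inspects checkout pages and transforms them by stripping scripts from untrusted hosts and inline scripts that both read card fields and talk to the network. The admin network range, trusted script hosts, parameter rules and the sample checkout HTML are all constructed values for the example.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# ---- Policy: constructed values for this illustration. A real deployment
# ---- derives these from the store's own pages and admin locations.
ADMIN_PATH_PREFIX = "/admin"
ADMIN_ALLOWED_NETS = [ip_network("203.0.113.0/24")]          # hypothetical office range
TRUSTED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}  # hypothetical allowlist
CARD_FIELD_RE = re.compile(r"cc_number|cc_cid|card_number|cvv", re.I)
NETWORK_API_RE = re.compile(r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image", re.I)
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
INT_RE = re.compile(r"[0-9]{1,10}")

# Per-parameter input rules: a value is forwarded to the app only if its rule passes.
PARAM_RULES = {
    "product_id": lambda v: INT_RE.fullmatch(v) is not None,
    "qty": lambda v: INT_RE.fullmatch(v) is not None and int(v) <= 1000,
}


@dataclass
class Verdict:
    allowed: bool
    reason: str = ""
    findings: list = field(default_factory=list)


def shield_request(client_ip, path, params):
    """Request side: IP-restrict the admin path and reject illegal inputs."""
    if path.startswith(ADMIN_PATH_PREFIX):
        ip = ip_address(client_ip)
        if not any(ip in net for net in ADMIN_ALLOWED_NETS):
            return Verdict(False, "admin path requested from non-allowlisted address")
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is not None and not rule(value):
            return Verdict(False, f"parameter {name!r} failed its input rule")
    return Verdict(True)


def shield_response(path, html):
    """Response side: on checkout pages, drop scripts from untrusted hosts and
    inline scripts that read card fields and perform a network send.
    Returns (transformed_html, verdict)."""
    if not path.startswith("/checkout"):
        return html, Verdict(True)
    findings = []

    def rewrite(match):
        attrs, body = match.group(1), match.group(2)
        src = SRC_ATTR_RE.search(attrs)
        if src:
            parts = urlsplit(src.group(1))  # netloc is empty for a same-origin relative src
            if parts.scheme in ("data", "javascript") or (
                parts.netloc and parts.netloc not in TRUSTED_SCRIPT_HOSTS
            ):
                findings.append(f"removed script from untrusted source {src.group(1)}")
                return ""  # transform the response: drop the tag entirely
        elif CARD_FIELD_RE.search(body) and NETWORK_API_RE.search(body):
            findings.append("removed inline script that reads card fields and sends over the network")
            return ""
        return match.group(0)  # trusted script: leave untouched

    cleaned = SCRIPT_TAG_RE.sub(rewrite, html)
    reason = "skimmer indicators on checkout page" if findings else ""
    return cleaned, Verdict(not findings, reason, findings)


# Constructed sample pages: a clean checkout page and a tampered copy with an
# injected external script and a non-functional stand-in for an inline skimmer.
CLEAN_CHECKOUT = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/payment.js"></script>
</head><body><form><input name="cc_number"></form></body></html>"""

TAMPERED_CHECKOUT = CLEAN_CHECKOUT.replace(
    "</head>",
    '<script src="//bad-cdn.example/jquery.min.js"></script>'
    '<script>/* constructed stand-in, not a working skimmer */ cc_number; fetch("x");</script>'
    "</head>",
)

if __name__ == "__main__":
    print(shield_request("198.51.100.9", "/admin/dashboard", {}))
    print(shield_request("198.51.100.9", "/catalog/product/view", {"product_id": "42abc"}))
    html, verdict = shield_response("/checkout/onepage", TAMPERED_CHECKOUT)
    print(verdict)
```

The request rules show what a WAF signature cannot express: the shield does not look for known-bad strings in `product_id`, it forwards only values that satisfy the application's actual contract. The response pass is the "detect illegal outputs" half of shielding, and it is what catches a Magecart injection that arrived through a compromised plugin rather than through the request path. The regex-based tag handling keeps the example dependency-free; a production shield would use a proper HTML parser and, ideally, pair this with a Content Security Policy so the browser enforces the same allowlist.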
Instead of taking your Magento e-commerce store offline, shield it and remove the risk of exploitation.
Stay secure and keep your store online with RedShield
RedShield can provide a tailored security solution to help you:
- Re-certify compliance with the Payment Card Industry Data Security Standard (PCI DSS) - outdated versions of Magento are no longer PCI DSS compliant
- Stay secure and stay online while you migrate your store to Magento 2
- Defend your store from potentially devastating attacks
Amongst numerous information security certifications, as of January 2020, RedShield's core operations and services are certified as compliant to the requirements of PCI DSS v3.2.1, as applicable to a Level 1 Service Provider.