Urgent Action Needed to Protect E-Commerce Sites From E-Skimming Attacks Targeting Magento Vulnerabilities
As of 30 June 2020, Magento no longer provides security updates or security patches for its popular Commerce 1 and Open Source CMS platforms (formerly Enterprise and Community Editions). Over 100,000 e-commerce sites continue to run the outdated versions and remain wide open to attack.
With the sustained Magecart attacks targeting Magento CMS, and the outdated version no longer providing security fixes, there is a perfect storm brewing for bad actors to discover and exploit new vulnerabilities that will remain unpatched.
What the end-of-support means for merchants operating on outdated Magento versions
Any store that continues to run on an outdated version after 30 June 2020 must be aware that:
- merchants will have increased responsibility for maintaining site security, including re-certifying compliance with the Payment Card Industry Data Security Standard (PCI DSS), or face fines or removal of credit card processing ability;
- Adobe will not be responding to any further security issues for Magento 1;
- no further patches will be issued by Adobe; and
- Magento 1 extensions will not be available on the Magento Marketplace after July 7, 2020.
Read Adobe’s statement on EOS for Magento 1.
Cybersecurity concerns for e-commerce sites still running on outdated Magento versions
Magento has long been a target for Magecart attacks, which inject card-skimming scripts into the checkout pages of vulnerable e-commerce sites and sell the stolen card records on the black market.
These bad actors typically scan content management systems and e-commerce payment platforms to identify and exploit software flaws.
British Airways, Ticketmaster, and Forbes are amongst many large, reputable brands that have fallen victim to Magecart attacks that have compromised hundreds of thousands of payment cards. They were operating outdated versions of the Magento e-commerce platform and were vulnerable to attacks.
From 1 April 2017 until the present day, the “Keeper” Magecart group – consisting of an interconnected network of 64 attacker domains and 73 exfiltration domains – has targeted over 570 e-commerce sites in 55 different countries.
Gemini Advisory released a report on its research into the “Keeper” Magecart group, finding:
- over 85% of victim sites operated on the Magento CMS;
- the group likely generated upwards of US$7 million selling compromised card data, based on Gemini’s discovery of 184,000 compromised cards; and
- the group has been active for three years, and has grown in both its scale and sophistication over this period.
It is therefore critical that e-commerce merchants who continue to use an outdated version of the Magento CMS act immediately to ensure their site is secure.
So how do you secure your store from Magecart attacks?
Keep on top of updates
Make sure all plugins and themes are updated as soon as released, as updates will often include critical patches to security issues.
Lock down admin access
Administrators of web applications are a hot target. If a hacker is able to gain access to an admin account, it’s bad news. Ensure you have set up Multi Factor Authentication (MFA) for your admin users and enforce unique & strong passwords for those users.
But you can still go further. RedShield has a range of authentication options that can be deployed, including IP restriction, client certificate authentication, additional challenges, and email verification.
Ensure your WAF is correctly configured
Many sites will have a web application firewall (WAF) to protect against obvious malicious traffic. It’s important to ensure your WAF is correctly configured and up to date to help continue to block the obviously bad traffic.
RedShield provides the WAF function and can correctly configure and keep this up-to-date for you.
Only use trusted third party plugins
Using any third party plugin will increase the attack surface of your web app, increasing your vulnerability. A third party was to blame for the British Airways breach that compromised 380,000 payment cards.
On top of securing your web application, RedShield will protect any third party plugin you have on your site – ensuring you’re safe from any back door bandits that come knocking.
Get application shielding technology to secure your e-commerce store against Magecart attacks
Having a WAF is a great first step to securing your application, but it’s definitely not enough and doesn’t fix the problem.
A WAF can only block a single request or response, so it can only thwart simple injection-type attacks. Applications with complex logic flaws, coupled with ever-advancing attacks, mean that you need a security solution that goes further.
With Magento, the major known vulnerability involves SQL injection and while WAFs can provide some level of protection against this kind of attack, they can still be bypassed easily. The most effective way to secure your application from Magecart attacks, in this case, is to fix the vulnerability in the application’s code. However, with no support being offered by Adobe on security issues for outdated Magento versions, how can you then fix the actual vulnerability?
This is where shielding comes in. ‘Shields’ are custom code objects, designed to fix vulnerabilities at the proxy layer, so that attacks are rendered harmless before they reach your application. Outgoing response traffic is also shielded at the proxy layer: cookie hygiene is improved, session hijacking is prevented, and URLs are rewritten to prevent data disclosure.
This means you can shield the known vulnerability virtually, removing any risk, without having to touch a single line of the original application’s code. And this can be done for old, legacy and new applications, APIs – all sorts.
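As an added illustration of the two proxy-layer ideas above (not RedShield's code or configuration): a request-side shield that applies the IP restriction on admin access mentioned under "Lock down admin access", and a response-side shield that fixes cookie hygiene and strips version-disclosing headers without touching the application. The admin path prefix, the allowlisted network and the header names are constructed assumptions for this example.

```python
import ipaddress
from typing import List, Tuple

# Constructed for this example: Magento's admin URL is configurable, and the
# allowlist uses the RFC 5737 documentation range rather than a real network.
ADMIN_PREFIX = "/admin"
ADMIN_ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Response headers that leak software versions to an attacker doing reconnaissance.
DISCLOSING_HEADERS = {"server", "x-powered-by"}


def admin_request_allowed(path: str, client_ip: str) -> bool:
    """Request-side shield: only allowlisted source networks may reach the admin console."""
    if not path.startswith(ADMIN_PREFIX):
        return True  # storefront traffic is not IP-restricted
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADMIN_ALLOWED_NETS)


def harden_set_cookie(value: str) -> str:
    """Add Secure, HttpOnly and SameSite to a Set-Cookie value when the app omitted them.

    Attributes the application already set are preserved unchanged.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}  # parts[0] is name=value
    if "secure" not in attrs:
        parts.append("Secure")        # never send the session over plain HTTP
    if "httponly" not in attrs:
        parts.append("HttpOnly")      # injected scripts cannot read the cookie
    if "samesite" not in attrs:
        parts.append("SameSite=Lax")  # limits cross-site request forgery
    return "; ".join(parts)


def shield_response(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Response-side shield: rewrite cookies and drop disclosing headers on the way out."""
    shielded = []
    for name, value in headers:
        lname = name.lower()
        if lname in DISCLOSING_HEADERS:
            continue
        if lname == "set-cookie":
            value = harden_set_cookie(value)
        shielded.append((name, value))
    return shielded
```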
RedShield can develop custom shields to remediate the risk of these Magento vulnerabilities. So instead of taking your e-commerce store offline, shield it, and remove the opportunity for attackers to exploit Magento vulnerabilities.
Stay secure and keep your store online with RedShield
RedShield can provide a tailored security solution to help you:
- re-certify compliance with the Payment Card Industry Data Security Standard (PCI DSS) – outdated versions of Magento are no longer PCI DSS compliant;
- stay secure and stay online while you migrate your store to Magento 2; and
- defend your store from potentially devastating attacks.
Amongst numerous information security certifications, as of January 2020, RedShield’s core operations and services are certified as compliant to the requirements of PCI DSS v3.2.1, as applicable to a Level 1 Service Provider.
Book a discovery call with a RedShield Solution Architect to find out more and get a free test drive of the shielding technology.