Magento Hacked Again. Who is at fault?


Last month (November 2022), researchers at Sansec published an article about Magento stores being hacked - Sansec stated that:

“At least seven Magecart groups are injecting TrojanOrders at approximately 38% of Magento websites in November.” - Sansec

But what is Magecart?

Magecart sounds like the name of a generic Magento extension. But in fact, Magecart is a type of cybercrime where transaction data is intercepted during the checkout process. You may have heard of other terms such as “skimming” or “formjacking”. Their attacks can be observed as far back as 2010.

The scary thing about Magecart is that it can be quite simple to do (for those groups who have the expertise). Don’t underestimate the time and resources being put into exploiting your store because this is their entire focus.

The cost of executing an attack is negligible, it’s hard for you (as a store owner) to detect, plus it’s nearly impossible to trace the culprits.

Their method is to add code to your store via unpatched vulnerabilities (more on that later). Once a store is under their control, they can use a keylogger to collect the cardholder’s details. These details are then sold on the dark web.

What is TrojanOrders?

The recent attack being reported by Sansec is called TrojanOrders. Sansec explains that:

“an email is, among others, triggered by placing an order; that is why we call this attack TrojanOrder. Other triggers are “sign up as customer” or “share a wishlist.” A successful probe means the attacker can take over the website.

After gaining access to the website, the first order of business is installing a Remote Access Trojan, giving easy and permanent access to the website, often even after patching or upgrading the system.” - Sansec

Why attack Magento?

Magecart doesn’t just go for Magento stores. They also attack other platforms such as WooCommerce, Prestashop, OpenCart and various others. However, the attacks are more prominent on Magento and WooCommerce for two main reasons. The first being their popularity. The second is how they are often neglected, and therefore not updated in a timely manner (or at all).

eCommerce platforms like Magento Open Source attract business because of their initial low cost to set up an eCommerce store. However, the platform is treated too much like a “plug and play” solution. But you cannot just forget about the software, you have to maintain it. This is why solutions such as Shopify are so popular, because the software is updated for you.

November 2022

Going back to Sansec’s report, they show nearly 40% of Magento stores being hit by TrojanOrder attack probes. The thing is, these attacks prey on a known vulnerability in Magento. However, this vulnerability was addressed and patched by Adobe (the owners of Magento) back in February of this year.

You see, when a security vulnerability is found by Adobe, they fix the problem by releasing a patch and they make it public what the vulnerability was and provide the solution. But for one reason or another, Store Owners do not address these announcements.

This neglect is what Magecart relies on. It looks at how to take advantage of old vulnerabilities, and then looks for out-of-date stores to launch an attack. Why invest time and money trying to exploit up-to-date software, when there are plenty of old ones waiting to be taken advantage of?

Who is at fault?

So, who is at fault here? Well, that comes down to the person responsible for maintaining your Magento store. That might be your Developer, Store Owner, Agency or You.

You are far more vulnerable… No, I’ll rephrase that. Your trusting customers are far more vulnerable when you do not keep on top of the latest Magento updates or Security Patches.

Aside from your customers falling victim, your business will face pain. The two biggest financial pains would be:

  1. Paying a fine for every card transaction in a date range that your Payment Provider has determined. So, if you took 10,000 card payments a month and your store was identified as leaking cardholder information over a 3 month period, then you would pay a fine multiplied by 30,000. Even if it was as little as 50 pence per card, that is still a bill of £15,000.
  2. The second is being blacklisted by a Payment Provider. For example, if VISA believes your negligence led to the cardholder information being leaked, then they have every right to decline all VISA transactions made to your business. As of data from January of this year, that means 58% of your transactions would automatically be declined.

What can you do right now?

Now that you know the facts, I want to wrap this up with a small list of actions that you can take away today. You’ll find links at the end of the article to help.

  1. Check that your version of Magento is up-to-date. At the time of recording this video, you should be on either 2.4.4-p2 or 2.4.5-p1. Version 2.4.3 stopped being supported in November. And Version 2.3 stopped being supported in September. If you are running out-of-date software, seek to resolve this yourself or via a Magento Support Partner.
  2. Screen your developers because they will likely have complete oversight of your source code. You’re always best to go with a reputable Magento Partner than someone approaching you in a forum or a Freelance Marketplace.
  3. On a similar subject, look into the stores where you purchase your Magento extensions. Do they have a positive reputation that you can verify with confidence? The same goes for copy/pasting free extensions from GitHub. Always be wary and always validate what you’re being told.

There are so many security points to go over, which I’ll cover in a future video. But you’ll probably have your hands full getting everything updated over the coming weeks. Otherwise, sit back, relax and wait for the next update coming in March 2023. This update includes 2.4.6, 2.4.5-p2 and 2.4.4-p3.

References

Reputable Magento Developers (just a few)
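As an added example (not part of the original post or of Magento itself), here is a small Python script that does step 1 of the action list mechanically: it takes the version string of each store, compares it with the releases the post names as current for November 2022 (2.4.4-p2 and 2.4.5-p1) and flags stores that are on an end-of-life line (2.4.3, 2.3) or missing a security patch. The `Magento CLI 2.4.5-p1` input format is assumed to match what `bin/magento --version` prints; the store inventory is constructed sample data.

```python
import re
from typing import Dict, NamedTuple, Optional

# Patched releases named in the post for November 2022 (assumption: this table
# is what you maintain from Adobe's release notes; it is not fetched anywhere).
SUPPORTED_MIN = {
    (2, 4, 4): 2,   # 2.4.4-p2
    (2, 4, 5): 1,   # 2.4.5-p1
}

class MagentoVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    security: int   # the "-pN" suffix; 0 when no security patch is applied

# Matches "2.4.5" or "2.4.5-p1" anywhere in a string.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")

def parse_version(text: str) -> Optional[MagentoVersion]:
    """Extract a Magento version from a bare string or from CLI-style output
    such as 'Magento CLI 2.4.5-p1' (assumed output format of bin/magento --version)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, sec = m.groups()
    return MagentoVersion(int(major), int(minor), int(patch), int(sec or 0))

def assess(version: str) -> str:
    """Classify a version as:
    'ok'                   - on a supported line with the required security patch
    'needs-security-patch' - supported line but an older -pN than required
    'unsupported'          - end-of-life line (e.g. 2.4.3, 2.3.x); no patches will come
    'newer-than-list'      - a line newer than the table; re-check Adobe's advisories
    'unknown'              - no version could be parsed
    """
    v = parse_version(version)
    if v is None:
        return "unknown"
    line = (v.major, v.minor, v.patch)
    if line in SUPPORTED_MIN:
        return "ok" if v.security >= SUPPORTED_MIN[line] else "needs-security-patch"
    if line > max(SUPPORTED_MIN):
        return "newer-than-list"
    return "unsupported"

# Constructed sample inventory: store name -> output captured from bin/magento --version
SAMPLE_STORES: Dict[str, str] = {
    "shop-a": "Magento CLI 2.4.5-p1",
    "shop-b": "Magento CLI 2.4.4",
    "shop-c": "Magento CLI 2.4.3-p3",
    "shop-d": "Magento CLI 2.3.7-p4",
}

def report(stores: Dict[str, str]) -> Dict[str, str]:
    """Assess every store in the inventory and return name -> status."""
    return {name: assess(ver) for name, ver in stores.items()}

if __name__ == "__main__":
    for name, status in report(SAMPLE_STORES).items():
        print(f"{name}: {status}")
```

Run it against your own inventory by replacing `SAMPLE_STORES` with the real `bin/magento --version` output from each store; anything that is not `ok` is a store to schedule for patching, and `unsupported` stores cannot be fixed by a patch at all, only by an upgrade.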


Veeerrry interesting Craig

Thank you.

