There are an estimated 250,000 Magento stores on the web, and each one is a target for criminals. Ecommerce stores are attractive targets because customers trust them with sensitive data, including credit card numbers, email and postal addresses, names, and other data that criminals can sell or exploit.
Ecommerce security is an evolving battleground, and the techniques used by criminals to compromise stores change as store owners and security professionals adapt. In this article, we look at the most pressing risks faced by Magento retailers today.
1. Vulnerable Extensions
Almost without exception, Magento stores rely on code provided by third-party vendors in the form of extensions. The Magento Marketplace requires extensions to pass basic security checks, but vulnerabilities slip through, and many popular extensions are downloaded not from the marketplace but from vendor sites with little external scrutiny.
In 2019, there has been a marked increase in the number of Magento stores compromised because of vulnerable extensions. At the beginning of the year, security researcher Willem de Groot noted that credit card scraper code had been injected into thousands of stores because of vulnerable extensions. The attackers exploit zero-day PHP object injection, SQL injection, and admin cross-site scripting vulnerabilities to gain access to sites and implant code that skims credit card details to send to servers under the attacker’s control.
There are three main contributors to the prevalence of vulnerable extensions: flawed software, a reluctance on the part of extension developers to publicize vulnerabilities, and the unwillingness of store owners to frequently update extensions.
Complex software almost always contains zero-day vulnerabilities, software flaws that developers and store owners are not aware of that can be used to compromise applications. Eventually, the flaws are discovered and fixed by developers. But Magento stores only benefit from the fixes if owners update.
Updates can be disruptive, incompatible, and expensive, and so store owners are reluctant to update even if they know about a vulnerability, which they may not.
No store owner enjoys spending time and money to update Magento and extensions, but the consequences of running outdated extensions are dire.
2. Vulnerabilities in Magento
Earlier this year, Magento released a series of updates that added Progressive Web App functionality and other new features. Unfortunately, a security company discovered a vulnerability in the code and released a proof-of-concept compromise that made it easy for criminals to exploit.
The flaw, named PRODSECBUG-2198, allows attackers to remotely take over vulnerable stores via SQL injection. Magento developers quickly released a patch, but many stores were not updated before attackers built automated scripts that leveraged the vulnerability. Any Magento 2 store that has not been updated to Magento Commerce or Open Source 2.3.1 or 2.2.8 remains vulnerable.
3. Supply Chain Attacks
Credit card numbers are the primary motivation for hacking Magento stores. Attackers collect thousands of numbers to sell on deep and dark web sites to criminal operations that turn the numbers into money, usually by buying goods and selling them on at a deep discount compared to retail prices.
Attacks against Magento stores are mostly automated, but each store has to be individually compromised, something that is not possible if there is no vulnerability. An alternative is to attack vendors that supply code used on hundreds or thousands of stores. Almost every store uses vendor-developed extensions and third-party services. The vendor’s code is implicitly trusted, so if an attacker can inject malware into that code, it will eventually end up on a huge number of stores.
This type of supply chain attack is the favorite technique of the groups that operate under the Magecart rubric. A long list of third-party service providers has been compromised and used to inject credit card skimming malware in 2019.
The list includes advertising agency Adverline, headless content management system CloudCMS, analytics provider Picreel, ad platform AdMaxim, conversion rate optimization service RYVIU, content marketing supplier Growth Funnel, and many more.
It is fruitless to advise Magento store owners to check every line of code provided by every third-party service relied on by their stores. It would be exorbitantly expensive, and many retail organizations don’t have the expertise. However, Magento store owners should use malware scanning tools and security services capable of alerting them when Magecart and similar software appears on their site.
4. Brute Force and Credential Stuffing Attacks
Brute force attacks used to be one of the easiest and most effective ways to break into Magento stores. Before 2016, the risk posed by weak admin passwords was not widely understood by retailers. Magento stores “protected“ by easily guessed passwords were common. In recent years, as the media and security researchers have publicized password best practices, brute force attacks are less likely to succeed.
However, dictionary and credential stuffing attacks remain a risk for Magento stores with common or non-random passwords. Dictionary attacks target Magento admin accounts with repeated login attempts using passwords stolen from previous leaks. There have been so many massive password database leaks that, by analyzing the frequency with which passwords appear, criminals know not just the top ten most used passwords, but the top hundred thousand. Any store with an admin account that uses one of these passwords is vulnerable.
Credential stuffing puts a different spin on the credential guessing game. As the discovery earlier this year of the Collection #1 password dump showed, criminals have access to millions of username or email and password combinations from hundreds of data breaches.
These are real credentials used by real people. And, because people often use the same credentials on multiple sites, there’s a chance that credentials were stolen from one site also grant access to other sites.
Potential mitigations include enforcing passwords that comply with best practices, using two-factor authentication for Magento administrator accounts, and rate-limiting login attempts.
