Magento e-commerce sites fraught with vulnerabilities

By Admire Moyo, ITWeb's news editor.
Johannesburg, 04 Dec 2018
Magento-based Web sites are highly vulnerable to hacking, says Foregenix.

The majority of e-commerce Web sites that use the Magento platform are vulnerable to cyber attacks.

Security Web scans and analysis performed on 842 African Web sites that use Magento, the most popular e-commerce platform globally, reveal 88% are at high or critical risk from cyber criminals. The analysis was done by Johannesburg-based global cyber security firm, Foregenix.

It identifies the absence of critical security patches as the most significant vulnerability of African SMEs that hackers can exploit.

Magento is an open source e-commerce platform written in PHP. The software was originally developed by Varien, a US private company headquartered in California, with assistance from volunteers.

Developers can implement the core files and extend its functionality by adding new plug-in modules provided by other developers. Since the first public beta version was released in 2007, Magento Open Source has been developed and customised in order to provide a basic e-commerce platform.

Malware infection

The global analysis, which looked at over 170 000 Web sites in total, also reveals 1.5% of these sites (2 548) are infected with malware.

Out of these infected sites, 1 591 were compromised by credit/debit card stealing malware which is actively harvesting their customers' data for subsequent sale or fraud.

A further 2.3% of all Web sites are vulnerable to Magento Shoplift, a vulnerability that was disclosed, with patches made available, in January 2015. It allows hackers to completely administer the Web site remotely, steal sensitive data and even order items free of charge through a single exploit command, which is publicly available.

In 2015, it was reported that outdated or unpatched Magento Web stores are susceptible to a cross-site scripting attack, which allows attackers to perform online skimming to steal user credit card information.

In 2017, security company DefenseCode reported that Magento CE Web stores are susceptible to remote code execution attacks, which allow attackers to perform online skimming, steal stored credit card information of future and previous customers, take control of the database, and in some instances even the complete server.

Foregenix CEO Andrew Henwood says: "While the figures for Africa are of great concern, they are roughly in line with our findings for many other regions."

Online retail in SA is due to pass the R14 billion mark in 2018 as e-commerce begins to go mainstream. This is a key finding of the Online Retail in South Africa 2019 study, recently conducted by World Wide Worx with the support of Visa and Platinum Seed.

"The issues highlighted are a truly global problem, which threatens to undermine confidence in e-commerce. Repercussions as a result of compromises are heavy penalties by card providers and these put many smaller traders at risk," Henwood says.

"Magento and other e-commerce platforms release regular software updates in response to vulnerabilities. These security patches, if not used, can leave Web sites highly vulnerable to hacking and loss of sensitive data."

Henwood points out that online businesses often assume Web developers, agencies and hosting providers take care of security.

"Design agencies are great at producing beautiful, transactional Web sites that sell their wares, but their expertise on security issues generally isn't as well-developed. Agencies and their clients need to be aware of e-commerce security issues, as even a single breach can be devastating for a small business.

"Simple precautions can make a real difference to reducing a company's risk from criminals, such as regularly patching, changing default settings on the administration interface and using stronger passwords with multi-factor authentication. Risk can never be entirely eliminated, so companies should also consider investing in a partnership with a cyber security specialist organisation and cyber insurance policy."

User error

Jon Tullett, research manager for IT services, Sub-Saharan Africa at IDC, comments that the root cause of vulnerabilities in Magento sites is user error.

"It's not that Magento is particularly vulnerable, it's that site operators have not patched the software. Vulnerabilities are found in software all the time; site operators have to take responsibility to keep it up to date. When a customer is working with a third-party host, part of what they're paying for - but may not be getting - is an expeditiously patched environment.

"At a minimum, keep all software up to date, stay on top of vulnerability or threat feeds to watch for alerts, make very frequent backups to a different environment, and put instrumentation in place to identify anomalous behaviour."

Graham Croock, director for BDO IT Advisory Services, says the new Magento Phantom malware roots itself deeper into impacted sites and makes system modifications in order to harvest payment card details, as well as other confidential data belonging to both customers and the Web site.

He adds that the compromise does not highlight weaknesses or vulnerabilities in the Magento solution itself, but relates to Magento users unintentionally installing compromised or fake extensions to the Magento framework, which can then leave businesses open to attack.

"The invasive malware is deployed through the use of a malicious file containing compromised or fake Magento extensions. The file is then used by hackers to make unauthorised modifications to the core Magento framework, resulting in stolen data," he notes.

"This new advancement to the malware also includes functionality to automatically alert hackers when new harvest files are created, allowing them to steal even more payment card data from the compromised site."

Croock points out that potential victims need to install and use specialised online cyber security monitoring tools that have functionality capable of detecting the Magento Phantom malware.

"Users are urged to make use of appropriate specialised online security monitoring for Web sites, alerting Web site owners to potential threats and offering unlimited support and guidance from specialist leading data security and forensics teams to assist with the removal of the infectious malware and viruses from client websites."
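The unauthorised modification of core framework files that Croock describes, and the instrumentation for anomalous behaviour that Tullett recommends, are the kind of change a file-integrity baseline catches. The script below is an added illustration, not code from the article, Foregenix or BDO; the watched directory names are an assumption about a typical Magento docroot layout.

```python
import hashlib
import json
import sys
from pathlib import Path

# Subdirectories of a Magento docroot to baseline. These names are an
# assumption about a typical layout (core code, libraries, web root, vendor
# packages), not an official or exhaustive Magento file list.
WATCHED = ("app", "lib", "pub", "vendor")

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: str) -> dict:
    """Map every file under the watched directories to its SHA-256."""
    root_p = Path(root)
    result = {}
    for sub in WATCHED:
        base = root_p / sub
        if base.is_dir():
            for p in base.rglob("*"):
                if p.is_file():
                    result[p.relative_to(root_p).as_posix()] = hash_file(p)
    return result

def compare(old: dict, new: dict) -> dict:
    """Classify drift between a stored baseline and a fresh scan:
    new files (e.g. a dropped extension), deleted files, changed core files."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }

if __name__ == "__main__":
    # usage: python integrity.py <docroot> <baseline.json>
    # First run writes the baseline; later runs report drift and exit 1.
    docroot, store = sys.argv[1], Path(sys.argv[2])
    current = baseline(docroot)
    if store.exists():
        report = compare(json.loads(store.read_text()), current)
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)
    store.write_text(json.dumps(current, indent=2))
    print(f"baseline written: {len(current)} files")
```

Take the baseline right after a clean install or patch, store it outside the web root, and re-run from cron so that an alert, not a card-brand penalty, is the first sign of a modified file.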