Sansec, a research firm specialized in detecting digital skimming, reported that almost 2000 Magento stores fell victim to a hacking attack that took place last weekend. The attack was performed through an automated Magecart campaign and has endangered the private and card information of thousands of customers. The hacking activity peaked on Saturday, when more than 1050 Magento stores were hacked.
Common Magecart Attack
This automated campaign is not an unusual occurrence. These malicious attacks have been monitored for more than 5 years now, and this campaign is the largest one so far. Before it, the largest campaign recorded by Sansec was in July 2019, when 962 stores were hacked.
Unfortunately, criminals have been progressively automating their skimming operations in order to hack as many stores as possible. It is not yet known how many customers had their private and card information stolen, but the estimate is in the tens of thousands.
How does a typical Magecart attack work?
Criminals inject a piece of malicious code that intercepts the payment and personal information store customers enter while purchasing products. A Magecart attack is a data-skimming scheme that harvests private information on the client side, using the customer's browser as the entry point.
1. Attackers gain access to your website by compromising your server infrastructure and place skimming code on it.
2. The skimming code captures the payment and personal details that customers enter during checkout.
3. Once the criminals have gained access to your website, they scrape the data they are looking for and send it back to their own server.
Who stands behind Magento attacks?
Magecart isn't a name given to a specific entity or organization; it represents a category of attacks. When it comes to this particular attack, one thing the majority of these stores have in common is that they have no prior record of any kind of security incident. For this reason, many cybersecurity experts believe this is an attack method that has not been used before.
The investigation is still ongoing, but some offers found on hacking forums may have a connection to this campaign. According to Sansec, one user offered to sell 10 copies of an exploit method for a "Magento 1 remote code execution" for $5000. Translated offer from Russian to English:
Photo by: Sansec
The attackers used IP addresses located in the United States and at OVH SAS to gain access to the Magento admin panel and interact with the Magento Connect features. With access to Magento Connect, they installed various skimming files.
Some of the files they installed were:
Check if your Magento 1 store security is intact
To make sure you haven't been a victim of these skimming schemes, search your server log files for requests to the downloader directory.
In many of the stores affected by the attack, a mysql.php file was found in the root directory. Another sign that you are safe is that the downloader directory is not present in your store at all.
Can Magento 1 store owners dodge security attacks?
One thing that has given the attackers a boost in performing this skimming scheme is that the Magento 1 branch is no longer updated, so the vulnerabilities in these stores will remain present for a certain amount of time. Preventing such attacks will be demanding and tricky.
There are 3 quick prevention steps that you can take:
1. Remove access to the downloader folder
One prevention measure is to block access to the downloader files and folder from all IP addresses except the ones you consider safe. However, this doesn't guarantee you'll avoid the attacks.
2. Remove the "downloader" directory
In your root directory, find the "downloader" directory. You can delete it or rename it.
3. Locate the .htaccess file in the root folder
At the beginning of the file, add the following line: RedirectMatch 404 ^/downloader/.*$
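As an added example (not from the article or from Sansec), the following POSIX shell script runs the two checks from the "Check if your Magento 1 store security is intact" section and applies the .htaccess rule from step 3 to a Magento 1 document root. The document-root path, the Apache-style access log and the sample log lines are constructed assumptions.

```shell
# Added example, not the article's or Sansec's code: log check, file checks
# and the .htaccess hardening from the steps above, for a Magento 1 docroot.
# Assumption: Apache combined-style access log; standard Magento 1 layout.

# Print every access-log line that requests something under /downloader/.
downloader_hits() {
    grep -E '"(GET|POST|HEAD) /downloader(/|[?]| )' "$1" || true
}

# Return 0 and print a reason if the docroot still exposes the downloader or
# carries the mysql.php indicator mentioned above; return 1 if neither is found.
check_store() {
    found=1
    if [ -d "$1/downloader" ]; then
        echo "EXPOSED: $1/downloader exists (Magento Connect downloader)"
        found=0
    fi
    if [ -f "$1/mysql.php" ]; then
        echo "SUSPICIOUS: $1/mysql.php in webroot (seen on compromised stores)"
        found=0
    fi
    return $found
}

# Idempotently put the 404 rule at the very top of .htaccess in the docroot.
harden_htaccess() {
    ht="$1/.htaccess"
    rule='RedirectMatch 404 ^/downloader/.*$'
    [ -f "$ht" ] || : > "$ht"
    if ! grep -qxF "$rule" "$ht"; then
        { echo "$rule"; cat "$ht"; } > "$ht.tmp" && mv "$ht.tmp" "$ht"
    fi
}

# Constructed fixture so the script runs offline: a fake docroot carrying both
# indicators, and a two-line constructed access log (one downloader request).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/downloader"
: > "$demo_root/mysql.php"
printf '%s\n' \
  '203.0.113.5 - - [12/Sep/2020:10:01:02 +0000] "POST /downloader/ HTTP/1.1" 200 512' \
  '198.51.100.7 - - [12/Sep/2020:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 2048' \
  > "$demo_root/access.log"
downloader_hits "$demo_root/access.log"
check_store "$demo_root" || echo "No indicators found"
harden_htaccess "$demo_root"
```

Run it against a real store by replacing demo_root with your document root and the constructed log with your web server's access log; a hit on /downloader/ from an address you do not recognise warrants a closer look at the server.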
Why now is the right time to migrate to Magento 2?
While the steps above can help you prevent attacks in the short term, the preeminent solution is to migrate to the Magento 2 platform.
Since hackers are automating their skimming processes, it's only a matter of time before they find a way to bypass the security gates of Magento 1, and since there won't be future updates for the 1.x branch, the circumstances work in their favor.
Hiring a Magento 2 migration agency that can spare you the complicated migration process helps increase the security of your and your customers' private information, and also protects your brand and business reputation. The latest Magento 2 version, Magento 2.4.0, offers a variety of security features, platform and infrastructure upgrades, as well as performance improvements.
Hire Magento Developers to bypass possible migration obstacles
As the store's security and data are the factors of highest concern, an experienced migration agency should guide your way to a secure and up-to-date store. That way you can invest your time in new business strategies to make the most of your new store. Besides, an experienced Magento company can help you secure your Magento 1 store while the migration is ongoing.
ZenDev has rich experience in helping clients successfully migrate from Magento 1 to Magento 2.
We have helped merchants that operate globally with thousands of products in their stores. Our team of experts can help you identify the best migration solutions for your specific business requirements, as well as fully automate the integration of your ERP, PLM, CRM and other systems with your new Magento 2 store.
If you would like to have a free consultation to discover migration possibilities, feel free to contact us! We would like to get to know you and talk about ideas to secure your online store.