Magento 1 eCommerce Sites Security Vulnerabilities

mage-cart-hacker

Magento 1 eCommerce Sites Security Vulnerabilities

Back in June of this year, Magento 1 had its End of Life (EOL) which had a lot of businesses scrambling to figure out their best options while risking the chance of security vulnerabilities that the Magento 1 EOL opened up.
Whenever security risks are mentioned, it’s something to take seriously.

Thousands of online stores that operate using Magento software experienced a successful cyberattack since summer 2020. Here are some of the news headlines and updates from technology and cybersecurity research companies and publishers:

Update Sept 18: Cardbleed has infected 2806 Magento1 stores so far (3% of total install base).

Over the weekend, almost two thousand Magento 1 stores across the world have been hacked in the largest documented campaign to date. It was a typical Magecart attack: injected malicious code would intercept the payment information of unsuspected store customers. Inspected stores were found running Magento version 1, which was announced End-Of-Life last June. (1)

Over 2800 e-Shops Running Outdated Magento Software Hit by Credit Card Hackers(2)

Magecart Group 12: End of Life Magento Sites Infested with Ants and Cockroaches(3)

What is Magecart?

Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it’s a sophisticated implant built on top of relays, Command and Control services, anonymizers used to steal eCommerce customers’ credit card information. The first stage is typically implemented in Javascript included in a compromised checkout page. It copies data from “input fields” and send them to a relay that collects credit cards coming from a subset of compromised eCommerce sites and forwards them to Command and Control servers.

The term Magecart is not an official group, but rather a label for a set of tactics. The cybercriminals look for ways to exploit ecommerce software to steal credit card numbers and other personal customer information. This is usually done by capturing customer data as it’s entered into web forms for payment.

Unfortunately for those on the Magento platform, according to an October 2020 report by independent cybersecurity company Foregenix (5), 55% of Magento 2 sites are at a high or critical security risk level.

Some common security risks seen on Magento include server attacks, credit card hijacking, website defacement, and botnetting. All of these risks are only compounded now that Magento 1 is no longer supported. The reason? Magento is no longer creating updates or issuing security patches for the product.

Although you might be thinking that switching to Magento 2 (if you haven’t already) seems like the easy fix, it might not be. This option is still a complete replatform which means your themes won’t transfer, your M1 extensions won’t work, and some of your data will have to be migrated manually. M1 and M2 have a different architecture which is why this isn’t a simple upgrade.

Another option is to switch platforms altogether and BigCommerce might be the answer. I know you’re probably thinking you might as well stay with the platform you’re used to, but it might not be the case and you could lose out on a better option during a critical time.

With Magento, they’re an open-source platform that has been increasingly making shifts to appear more like a Software as a Service (SaaS) platform by introducing a cloud offering to give merchants the feel of having a single vendor. BigCommerce is already uniquely positioned as an open SaaS platform for easy use. This allows merchants to achieve customization and integrations that had historically only been possible using an on-premise open-source platform.

BigCommerce

  • With BigCommerce, there’s no installation or integration fees and no downtime with each upgrade.
  • When BigCommerce rolls out and update that enables a new feature, merchants will have access to it immediately and can control when or if they want to enable that new feature.
  • Over 90% of the BigCommerce is exposed via APIs. This, along with pre-built integrations and an open checkout, allow you to adapt the platform to your exact needs.

Magento

  • Keeping up with the security patches AND version updates necessary to have the latest secure version of Magento is time-consuming and labor-intensive.
  • The more customization a merchant makes, the harder their Magento store becomes to maintain.
  • Access to the source code means you have the ability to customize extensively; however, you may be limited by the cost and the complexity introduced.

Make the switch today and get rid of the security headaches with the best ecommerce platform out there; plus, get a 4-month FREE trial to make sure it’s the right choice for you!

References

  1. “Cardbleed: a massive Magento1 hack – Sansec.” 14 Sep. 2020, https://sansec.io/research/cardbleed.
  2. “Over 2800 e-Shops Running Outdated Magento Software Hit ….”, https://thehackernews.com/2020/11/over-2800-e-shops-running-outdated.html.
  3. “Magecart Group 12: End of Life Magento Sites Infested with ….”, https://www.riskiq.com/resources/research/magecart-ant-and-cockroach-skimmer/.
  4. “magecart (Malware Family) – Malpedia”, https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart.
  5. “Magento Website Security Report”, https://f.hubspotusercontent00.net/hubfs/464751/Assets/Report/Foregenix-Magento_Security_Report-20201005.pdf
Igor Nesmyanovich, Ph.D., CISSP
igor@eradium.com

Igor Nesmyanovich, Data Scientist and CEO of Eradium. Igor began his career as a space scientist, and for the more than two decades applied the unique art of science to the emerging digital world. Igor is a Certified Information Systems Security Professional since 2004. Today Igor’s focus is on helping clients to accelerate business growth with technology innovations by solving challenging problems at the intersection of marketing, science, and technology.