In today's digital age, ecommerce enterprises are thriving, offering convenience and worldwide accessibility to customers. However, as their growth persists, so does the increased susceptibility to cyber threats. Adobe Commerce and Magento Open Source / Community stand out as the foremost ecommerce platforms, and consequently, they face a substantial proportion of cyber-attacks. Any such attack results in substantial disruptions to regular operations, potentially leading to data breaches, damage to their reputation, and the possibility of legal consequences, greatly impacting the website owners.
In this blog post, we will focus on Adobe Commerce / Magento Community platforms.
There are many ways an ecommerce platform can be targeted for exploitation. Some of the most common are:
Cross-Site Scripting (XSS) is a type of cyberattack that involves injecting malicious scripts (usually written in JavaScript) into web pages viewed by other users. It occurs when a web application allows untrusted data to be included in a web page that is then served to other users. XSS attacks can have serious consequences, including data theft, session hijacking, and the delivery of malware to users. Around 40% of the attacks are of this type.
According to CVE Details, code execution is the next most common attack on Magento stores after XSS, with a 24% share. Through this attack, an attacker can execute malicious code on the Magento server. In a Remote Code Execution (RCE) attack, the attacker typically exploits a vulnerability in the target software to gain unauthorized access to, and control over, the system. This type of attack can have severe consequences and is considered one of the most critical and dangerous security threats.
Cross-Site Request Forgery (CSRF) attacks are the next most common attacks on Magento stores. Here, attackers trick a user into making an unwanted or malicious request to a web application on which the user has an active session. CSRF attacks take advantage of the trust that a web application has in an authenticated user's browser. A missing CSRF token on POST or GET requests makes it easy for attackers to bypass this protection by forging requests on the user's behalf.
CSRF attacks can result in a wide range of consequences, such as changing account settings, unauthorized financial transactions, data modification or deletion, and more.
In a SQL Injection attack the attacker manipulates the application's input data to inject malicious SQL (Structured Query Language) code into the application's database. This code is then executed by the database, potentially giving the attacker unauthorized access to, or control over, the database and the data it contains. SQL Injection attacks are a common and serious security threat, particularly in web applications that don't properly validate or sanitize user inputs.
Brute Force Attacks are a type of cyberattack in which an attacker attempts to gain access to a system or an account by systematically trying all possible combinations of usernames and passwords until the correct one is discovered. To speed this up, the tools used may rely on dictionaries of common passwords to get easy access to your website. Brute force attacks are simple yet time-consuming methods of cracking passwords or gaining unauthorized access to secure systems, and they are often used when other, more sophisticated methods fail.
In payment card skimming attacks, as the name suggests, attackers try to covertly steal the details of payment cards used on your website. The attackers install malware so that payment details are recorded on the attacker's server or on the local server; if recorded on the local server, this information is retrieved periodically. This kind of attack is hard to detect and can go unnoticed for a long time.
By the time it can be discovered, the attackers may have already caused considerable damage to your brand image and website.
Carding attacks use stolen credit cards and personal information to place orders on websites in order to filter out the valid ones. Here the website is used as a tool to validate stolen credit cards (a successfully placed order confirms the card works), which are then used elsewhere. Our website becomes an unwilling participant in the perpetration of the crime.
In malicious redirect attacks, hackers insert code that redirects visitors to phishing or malware sites, and lure visitors to these redirects through spam emails. Redirecting a user to a page with the intention of displaying content other than what the search engine crawler can access is against Google's guidelines for webmasters. The consequences for ecommerce businesses are dire: loss of SEO ranking, loss of customer trust and a damaged reputation.
An XML External Entity (XXE) attack (sometimes called an XXE injection attack) is a type of attack that abuses a widely available but rarely used feature of XML parsers. Using XXE, an attacker can cause Denial of Service (DoS) as well as access local and remote content and services. XXE can be used to perform Server Side Request Forgery (SSRF) inducing the web application to make requests to other applications. In some cases, XXE may even enable port scanning and lead to remote code execution.
Insecure deserialization is a security vulnerability that occurs in web applications and software when they improperly handle or trust data that is being deserialized from an untrusted source. Deserialization is the process of converting data, often in the form of serialized objects, back into its original form or data structure. This vulnerability can lead to various security issues, including remote code execution and unauthorized access to sensitive data. Insecure deserialization occurs when an application implicitly trusts the serialized data without proper validation. Attackers can manipulate the data being deserialized, introducing malicious code or data.
Insecure deserialization is a critical security issue that can have severe consequences, and it's important to implement security best practices to prevent and mitigate this vulnerability.
The following are some of the tell-tale signs that the site has been hacked.
Now that we are sure that the site has been hacked, what is the next action item? Since we do not know at the outset how the hack happened, the following is the list of things we need to perform. While there are many online tools that can help us, it is best to reach out to a Magento expert. The need of the hour is to fix the hack and get back to normal business.
We need to change credentials for all admin accounts and other accounts that are used to log into the site (not the customer accounts). These include Magento admin accounts, SFTP accounts, Linux user accounts, and MySQL credentials. This would be the first step to limit the damage.
Create a backup of the site in its current state so that we can do a deeper analysis of the issue later. If needed, we can run forensic scans on the image backup.
Initiate a security scan so that we know what gaps exist as of now. Using a scanner provides a list of loopholes that need to be plugged. The following are some of the popular scanners in the market that can help you.
Adobe's Security Scan tool can scan the site to identify flaws and alert you to the patches that are needed. Refer to https://experienceleague.adobe.com/docs/commerce-admin/systems/security/security-scan.html for more information. Please note this is available only for Adobe Commerce and needs a Commerce account.
Magereport is another site that can scan a Magento site, report any potential known vulnerabilities and make recommendations. This is a FREE tool. It validates against core Magento and not against any custom code that has been written.
Sucuri is a generic tool, useful for testing the website's various components and for a quick analysis of the site against common online threats.
Foregenix's scanner tests the site and provides a high-level report.
Patch Tester is designed to check whether the Magento store is vulnerable to the latest security risks.
Mage Scan is not an online scanner; instead, you have to install it on your server. If you need to test an intranet Magento site, Mage Scan is a good choice.
Acunetix is an enterprise-ready web-based vulnerability scanner that doesn't slow down the site during a scan. It offers a comprehensive security scan covering not just Magento-specific issues but the website as a whole. It can generate PCI DSS, HIPAA and OWASP Top 10 reports if needed.
Next, check the users on your website. Sometimes hackers gain unauthorized access to your website and add themselves as a user, which is why it is necessary to audit your user accounts. Find and remove rogue users in the admin table.
There are many vectors for attacks. At the outset we should check the core files.
config.php and env.php are important files for a Magento installation. They are part of the Magento 2 deployment configuration and consist of shared and system-specific configuration installed by Magento 2. These files facilitate the connection between the file system and the database. env.php contains the database connection credentials. In addition to this, it can also be used for:
app/etc/config.php is an automatically generated file that stores the list of installed modules, themes, and language packs as well as shared configuration.
Make a backup of the files above, as hackers can encrypt them completely. Restoring them from backup alleviates the issue at hand.
Configuration changes for Magento can also be made using .htaccess files, which allow users to override the main settings defined in httpd.conf/apache.conf.
The instructions in a .htaccess file apply to the directory that contains it and its subdirectories. The .htaccess file also lets you modify how the website is accessed. In addition, .htaccess is available for:
If this powerful file is compromised, an attacker can use it to send spam, and .htaccess files can be injected with malicious rules that redirect users.
In addition to the files above, Magento also stores configuration in the core_config_data table. Take a backup of the table and compare it with the known entries. If there are any suspicious entries, mark them for analysis and revert them to the original values. For an example, see the image below: in the Magento admin this entry is either collapsed or shown in a small text area, so only white space is visible and it appears as if nothing is there. Expanding the text area reveals the offending code.
Check the database for any unknown / unrecognized changes in the static blocks, blog posts or pages on the site. Some of the tables are cms_block and cms_page.
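The two database checks above can be automated over a dump rather than eyeballed in the admin. The script below is an added example, not Kensium's tooling or part of the original post: it reads a tab-separated id/path/value dump (the `mysql -N -e` command in the comment and the database name are assumptions) and flags rows that contain script or obfuscation tokens, or that start with escaped newlines and spaces so the payload sits below the visible edge of the text area. The same function works on a dump of `identifier`/`content` from cms_block or cms_page, since it only looks at the third column.

```shell
#!/bin/sh
# Scan a core_config_data dump for injected markup and for values padded with
# leading whitespace (the trick that hides the payload below the visible edge
# of the admin text area). Assumes a tab-separated dump made with something
# like this (magento_db is a placeholder database name):
#   mysql -N -e 'SELECT config_id, path, value FROM core_config_data' magento_db > dump.tsv
# In batch mode mysql escapes embedded newlines as the two characters \n.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
DUMP="$WORKDIR/core_config_data.tsv"

# Constructed sample rows: one clean entry, one obfuscated script injection,
# and one footer value hidden behind eight escaped newlines.
printf '%s\t%s\t%s\n' \
  12 design/head/includes '<link rel="stylesheet" href="/css/site.css">' \
  57 design/head/includes '<script>eval(atob("Li4u"))</script>' \
  93 design/footer/absolute_footer \
  '\n\n\n\n\n\n\n\n<img src="https://cdn-stats.example/px.gif">' > "$DUMP"

# Print "config_id path reason" for every suspicious row in the dump $1.
# Exit status is 0 even when nothing is found, so callers can use set -e.
scan_config_dump() {
  awk -F'\t' '
    {
      if ($3 ~ /<script|<iframe|eval\(|atob\(|fromCharCode|base64_decode|document\.write/)
        print $1, $2, "suspicious-token"
      if ($3 ~ /^(\\n|\\r|\\t| )+[^ \\]/)
        print $1, $2, "leading-padding"
    }' "$1"
}

scan_config_dump "$DUMP"
```

Rows it reports should be compared against the last known-good backup of the table before being reverted, since legitimate head/footer includes also contain markup.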
We often find new files that are not usually present. Check for the presence of new files, and do not restrict the search to particular file extensions: some hacks are hidden in image files, so a seemingly harmless "png" or "webp" file can in fact contain malicious code that gets executed.
Run the deployment commands so that static files are regenerated. It is better to delete the static folder before running the deployment commands.
Based on the issue area, use the browser's Inspect (Network) tab to monitor all outbound requests being made. If we find any unknown or unrecognized domains, we need to block them by reaching out to the hosting provider, and we also need to find the origin of the request in the code.
Check the code base and the database for any obfuscated code or entries. We can use the phpMyAdmin tool to connect to the database and check for the same.
If you are subscribed to services like Hotjar or Noibu, we recommend reviewing client sessions. There we can see the exact behavior and link it to the corresponding JS files.
It is highly recommended that the files present on the site are compared with a clean copy, which is usually available in the git repository or in previous backups (provided the infected files were not backed up). Any variance in files, for example in theme files or vendor code, should be investigated and a determination made.
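As an added example (not from the original post) of the file check just described: the script below finds files under a media directory whose extension claims to be an image but whose content carries a PHP open tag, and separately lists files modified since a reference timestamp file. The `pub/media` layout, the stamp file and the three sample files are constructed for the demo.

```shell
#!/bin/sh
# Flag image-named files that contain a PHP open tag, and list files changed
# since a reference timestamp file (for example one touched at the last clean
# deploy). Directory layout and sample files are constructed for this demo.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
ROOT="$WORKDIR/pub/media"
STAMP="$WORKDIR/last-clean-deploy.stamp"
mkdir -p "$ROOT/catalog" "$ROOT/wysiwyg"

# Constructed samples: a genuine PNG header, a ".webp" that is plain PHP, and
# a PNG with PHP appended after the image data.
printf '\211PNG\r\n\032\n' > "$ROOT/catalog/logo.png"
printf '<?php echo "not an image"; ?>' > "$ROOT/wysiwyg/banner.webp"
{ printf '\211PNG\r\n\032\n'; printf '<?php /* appended */ ?>'; } > "$ROOT/wysiwyg/hero.png"
# Backdate the clean file and the stamp to the (pretend) last clean deploy.
touch -t 202001010000 "$STAMP" "$ROOT/catalog/logo.png"

# Print every image-named file under $1 that contains "<?php" or "<?=".
find_php_in_images() {
  find "$1" -type f \( -iname '*.png' -o -iname '*.jpg' -o -iname '*.jpeg' \
      -o -iname '*.gif' -o -iname '*.webp' -o -iname '*.svg' -o -iname '*.ico' \) \
      -exec grep -laE '<[?](php|=)' {} + | sort
}

# Print files under $1 modified more recently than the reference file $2.
files_newer_than() {
  find "$1" -type f -newer "$2" | sort
}

find_php_in_images "$ROOT"
files_newer_than "$ROOT" "$STAMP"
```

A hit from the first function is only dangerous if the web server will execute it, so the finding should go together with a check that PHP execution is disabled for the media directory.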
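The Network tab shows outbound requests one session at a time; the script below complements it by pulling every external hostname out of the deployed front-end files and reporting the ones missing from an allowlist of known-good domains. It is an added example, not part of the original post: the `pub/static` contents, the allowlist file and the tampered bundle are all constructed for the demo.

```shell
#!/bin/sh
# List external hostnames referenced from deployed front-end files and report
# those absent from a known-good allowlist (one hostname per line). The static
# files and the allowlist are constructed for this demo.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
STATIC="$WORKDIR/pub/static/frontend"
ALLOW="$WORKDIR/known-good-hosts.txt"
mkdir -p "$STATIC"

# Constructed samples: a theme script using approved hosts, and a bundle that
# has been tampered with to also call out to an unknown host.
cat > "$STATIC/theme.js" <<'EOF'
var s = document.createElement('script');
s.src = 'https://cdn.example-store.com/js/app.js';
fetch('https://api.example-store.com/v1/cart');
EOF
cat > "$STATIC/requirejs-config.min.js" <<'EOF'
require.config({paths:{ga:"https://www.google-analytics.com/analytics"}});
(function(){var i=new Image();i.src="https://stats-collector.example/p";})();
EOF
printf '%s\n' cdn.example-store.com api.example-store.com www.google-analytics.com > "$ALLOW"

# Unique hostnames found in http(s):// or protocol-relative // URLs under $1.
referenced_hosts() {
  grep -rhoE '(https?:)?//[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" \
    | sed -E 's#^(https?:)?//##' | sort -u
}

# Hostnames referenced under $1 that do not appear in the allowlist $2.
unknown_hosts() {
  referenced_hosts "$1" | grep -vxF -f "$2" || true
}

unknown_hosts "$STATIC" "$ALLOW"
```

Run it against the regenerated static folder as well as a dump of cms_block and cms_page content, since injected loaders often live in the database rather than on disk.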
Once the infection or malware is cleaned out, we need to smoke test just to make sure the critical path is working. This is to ensure that our cleaning efforts have not affected the site’s functionality.
Now that the immediate threat has been resolved, we suggest that a complete security audit of the site be executed by Magento experts who have insight into the security aspects of Magento. The average Magento developer is NOT tuned to the security aspects of a Magento site.
This audit would provide a list of gaps and the rectification for each. It is highly recommended that the system be updated so that all the gaps are patched.
In the continuously evolving cyber threat landscape, organizations should prioritize cyber resilience to safeguard their operations. Protecting an ecommerce store from cyber threats requires a comprehensive approach to cybersecurity. Kensium helps you leverage Adobe Commerce, formerly known as Magento, to scale your business and maximize operational efficiency. Our expert Maintenance Support Services team performs monthly monitoring and reporting, and recommends best practices to protect your Magento store from cyber threats. With training provided by Kensium experts you can bolster your organization's digital defenses, build a resilient future, and ensure a secure and thriving ecommerce store.
Take proactive steps towards safeguarding your ecommerce business’s cyber resilience by scheduling a call today.