Sansec reports new Magento 1 hackPradip Shah
Over the weekend of Sept 11, 2020, Sansec reported a web skimming attack on Magento 1 stores. It was the largest single day automated attach recorded by Sansec.
What are skimming attacks?
“Skimming” attacks are malicious code added to your website so when a site visitor is entering any personal information including credit card, the content is “skimmed” and sent to the attacker.
The website looks completely normal.
Some attacks are also called “Magecart” attacks.
In Magento we see 2 popular ways
- Break the admin password and upload content to “Miscellaneous Header” or “Miscellaneous Footer” sections.
The current attack is of the second variety.
Stores on luroConnect were not attacked!
luroConnect has many rules that helped prevent this attack from affecting any of our Magento 1 websites.
Rule 1 : “/downloader” URL is not accessible on any live or staging website. We expect code to be deployed through git and expect the developer to use a manual process to install modules. We disallow magento connect based installation in any of our managed websites.
Rule 2 : Our web directory owner and hosting users are different. Hosting user is the user php code runs as. Moreover, /skin folder is not writable by the hosting user.
Rule 3 : We use a static minifier and deploy the code to a folder skin.min which is not in git. The /skin folder itself is never used.
Rule 4 : Staging and dev environments are protected using a HTTP Basic Authentication. Automated attack vectors would need to add a password guesser before they can reach the staging URLs. This is assuming a developer would have relaxed permissions in the dev environment.
Rule 5 : Our platform bars ssh access to the hosting user. This prevents any accidental change in permissions being permanent. Even in the rare case ssh access is given (for debugging purposes), upon relinquishing the access, we sanitize the environment with default permissions.
How to protect your store?
One of the best ways is to sign up for Sansec’s security scanner eComscan
luroConnect is a very secure platform for Magento hosting. We call it layered security – from a secure file system and strict folder permissions, to an inbuilt WAF with configurable rules to partnering with Sansec for security scans.
We host you on your cloud or physical hardware using our stack. Learn more about our plans here.