Sansec reports new Magento 1 hack
Over the weekend of Sept 11, 2020, Sansec reported a web skimming attack on Magento 1 stores. It was the largest single day automated attach recorded by Sansec.
What are skimming attacks?
“Skimming” attacks are malicious code added to your website so when a site visitor is entering any personal information including credit card, the content is “skimmed” and sent to the attacker.
The website looks completely normal.
In September 2018, British Airways revealed that 380,000 passenger information had been skimmed from the website. The modus operandi for this attack was access to the code (possibly the version control of a 3rd party javascript module used on the website). The attack went undetected for months.
Some attacks are also called “Magecart” attacks.
In Magento we see 2 popular ways
- Break the admin password and upload content to “Miscellaneous Header” or “Miscellaneous Footer” sections.
- Upload a php code file which in turn loads the real malicious code in javascript in the page – either directly into the page or modify a known javascript file.
The current attack is of the second variety.
Stores on luroConnect were not attacked!
The attack as described by Sansec in the article used the Magento connect to bypass Magento admin and upload malicious code in javascript files to facilitate skimming of credit card information.
luroConnect has many rules that helped prevent this attack from affecting any of our Magento 1 websites.
Rule 1 : “/downloader” URL is not accessible on any live or staging website. We expect code to be deployed through git and expect the developer to use a manual process to install modules. We disallow magento connect based installation in any of our managed websites.
Rule 2 : Our web directory owner and hosting users are different. Hosting user is the user php code runs as. Moreover, /skin folder is not writable by the hosting user.
Rule 3 : We use a static minifier and deploy the code to a folder skin.min which is not in git. The /skin folder itself is never used.
Rule 4 : Staging and dev environments are protected using a HTTP Basic Authentication. Automated attack vectors would need to add a password guesser before they can reach the staging URLs. This is assuming a developer would have relaxed permissions in the dev environment.
Rule 5 : Our platform bars ssh access to the hosting user. This prevents any accidental change in permissions being permanent. Even in the rare case ssh access is given (for debugging purposes), upon relinquishing the access, we sanitize the environment with default permissions.
How to protect your store?
One of the best ways is to sign up for Sansec’s security scanner eComscan
luroConnect is a very secure platform for Magento hosting. We call it layered security – from a secure file system and strict folder permissions, to an inbuilt WAF with configurable rules to partnering with Sansec for security scans.
We host you on your cloud or physical hardware using our stack. Learn more about our plans here.
