During the weekend of September 11th 2020, a large number of webshops still running on Magento 1 were hacked. After the official End-of-Life of Magento 1 in June 2020, it was well known that webshops still running on Magento 1 would be at serious risk. While a security breach was expected at some point, it wasn’t expected to be on the scale of this hacking campaign.
What happened exactly?
Sansec, a Dutch online security company, detected the various security breaches through its early detection system. They were one of the first to publicly announce the vulnerability, and we at MultiSafepay immediately took the risks involved very seriously and started our own investigations. From September 11-14, 1904 webshops operating on Magento 1 were hacked. By injecting malicious code into the checkout section of a webshop, the criminals responsible for the hack managed to skim payment information entered by consumers. In other words, the hackers took over the checkout page, so consumer data and credit card data were sent to the hackers before customers could reach the actual payment page and complete the payment.
The consumer is misled by the initial payment form and has unknowingly provided all their credit card details to the hackers.
Jasper Nadi, Senior Developer at MultiSafepay, describes the immediate actions we took in response to the hack:
“As soon as we got notified of this attack happening, we started investigating our merchants to check if they were vulnerable to the CardBleed attack or whether they already were attacked. Luckily, with swift action from all departments involved, we have been able to communicate promptly with Magento 1 users and to actively monitor the situation for our merchants.”
Vulnerability of Magento 1
Since Adobe officially ended support for Magento 1 in June 2020, the platform has increasingly become a liability for merchants, consumers and payment service providers.
The main consequence of the end of Magento 1 was that Adobe no longer released any quality fixes or security patches. This resulted in a substantial increase in potential data breaches due to unfixed vulnerabilities. As expected, it didn’t take hackers long to find a weakness in many Magento 1 stores and take advantage of it.
Therefore, we strongly advise webshops, as always, but now even more importantly, to actively protect their webshop and to take additional measures, such as scanning their webshop for any known vulnerabilities, opting in to third-party security patches via Mage-One or similar providers, integrating software scan packages like those Sansec offers, and actively following the latest news on potential security vulnerabilities. On top of that, we urge you to verify that you are not susceptible to this type of attack.
Getting the situation under control
In situations like these, it is essential to move swiftly and prevent any (further) damage as our partners, merchants and their consumers rely on us to safely handle payments and consumer data.
Having discovered that the standard URL Magento uses to install programs makes it an easy and vulnerable target for attacks, we quickly set up a campaign to safeguard our merchants’ and their consumers’ data through several steps.
As it turned out, this particular vulnerability could be easily closed by disabling public access to the webshop's downloader folder, renaming it or removing it completely.
Through the quick action of the many teams involved, our partners and the merchants themselves, the situation is now under control.
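A server-side check for the downloader folder mitigation described above, as an added example that is not MultiSafepay's or Magento's own code. It assumes the folder sits at `downloader/` under the docroot and that access is restricted with an Apache `.htaccess` file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the downloader folder of a Magento 1 docroot.
# Heuristic only: it reads downloader/.htaccess (Apache) and cannot see
# restrictions set in the vhost, in nginx, or on a firewall/WAF, and it does
# not tell a blanket deny from one scoped inside a <Files> section.

# Prints one of: absent | restricted | exposed
downloader_status() {
    dir="$1/downloader"
    # Removed or renamed: nothing is served under the default path.
    [ -d "$dir" ] || { echo absent; return 0; }
    ht="$dir/.htaccess"
    # Look for a deny rule (Apache 2.4 or 2.2 syntax), ignoring comment lines.
    if [ -f "$ht" ] && grep -v '^[[:space:]]*#' "$ht" |
        grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)'; then
        echo restricted
    else
        echo exposed
    fi
}

# Audit every docroot passed as an argument; returns 1 if any is exposed.
audit_docroots() {
    rc=0
    for root in "$@"; do
        st=$(downloader_status "$root")
        printf '%s\t%s\n' "$st" "$root"
        if [ "$st" = exposed ]; then rc=1; fi
    done
    return "$rc"
}

# Usage: sh check_downloader.sh /var/www/shop1 /var/www/shop2
# (the script name and paths are placeholders)
if [ "$#" -gt 0 ]; then audit_docroots "$@"; fi
```

A `restricted` result should still be confirmed by requesting the path from outside the network, since a later server rule can override the `.htaccess` file.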
In the future
Our first priority at MultiSafepay has always been safety, especially in a situation such as this one.
This situation, however, provided another learning point, namely that the payment industry in some cases still needs to explain the responsibility we as the ecommerce industry have towards the consumer market.
As merchants place their trust in payment service providers to provide safe environments to process payments of their consumers, it is imperative that the shop itself also offers a safe environment. Therefore, we cannot emphasize enough the relevance of regular scans, third-party security patches and other safety measures.
If you have any questions or want to join us, please feel free to contact us.