Over the past decade ecommerce has steadily influenced consumers’ shopping patterns and behaviors. And the COVID-19 pandemic has accelerated this transition and has driven even the most loyal of offline shoppers to rely on online stores and payments. This surge in traffic to ecommerce platforms has made them attractive targets for threat actors and scammers.
Within the first 15 days of 2021, CloudSEK’s flagship digital risk monitoring platform XVigil has identified ~50 threats to ecommerce sites across the world. We have observed threat actors flooding underground and hacking forums with data dumps, admin access, and SQL Injection vulnerabilities to online stores across the world. And what stands out is that many of these platforms are built on Magento. Out of the 50 threats to ecommerce sites, 20% of them affect shops running on Magento.
What is Magento?
Ecommerce businesses, much like any other business, require customer-facing or front-end components and back-end components to perform functions such as accounting, inventory management, customer service, etc. And instead of creating each of these components and integrations from scratch, businesses rely on platforms such as Magento, Shopify, PrestaShop and others.
Magento, which was acquired by Adobe in 2018, is a PHP based open-source ecommerce platform. It provides online businesses a flexible shopping cart system and allows them to build and customize their store along with additional features such as search engine optimization, marketing, and content management. Since its launch in 2007, Magento has emerged as a preferred ecommerce platform with ~200,000 live sites running on it worldwide, and ~500,000 sites that have used it historically.
Rise in Attacks Against Magento Shops
CloudSEK has observed a marked increase in threat actors trying to sell administrative level access to Magento shops, on underground forums and dark web markets. As seen in the examples below, the posts have some common features:
- The posts only mention the regions and ecommerce categories, but not the names of the ecommerce shops to which access is being sold.
- The pricing of each shop is between $500 – $2000, for which buyers have to bid. The cost is usually based on:
  - Ecommerce category
  - Orders per day
  - Alexa rank
It is likely that threat actors are exploiting zero days and publicly disclosed vulnerabilities in Magento to gain access to the ecommerce shops. Past campaigns have relied heavily on the “Shoplift” bug (CVE-2015-1397) to compromise shops.
Associated Vulnerability Disclosures
Our investigation shows that the rise in the number of attacks can be attributed to the availability of public exploits and the existence of unpatched internet-facing systems that are running vulnerable versions of Magento. Listed below are critical vulnerabilities reported in 2020:
| Vulnerability | Description |
|---|---|
| CVE-2020-9576 | Remote Code Execution (RCE) |
| CVE-2020-9578 | Remote Code Execution (RCE) |
| CVE-2020-9582 | Remote Code Execution (RCE) |
| CVE-2020-9583 | Remote Code Execution (RCE) |
| CVE-2020-9579 | Remote Code Execution (RCE) |
| CVE-2020-9580 | Remote Code Execution (RCE) |
| CVE-2020-9689 | Path traversal leading to RCE |
| CVE-2020-9692 | Remote Code Execution (RCE) |
| CVE-2020-9690 | Signature verification bypass |
Upgrade to the Latest Version of Magento
A similar trend was observed during the first half of 2020, when the Magecart campaign targeted shops running on Magento. In this attack, threat actors injected unique skimmer codes into checkout pages to steal sensitive customer information, including credit card details. To impede such concerted efforts by threat actors, it is important to patch any vulnerabilities and upgrade to the latest version of Magento, at the earliest.
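Patching closes the door the skimmer came in through, but a store owner also wants to notice when checkout-page JavaScript changes. The following monitor is an added example, not CloudSEK's or Magento's code: it keeps a baseline of the inline scripts (by SHA-256 of their whitespace-normalised body) and an allowlist of external script hosts that legitimately appear on the checkout page, then reports any script not covered by that baseline. The checkout HTML, the host names and the baseline contents are all constructed for the example; a real deployment would fetch the live page on a schedule and alert on the findings.

```python
"""Baseline-and-diff monitor for <script> tags on a checkout page.

Added example (not CloudSEK's or Magento's code). Assumes the defender has
reviewed the checkout page once and recorded (a) the hosts external scripts
may be loaded from and (b) the hashes of accepted inline scripts. A fresh
copy of the page is compared against that baseline; anything outside it is
returned so it can be alerted on and investigated.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external script src URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of <script src=...>
        self.inline = []        # body text of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":     # HTMLParser lowercases tag names
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # Script bodies arrive in CDATA mode, possibly in several chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def inline_hash(body: str) -> str:
    """SHA-256 of the script body with whitespace collapsed, so that a
    re-indented but otherwise unchanged script does not raise an alert."""
    normalised = " ".join(body.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def audit_checkout_page(html: str, allowed_hosts: set, known_inline_hashes: set) -> dict:
    """Return the external script URLs and inline script hashes on the page
    that are not covered by the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()

    unexpected_external = []
    for src in collector.external:
        host = urlparse(src).netloc.lower()
        # Relative URLs (no host) are same-origin, i.e. first-party assets.
        if host == "":
            continue
        if host not in allowed_hosts:
            unexpected_external.append(src)

    unexpected_inline = [
        h for h in (inline_hash(body) for body in collector.inline)
        if h not in known_inline_hashes
    ]
    return {"external": unexpected_external, "inline": unexpected_inline}


# Constructed sample page: a first-party script, a script from the store's own
# CDN, an accepted inline config script, and then two additions the baseline
# does not know about (an external script from an unknown host and a new
# inline script). Host names are placeholders.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/frontend/requirejs/require.js"></script>
<script src="https://cdn.example-store.test/js/checkout.js"></script>
<script>
  window.checkoutConfig = {"quoteId": "placeholder"};
</script>
<script src="https://static.unknown-host.test/analytics.js"></script>
<script>
  document.addEventListener("submit", function () { /* unexpected inline code */ });
</script>
</head><body></body></html>
"""

ALLOWED_HOSTS = {"cdn.example-store.test"}


def build_baseline() -> set:
    """Hashes of inline scripts the defender has reviewed and accepted."""
    return {inline_hash('window.checkoutConfig = {"quoteId": "placeholder"};')}


if __name__ == "__main__":
    findings = audit_checkout_page(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, build_baseline())
    for src in findings["external"]:
        print("unexpected external script:", src)
    for digest in findings["inline"]:
        print("unexpected inline script sha256:", digest)
```

Run against the sample it flags the unknown external host and the one inline script whose hash is not in the baseline, while the first-party, CDN and accepted inline scripts stay silent. Legitimate deployments change the page too, so the baseline has to be re-recorded after each release; the point is that a change nobody deployed becomes visible rather than going unnoticed until card data turns up for sale.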