Rising Attacks Against Ecommerce Sites Built on Magento

Summary

CloudSEK reviews the increase in threat actors targeting websites built on Magento, trying to sell administrative level access to such shops.
Over the past decade ecommerce has steadily influenced consumers’ shopping patterns and behaviors. And the COVID-19 pandemic has accelerated this transition and has driven even the most loyal of offline shoppers to rely on online stores and payments. This surge in traffic to ecommerce platforms has made them attractive targets for threat actors and scammers. Within the first 15 days of 2021, CloudSEK’s flagship digital risk monitoring platform XVigil has identified ~50 threats to ecommerce sites across the world. We have observed threat actors flooding underground and hacking forums with data dumps, admin access, and SQL Injection vulnerabilities to online stores across the world. And what stands out is that many of these platforms are built on Magento. Out of the 50 threats to ecommerce sites, 20% of them affect shops running on Magento.   

What is Magento?

Ecommerce businesses, much like any other business, require customer-facing or front-end components and back-end components to perform functions such as accounting, inventory management, customer service, etc. And instead of creating each of these components and integrations from scratch, businesses rely on platforms such as Magento, Shopify, PrestaShop and others.  Magento, which was acquired by Adobe in 2018, is a PHP based open-source ecommerce platform. It provides online businesses a flexible shopping cart system and allows them to build and customize their store along with additional features such as search engine optimization, marketing, and content management. Since its launch in 2007, Magento has emerged as a preferred ecommerce platform with ~200,000 live sites running on it worldwide, and ~500,000 sites that have used it historically.    Magento usage statistics from Builtwith Magento usage statistics from Builtwith  
Usage by Country
Usage by Ecommerce Category
Country
Magento Instances
India 2,692 Fashion 5,047
United States 82,477 Shoes 4,529
UK 15,649 Furniture 2,535
Canada 2,873 Apparels 2,399
Australia 5,674 Groceries and Food 2,049
Germany 13,303 Jewellery 1,802
Netherlands 11,880 Medicine 1,735
 

Rise in Attacks Against Magento Shops

CloudSEK has observed a marked increase in threat actors trying to sell administrative level access to Magento shops, on underground forums and dark web markets. As seen in the examples below, the posts have some common features:
  • The posts only mention the regions and ecommerce categories, but not the names of the ecommerce shops to which access is being sold.
  • The pricing of each shop is between $500 - $2000, for which buyers have to bid. The cost is usually based on:
    • Region
    • Ecommerce category
    • Revenue
    • Orders per day
    • Alexa rank
  • The pricing of each shop is between $500 - $2000. 
Magento Shop Argentina Magento USA Shop Magento USA Magento sale It is likely that threat actors are exploiting zero days and publicly disclosed vulnerabilities in Magento, to gain access to the ecommerce shops. Past campaigns have heavily relied on “shoplift bug CVE-2015-1397” to compromise the shops.  

Associated Vulnerability Disclosures 

Our investigation shows that the rise in the number of attacks can be attributed to the availability of public exploits and the existence of unpatched internet-facing systems that are running vulnerable versions of Magento. Listed below are critical vulnerabilities reported in 2020:  
Vulnerability
Description
CVE-2020-9576 Remote Code Execution (RCE)
CVE-2020-9578 Remote Code Execution (RCE)
CVE-2020-9582 Remote Code Execution (RCE)
CVE-2020-9583 Remote Code Execution (RCE)
CVE-2020-9579 Remote Code Execution (RCE)
CVE-2020-9580 Remote Code Execution (RCE)
CVE-2020-9689 Path traversal leading to RCE
CVE-2020-9692 Remote Code Execution (RCE)
CVE-2020-9690 Signature verification bypass
 

Upgrade to the Latest Version of Magento

A similar trend was observed during the first half of 2020, when the Magecart campaign targeted shops running on Magento. In this attack, threat actors injected unique skimmer codes into checkout pages to steal sensitive customer information, including credit card details. To impede such concerted efforts by threat actors, it is important to patch any vulnerabilities and upgrade to the latest version of Magento, at the earliest. 

Table of Contents

Request an easy and customized demo for free