Ecommerce platforms (cough, Magento) need patching before Black Friday, warns UK's National Cyber Security Centre
You're your own security team, remember?
If you run a small online business powered by the Magento ecommerce platform, Britain's National Cyber Security Centre (NCSC) is begging you to make sure it's fully patched ahead of Black Friday.
"Retailers are urged to ensure that Magento – and any other software they use – is up to date," said the GCHQ offshoot in a statement today, adding it had notified 4,151 online stores that their Magento installations were vulnerable to compromise by criminals.
"The majority of the online shops used for skimming identified by the NCSC had been compromised via a known vulnerability in Magento, a popular e-commerce platform," said the cybersecurity agency.
Magento is one of the more widely used open source e-commerce platforms. Although the company was bought out by Adobe a few years ago and a paid, managed version is available, many SMEs are skipping that to cut costs.
Compromising Magento to steal customers' credit card details is a problem that has lingered for years – and the barrier to entry for this kind of digital crime isn't very high, as Dutch infosec firm Sansec noted last year after spotting a video offering Magento hacking tips for just $5,000.
Willem de Groot, MD of Sansec, told The Register that card-skimming is a real headache around this time of year.
"Every year," he lamented, "Sansec observes an uptick in online skimming incidents in the week before Black Friday. Since 2015, we have discovered more than 60,000 online stores with an injected payment skimmer."
He recommended double-checking that Magento installations are fully up to date (the latest open source version is 2.4.3-p1) and enabling multi-factor authentication on staff accounts – and also encouraged consumers to use so-called "one-time" credit card numbers, which are available through some banks.
NCSC deputy director for economy and society Sarah Lyons said in a canned statement: "We want small and medium-sized online retailers to know how to prevent their sites being exploited by opportunistic cyber criminals over the peak shopping period."
Generic IT advice, including stuff aimed at non-techies, is available on the NCSC website.
Attacks on Magento installations are so popular in the criminal underworld that they spawned an entire industry of card thieves loosely known as Magecart. Magecart gangs mostly target ecommerce platforms, no longer limiting themselves to the Adobe-owned software that proved so lucrative for them.
- Russian hacker selling how-to vid on exploiting unsupported Magento installations to skim credit card details for $5,000
- Badmins: Magento shops brute-forced to scrape card deets and install cryptominers
- Magecart malware merrily sipped card details, evaded security scans on UK e-tailer Páramo for almost 8 months
Infosec firm RiskIQ, one of many vendors tracking Magecart's various Hydra-like incarnations, noted in 2019: "Web skimming goes well beyond Magento. Skimming groups target almost any web environment, including dozens of other online shopping platforms used by stores around the world."
There's one more thing that everyone can do to protect themselves against card fraud during this weekend's US-inspired Black Friday/Cyber Monday shopping frenzy.
"Monitor your card statements, especially in the holiday season," warned Sansec's de Groot. ®