Magento software

Update Magento before Black Friday, urges UK NCSC • The Register

If you run a small online business powered by the Magento e-commerce platform, the UK’s National Cyber ​​Security Center (NCSC) is begging you to make sure it’s fully patched before Black Friday.

“Retailers are urged to ensure that Magento – and any other software they use – is up to date,” the branch of GCHQ said in a statement today, adding that it had informed 4,151 online stores that their Magento installations were vulnerable to compromise by criminals.

“The majority of online stores used for skimming identified by the NCSC had been compromised through a known vulnerability in Magento, a popular e-commerce platform,” the cybersecurity agency said.

Magento is one of the most widely used open source e-commerce platforms. Although the company was acquired by Adobe a few years ago and a paid and managed version is available, many small businesses are ignoring it to cut costs.

Compromising Magento to steal customers’ credit card details has been a problem that has persisted for years – and the barrier to entry for this type of digital crime is not very high, as the Dutch company noted. infosec Sansec last year after spotting a video suggesting the Magento hack. tips for only $ 5,000.

Willem de Groot, Managing Director of Sansec, said The register that card skimming is a real headache this time of year.

“Every year,” he lamented, “Sansec sees an increase in incidents of online skimming in the week leading up to Black Friday. Since 2015, we have discovered over 60,000 online stores with a payment skimmer injected. . “

He recommended rechecking that Magento’s installations are fully up to date (the latest open source version is 2.4.3-p1) and enabling multi-factor authentication on staff accounts – and also encouraged consumers to use what is called “single use”. credit card numbers, which are available from some banks.

Sarah Lyons, deputy director of economics and society at NCSC, said in a statement: “We want small and medium online retailers to know how to prevent their sites from being exploited by opportunistic cybercriminals during peak periods. purchases.”

Generic IT tips, including items for non-technicians, are available on the NCSC website.

The attacks on Magento installations are so popular in the criminal world that they have spawned a whole industry of card thieves loosely known as Magecart. Magecart’s gangs primarily target e-commerce platforms, no longer limited to Adobe-owned software that has proven to be so lucrative for them.

Infosec RiskIQ, one of the many providers who follow the various Hydra-like incarnations of Magecart, noted in 2019: “Web skimming goes far beyond Magento. Skimming groups target almost every web environment, including dozens of other online shopping platforms used by stores around the world. “

The Magecart groups were at the origin of the infamous compromises of British Airways and Ticketmaster.

There is one more thing everyone can do to protect themselves against card fraud during this weekend’s Black Friday / Cyber ​​Monday shopping spree.

“Watch your card statements, especially during the holiday season,” Sansec’s Groot warned. ®