The latest attack on Magento-based web applications (JavaScript sniffing software) is not the first time the platform has been exploited by malicious individuals.  In a previous blog, we looked at some of the past attacks on Magento and offered some advice on what organisations can do to protect their online payment pages.  Here, we are going to focus specifically on Magento platforms and what you can do to prevent this type of malicious code attack.

Magento continues to be one of the most popular e-commerce platforms and, according to 2018 figures, is a ‘Top 3’ platform.  With popularity comes the downside that Magento-based websites represent a major target for criminals.

The most significant issues associated with many of the Magento website breaches (including the latest JavaScript sniffing exploit) relate to the way the websites are implemented, secured and managed.

URM’s consultants have compiled a number of Magento-related security tips to help you protect your website from security threats, including GMO and beyond.  In our last blog, we discussed the need to update and patch your software, to implement controls to monitor your log files to help detect potential threats and to implement robust user access management.  In this blog, we will expand on these themes and introduce additional measures specifically related to protecting your administration page.

Protecting your Magento administration page

Compromising an administration page is one of the most effective ways of injecting malicious code into your code base.  Attackers will often begin with automated techniques that identify standard web page configurations, then initiate brute force attacks on username/password combinations in order to gain access.  Once they have access to your administration page, they are in a strong position to manipulate information and make unauthorised changes to your code.

By changing your Admin Path from yourwebsite.com/index.php/admin or yourwebsite.com/admin to yourwebsite.com/store/’something-else’, the attackers will need to work much harder to locate your administration page before they can try to modify any code.

Disabling directory indexing makes it more challenging for criminals to work out how to access your Magento core files.  As well as making it more difficult to locate your administration page, you should also be looking to make it more challenging for criminals to traverse your website looking for areas they can exploit.  If you’re able to do this, attackers are more likely to move on to easier targets.

One of the features of Magento is the ability to provide RSS feeds.  RSS, or Really Simple Syndication, is an XML-based data format that is used to distribute information, enabling customers, for example, to subscribe to feeds to learn about new products and promotions.  Magento also provides RSS feeds for site administrators to quickly check on new orders, newly posted product reviews and stock levels.  In Magento, the administrative RSS feeds are located at:

  • /rss/catalog/review
  • /rss/catalog/notifystock
  • /rss/order/new

To prevent unauthorised access to these feeds, Magento employs a simple authentication box requesting a username and password, the same credentials as for the Magento administration pages. Once authenticated, Magento will display (for example) details of new orders with a link to the corresponding order which, when clicked, will take the user into the Magento administration area.  Magento should again ask the user to enter the same username and password in another login box before taking them to the site.

This system is vulnerable because an attacker can conduct a ‘brute force’ or ‘dictionary’ attack on the initial RSS login box, trying numerous combinations of usernames and passwords until the correct credentials are found.  If the usernames and passwords are complex, this attack can be rendered impractical, but simple usernames and passwords can result in a site being compromised very quickly.

Although creating a custom admin path can make it a lot more difficult for attackers to identify the Magento administration area, if the RSS pages are compromised the attacker will be provided with a clear path to the administration area.

On newer versions of Magento, this functionality is disabled by default, but in many instances RSS feeds may have been enabled even if they are not in use, providing a useful surface for attackers to pivot across to the administration page.

We would recommend that RSS is disabled if not in use or, if the administrative feeds are required, access to them is restricted by whitelisting only authorised IP addresses.

Remember to always keep a copy

Issues can occur in which data becomes corrupted or lost, leaving it irretrievable to the business.  We have observed that a significant number of online merchants do not have a tried and tested backup solution, which makes recovering from a compromise more challenging than it should be.

Backups should be automated (to avoid people forgetting to do them!) and kept offsite.  Backups kept on the web server could be corrupted, compromised or infected with malware along with the server itself, rendering them useless when you attempt to restore business-as-usual functionality.  Keeping your backup copies offsite and separate from your production environment therefore prevents them from being infected or manipulated by the same attackers who are attacking your website.

Detection and monitoring

Monitoring, reviewing and storing a log of all activity on your website is a fundamental security control and key to detecting attacks in order that you can respond quickly.  With logging enabled, you should be able to identify whether any unauthorised access has occurred, as well as observe where any changes to code have been made without prior knowledge or sign-off by the organisation.  In terms of monitoring frequency, the Payment Card Industry Data Security Standard (PCI DSS) requires you to be analysing website activity data at least daily to identify threats.  In terms of how long you should be storing security log data, requirement 10 of the PCI DSS sets the benchmark requiring compliant organisations to store at least 12 months’ worth of such data.
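As an added example (not URM's tooling or part of the original post), the script below applies the daily log review described above to the brute-force scenario from the RSS section: it parses web-server access-log lines, counts rejected logins against the administrative RSS feeds (HTTP 401) and against the admin login form (a POST that re-renders the form with 200 rather than redirecting with 302), and flags source IPs that exceed a threshold, noting whether they subsequently succeeded. The log lines, the admin path list and the status-code interpretation are assumptions for a Magento 1 style install; adjust them to your own site.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:02:14:01 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:02:14:02 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:02:14:02 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:02:14:03 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:02:14:03 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.21"
203.0.113.7 - - [10/Mar/2019:02:14:04 +0000] "GET /rss/order/new HTTP/1.1" 200 5120 "-" "python-requests/2.21"
198.51.100.9 - - [10/Mar/2019:02:20:11 +0000] "POST /index.php/admin/ HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2019:02:20:40 +0000] "POST /index.php/admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.25 - - [10/Mar/2019:09:01:00 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 14000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
ADMIN_PATHS = ("/index.php/admin", "/admin")          # add your custom admin path here (assumed defaults)
RSS_ADMIN_PREFIXES = ("/rss/order/", "/rss/catalog/")  # the administrative feeds

def classify(line):
    """Return (ip, 'fail' | 'success' | None) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None, None
    ip, method, status = m["ip"], m["method"], int(m["status"])
    path = m["path"].split("?")[0].rstrip("/")
    if path.startswith(RSS_ADMIN_PREFIXES):
        # The admin feeds use HTTP basic auth: 401 = rejected credentials, 200 = feed served
        return ip, {401: "fail", 200: "success"}.get(status)
    if method == "POST" and any(path == p or path.startswith(p + "/") for p in ADMIN_PATHS):
        # Assumed behaviour: login form re-rendered (200) on a bad password, redirect (302) on success
        return ip, {200: "fail", 302: "success"}.get(status)
    return ip, None

def find_bruteforce(lines, threshold=5):
    """Map each IP with >= threshold failed logins to its count and whether it then got in."""
    fails, logged_in = defaultdict(int), defaultdict(bool)
    for line in lines:
        ip, outcome = classify(line)
        if outcome == "fail":
            fails[ip] += 1
        elif outcome == "success" and fails[ip] >= threshold:
            logged_in[ip] = True    # many failures then a success: treat as likely compromise
    return {ip: {"failures": n, "logged_in_after": logged_in[ip]}
            for ip, n in fails.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

An IP that is reported with logged_in_after set is the case to investigate first: the credentials it used should be reset and the admin activity from that time correlated against your change records.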

One of the first signs that you have been compromised is files being added, changed or deleted.  With the increase in use of e-commerce as a payment platform, there is far more website activity than before, and websites are becoming more difficult to manage and maintain.  Without technology in place to monitor changes, it becomes increasingly difficult to know whether your code has been compromised and changes are being made by an unwanted outsider.  Proactively monitoring the changes that take place on your website is an essential step in detecting malicious activity and can be done very effectively.
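The file-change monitoring described above, as an added example that is not part of the original post: it hashes every file under a code root into a baseline manifest, then reports what has been added, changed or deleted on a later pass. The excluded directory names and the tiny constructed tree in run_demo are assumptions; on a real install you would baseline your web root after each legitimate deployment and keep the manifest offsite with your backups.

```python
import hashlib
import os
import tempfile
from pathlib import Path

EXCLUDE_DIRS = {"var", "media"}   # assumed: constantly changing on Magento, would only add noise

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (POSIX relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE_DIRS]  # prune in place
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest

def compare_manifests(baseline, current):
    """Return the files added, changed and deleted since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }

def run_demo():
    """Build a tiny constructed code tree, baseline it, then simulate tampering."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "var").mkdir()
    (root / "js" / "checkout.js").write_text("// original checkout script\n")
    (root / "index.php").write_text("<?php // storefront entry point\n")
    (root / "var" / "system.log").write_text("noise that must not be tracked\n")
    baseline = build_manifest(root)        # in practice: store this offsite with your backups
    # Simulated tampering: script modified, an unexpected PHP file dropped, a file removed
    (root / "js" / "checkout.js").write_text("// original checkout script\n// injected line\n")
    (root / "app_bootstrap.php").write_text("<?php // unexpected new file\n")
    (root / "index.php").unlink()
    return compare_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(run_demo())
```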

A properly configured, managed web application firewall (WAF) protects you against attacks such as SQL injection, application vulnerability exploits and injected code (such as GMO and other JavaScript sniffers).  A WAF will provide a website with ‘virtual patching’ when a zero-day vulnerability is disclosed.  This protection buys a web administrator time to test the patch and then update the system in their own time, knowing that the site is being protected and monitored.

Generally, if perpetrators manage to evade detection and extract transaction data, they will usually store that data in a file somewhere within your site, to be collected later; often this card payment information sits awaiting exfiltration unencrypted.

A regular ‘Primary Account Number (PAN) scan’ of file systems and databases for unprotected cardholder data will identify these files ready for exfiltration and alert you to the issue.

Attacks like GMO and other JavaScript sniffing code involve malware that makes changes to the website codebase.  GMO has been found to be very difficult to detect as it immediately transmits the data submitted by a customer to the outside gmo.li domain (where GMO got its name).  Even so, ‘PAN scanning’ should still be carried out, as GMO is still deemed to be immature and there is no telling whether the attack will be modified in future to store ‘harvested data’ before exfiltration.
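A minimal PAN scanner of the kind the two preceding sections recommend, added here as an example rather than URM's or any vendor's tool: it finds 13 to 19 digit sequences (with optional space or dash separators), keeps only those that pass the Luhn check that all major card brands use, and reports each hit with the PAN masked so the report is not itself cardholder data. The constructed SAMPLE uses only industry test card numbers; scan_tree is the same logic applied to a directory such as the web root or an unpacked database dump.

```python
import re
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit validation, used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep only the first 6 and last 4 digits so the report itself holds no usable PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text, source="<text>"):
    """Return (source, line_no, masked_pan) for every Luhn-valid candidate found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((source, line_no, mask(digits)))
    return hits

def scan_tree(root, max_bytes=50_000_000):
    """Walk a directory (web root, or an unpacked database dump) and scan every file."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.stat().st_size <= max_bytes:
            hits.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return hits

# Constructed sample of what a harvester's drop file might look like; industry test card numbers only
SAMPLE = """\
2019-03-10|alice@example.com|4111 1111 1111 1111|12/22
order_id=1234567890123456 status=complete
2019-03-10|bob@example.com|5555-5555-5555-4444|03/21
"""

if __name__ == "__main__":
    for source, line_no, masked in scan_text(SAMPLE, "sample"):
        print(f"{source}:{line_no}: {masked}")
```

The 16-digit order id on the second sample line fails the Luhn check and is correctly ignored, which is what keeps the false-positive rate workable on a real file system.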

Keep up to date

There are multiple reasons to use Magento as a platform; the framework makes the building and maintenance of highly effective, high growth e-commerce businesses far simpler and considerably more scalable than bespoke websites.  Due to its open-source nature, Magento has an active community of over 150,000 developers who contribute to the platform by developing extensions to it and providing improvements.

To ensure your website remains secure as your business grows, it is essential to use up-to-date versions of Magento, and that you update as soon as a patch is issued.  Remarkably, huge numbers of websites are compromised daily simply because the latest version of the software is not in use. Unless you are using a WAF to protect your website, you need to update as soon as patches are released.

Magento is a highly customisable platform.  This provides hugely powerful functionality for online businesses, but it also creates a significantly greater security challenge.  Often there are competing extensions offering very similar functionality.

The first thing to look for is extensions that are actively being developed with regular release cycles.  Most extension-related security incidents arise when an extension is found to be insecure, and can result in the website being compromised.  You need to ensure that the development team remains active in updating and improving the extension.  If an extension has not been updated in a long time, it is more than likely that it has ‘fallen out of support’ and should be avoided.

Another tip for extensions is to only download them from legitimate sources, such as the Magento Connect marketplace.

Manage your users and their access to systems

You will most likely have multiple users logging into your website with a multitude of permissions and functions to perform. It is essential that you:

  • Have a unique set of credentials for each user
  • Know each user
  • Assign the appropriate permissions to them for their role within your business. For example: if you grant escalated privileges to a user temporarily, ensure that you reduce their privileges once they have completed their work. Do not allow sharing of accounts – ensure you understand exactly who is doing what on your website in order that you can correlate users with all log data collected from your website.

We would strongly recommend you create a very strong, complex, unique password to access your admin interface.  With longer and more complex password requirements in place for your staff, you could consider using a password manager tool to track all passwords and even generate strong passwords in line with your company’s password complexity guidelines.

Rather than simply authenticating against a username/password, a better solution would be to use two-factor or multi-factor authentication.  This uses your username, something you know (password) and something you have (e.g. Google Authenticator on your phone).  Multi-factor authentication would utilise the above and also use something you are (e.g. biometric fingerprint scanner) to authenticate your access.  The Magento Connect marketplace is a good place to start looking for extensions so you can adopt multi-factor authentication on your Magento site.
