Magento Attacks

One trend we are seeing in the market at present is an increase in the use of JavaScript sniffers (JS sniffers).  In short, these sniffers are malicious code injected into a website with the sole intention of stealing personal data, names, credentials etc. from customers using that website.  Most recently, we have had the Magecart JS sniffer code that affected a number of global retailers, where the injection of a few lines of code into certain webpages resulted in the attacker capturing the website users’ full details when users clicked the submit button.  These attacks were highly targeted and tailored to individual payment pages.

The threat intelligence company Group-IB has reported that 7 online stores in the UK and the US (including Fila, the global sporting goods company) have been targeted by a Magento-specific JS sniffer, which Group-IB has dubbed ‘GMO’ after the gmo[.]il domain.  All of the infected sites where GMO has been found to be injected are running the Magento e-commerce web platform.  In the same trend as the previous Magecart attacks, the code has been manually injected, suggesting that criminals are becoming more proficient at targeting specific payment pages and implanting malicious code unnoticed.  In September 2018, Fila’s vulnerability was reported by a Malwarebytes researcher (Jérôme Segura), who posted a line of the code to his Twitter account.  Segura noted a Brazilian Fila website that was previously found to be infected and that some of the domains used in the attack were the same as the ones found in the compromise he discovered.

Group-IB has stated that GMO is one of the 15 families of sniffers it has recently discovered and plans to detail in an upcoming research paper.  A significant issue for organisations is how to detect an unauthorised code change on the site, or even unauthorised access to their web platform.

Although these sniffer codes may seem relatively simple to both experienced analysts and laypeople alike, they are proving to be a huge problem for many e-commerce platforms.  In September 2018, it was reported that a card skimming operation compromised 7,339 Magento-based online stores.  This skimmer was known as MagentoCore and, at its height, criminals were infecting up to 50-60 stores’ websites per day with the parasite.  Similarly, by exploiting security holes in Magento or using compromised accounts, hackers were able to access the administrative control panel of e-commerce platforms and replace the code on the site with their own malicious code.

What can you do?

There are a number of things that you can do to try to prevent malicious code being placed on your platform.  Below we discuss some security best practices that can be applied to your web applications to strengthen security controls and help avoid malicious code being injected into your website without your knowledge.

Legacy systems and services are a common cause for concern.  When a system goes ‘end of life’, the support for that system will diminish and patches will no longer be available.  Even on in-date systems, patches should be reviewed and applied within a reasonable timeframe to ensure there is maximum protection from malware.

A key layer of your defence is detection.  Detecting unauthorised access or unauthorised code changes is an effective way of ensuring no code changes are made without notification.  Log files are an effective way of detecting unauthorised access to, or changes on, your systems, and regular log reviews are invaluable for spotting malicious activity.  If your systems transmit cardholder data, there is a good chance you are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS).  Requirement 10 of this comprehensive standard mandates that logs for in-scope systems be collected, reviewed and stored for at least 12 months.  These attacks are occurring and going unnoticed: Fila.co.uk is a case in point, where the site was believed to have been compromised in November 2018 and the malware was only removed in March 2019.  Proactive monitoring of log files will help pick up an intrusion or unauthorised code changes more quickly.

Allocating budget to install a web application firewall in front of your e-commerce site provides another method of detecting and blocking unauthorised traffic and access to your website.  By utilising a firewall, you can whitelist information sources and only allow traffic from known, trusted locations.

A less expensive alternative for blocking unauthorised traffic is to configure a Content Security Policy (CSP) on your website.  CSP is an effective way of preventing cross-site scripting, clickjacking and code injection attacks on your platform.  Again, it provides you with the capability to whitelist the sources from which you accept content.  Although this is less effective if you have suffered an attack through a compromised account (the attacker can edit the policy too), it limits the number of sources from which content can be loaded on your site.  You can find more information on this topic here: https://en.wikipedia.org/wiki/Content_Security_Policy

Another option is to utilise subresource integrity (SRI) so that the browser verifies it is only pulling (or ‘fetching’) resources that have not been unexpectedly modified, by checking a cryptographic hash that the delivered file must match.  If you are using a content delivery network to host files (such as scripts), you can implement SRI to ensure that the file the browser receives has not been modified, whether on the CDN or in transit.  This will catch injected code or any other change to the file, since a modified file no longer matches the hash and the browser refuses to execute it. Further information can be found here: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

User access control is also an effective method of reducing the risk of an attack of this type through compromised accounts with elevated privileges.  Many websites have their code updated by non-technical staff (Marketing, for instance) who have administrative access to the control panel where code changes are made.  Multi-factor authentication on admin accounts is an effective measure for ensuring that accounts with the privileges to make changes are locked down as much as possible, reducing the likelihood of them being compromised and misused.  Anyone or anything that can modify access or content should have multiple layers of authentication.

Similarly, this is also a good opportunity to remind your staff of their information security responsibilities through continued training around best practice (e.g. managing password complexity).
