Magento Vulnerability


(0:04) Hi, I’m Earl Duby, I’m the Chief Information Security Officer here at Auxiom. 

(0:09) I wanted to take a minute today to talk to you about something that’s been happening more and more frequently lately, and that is the planting of malware on e-commerce sites.  

(0:20) So a company called, let’s see, a company called SanSec recently came out with a report where they had indicated that several websites, e-commerce sites, had been found with a type of malware that includes a card skimmer or a payment skimmer device. 

(0:39) And so what they found is that a very well-known organized crime unit has figured out a way to inject malware into Magento websites.  

(0:51) So Magento is a platform used mostly for e-commerce sites. And what they had found is that this malware group, this organized crime group, has been systematically installing this malware on e-commerce sites. 

(1:05) And what I really want to talk about is, one, the vulnerability that they’re using to get this malware onto websites has been already documented. Adobe has released a patch for it, and yet that patch hasn’t been installed on these websites that are being compromised.  

(1:23) So it just, again, it stresses the importance of vulnerability management, keeping up to date on these vulnerabilities that get published by the manufacturers of the software, and just how quickly these vulnerabilities get exploited. 

(1:40) So this patch had been released on February 13th of this year, so a little over a month ago, and yet we’re already seeing exploitation of this vulnerability on live websites.  

(1:51) So it just shows how this window of opportunity is really shrinking between when a vulnerability gets released and when you have to apply the patch.  

(2:02) What it also kind of led me to believe, or led me to think about, was Magento is one type of website. It’s used for e-commerce and things, but a lot of people have WordPress websites and different other websites that are on different platforms.  

(2:21) And most of them are not webmasters, they are not web developers. So you have people who are inexperienced at building websites, and that’s why they’re using these platforms that are kind of ready-made, and you just have to do slight customizations. 

(2:36) But the problem is, if you don’t really understand how a website operates, you’re pretty likely to leave open some configuration gaps, and leave things open that can be later exploited by very skillful, malicious actors.  

(2:54) And so it gets you to think about using professionals to host your website. So use companies that really understand how to design websites, how to configure their websites, and they will manage those risks for you. 

(3:14) They will manage the vulnerabilities when they get released by Adobe or whatever the vendor is. These professional hosters will go fix those websites for you.  

(3:26) If you have any questions on that, you can give us a call. We know people that run WordPress websites and can really do that hosting for you.  

(3:36) Because it’s really critical to understand how to lock that website down, especially if you’re doing e-commerce through there, because if you get one of these skimming software packages on your website, and you have malicious actors stealing those credit cards, obviously your customers are going to get impacted by that, which is potentially going to lead back to you, and you won’t have those customers anymore.  

(4:01) So it’s really important that you look out for not just yourself, but you’ve got to look out for your customers and the people that are using your websites. 

(4:09) So it’s really the due diligence on your part to take the proper security precautions.  

(4:17) Another thing about this Magento, as I was looking into it, Magento 1, version 1, is end of life. You shouldn’t even be using that platform anymore. 

(4:27) You should really migrate to Magento 2, which introduced a bunch of other security controls, such as encryption and two-factor authentication.  

(4:38) Because as you put these websites out there, you really need to protect not just the site itself, so you don’t get these skimming software packages and things like that out there, but you also need to protect the admin interfaces with two-factor authentication, which will then give you another layer of protection so that you don’t have to worry about your site getting hijacked by some malicious actors. There’s a lot of things to consider. 

(5:06) If you’re not a professional web developer or web designer, you really should think about getting that hosted by a third party.  

(5:15) And again, if you have any questions on that, give us a call.  

(5:18) We can help you find someone that can get you what you need, and hopefully you can protect yourself and your customers. 

(5:25) All right, thank you. 
