Magento, the platform that makes online shopping convenient and easy and allows retailers to create shop fronts and shopping carts for their own websites, is under scrutiny owing to high levels of security flaws that don’t affect competitor platforms like Shopify and WooCommerce.
On one hand, standardised platforms like Magento have many advantages, the main one being that e-commerce is now available to a much wider range of sellers at a lower cost. On the other hand, the large number of sites running the same software represents an opportunity for cyber criminals. Attackers are drawn to the large user base and the accompanying volumes of data, which, if exploited, can mean huge profits for criminals and correspondingly huge losses for website owners.
This article will examine the growing cyber attack risk associated with the use of Magento and will comment on what can be done to reduce these risks.
Magento
Magento is an e-commerce platform, written in PHP, which is designed for use by people who aren’t developers and have limited programming experience. It is open source software, which means its source code is freely available and anyone can change and distribute the software for their own purposes. Magento was originally developed by a company called Varien Inc., which released the first version in 2008. Since then the company has changed hands a few times, most recently being acquired by Adobe. In 2015 Magento 2.0 was released, using the MySQL and MariaDB database management systems. This updated version addressed many problems of the first version: for example, Magento 2.0 is more easily customisable, has better page caching and scales better.
Magento provides users with a system that allows them to control the overall look, content and functions of an online store. It provides a shopping cart system that allows payments to be made and received through over 50 different payment systems, and it lets users add promotions and discounts at their online checkouts. Additionally, the Magento platform offers an array of marketing, catalogue management and SEO tools to support users’ own marketing strategies. This system has enabled online retailers who previously managed only a handful of products to manage a much larger and more complex inventory. Furthermore, plug-ins and themes are available to extend the functionality of the system, and the system can also be customised in a bespoke way to suit individual needs.
In 2019 Adobe launched Commerce Cloud, a cloud-based version of Magento that is integrated with Adobe analytics, marketing and advertising tools. It is also integrated with Amazon and Google. The Amazon integration (a free extension) allows users to manage their Amazon inventory by setting pricing rules on the Amazon sales channel, and multiple Amazon accounts can be handled simultaneously. There is a similar free integration with Google Shopping, which can be used to manage products and ads from the Magento dashboard.
Magento And Cyber Security
The security of the Magento platform has been in the spotlight in recent years, due to its high number of users and the large volumes of data it handles on a daily basis. A major study conducted by the cyber security firm Foregenix has highlighted a series of security vulnerabilities in the Magento platform. The research was carried out by the firm’s Threat Intelligence Group using a security scanning system called WebScan. Foregenix analysed 9 million websites and concluded that 87% of websites using the Magento platform are at serious risk of cyber attack. Under 10% of websites using other major e-commerce platforms, like Shopify and WooCommerce, were in the same “high risk” category. 2 million of the 9 million sites analysed were European, and the research suggests that European SME sites using Magento are at a lower risk than those in North America. The research also identified sites that had been seriously compromised, and suggests that 1.4% of Magento sites globally are affected by data harvesting malware operating surreptitiously on their websites.
Other cyber security firms have researched potential flaws in the Magento platform, highlighting just how widespread and serious the security problem is for Magento. In one of the most significant discoveries of skimming malware directly affecting the Magento platform, Sanguine Security, a large cyber security company, identified a skimming campaign that hit almost 1000 e-commerce sites in a single day. The Magecart code was part of an automated campaign, which many believe resulted from attackers exploiting a vulnerability in the Magento platform. Some attribute the attack to an SQL injection (SQLi) flaw, which was subsequently patched by Adobe but continued to expose sites to attackers even after the patch was released.
Magecart is a high profile family of skimming malware and has caused problems for many high profile companies, including the airline BA, which received a 183m GBP fine when the malware infected its platforms and compromised the personal data of half a million of its customers. It continues to be used by groups of hackers. Some of these groups target individual websites, but the most worrying campaigns are the automated ones, like those identified by Sanguine Security, because of the scope for mass attacks in short periods of time.
As of 2019, a total of 37 patches have been released by Adobe to address issues across its open source and commercial platforms. The main issues addressed included remote code execution, SQL injection, privilege escalation, information disclosure and spamming. These issues are ranked on a metric known as the Common Vulnerability Scoring System (CVSS) to indicate how serious they are, and of the 37 issues patched, four scored in the highest, “critical”, category. One of these was placed in the critical category because it gave access without any authentication.
As we have seen, remote code execution (RCE) is something Magento users are particularly vulnerable to. This is where a target machine or website operating on a network allows an outsider to run code on it without authorisation. Attackers devise bespoke software that exists solely to exploit such vulnerabilities, and in this way they can bypass a system’s basic security or authentication processes. Once that is done, malware can be inserted remotely and can then attack the data and code that sat behind the bypassed security controls. This is how many malware attacks on data begin. Systems are particularly vulnerable if they have “simple” passwords that can be cracked quickly and easily by automated guessing. This is why one of the most effective things users can do to protect their websites is to use a strong authentication process, with passwords made up of combinations of letters, words and symbols that are hard to guess.
Another common type of attack is a privilege escalation attack. This is where an attacker who has gained access to an “outer” layer of the site uses that foothold to reach deeper parts of the site. These are classed as horizontal (reaching other users’ data at the same privilege level) and vertical (gaining a higher privilege level) privilege escalation. Such attacks can be countered by introducing additional layers of authentication and stronger passwords for access to the more sensitive parts of a site, for example where payment data is stored.
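The two escalation paths described above come down to checks the server must make on every request, not just at login. The following Python is an added illustration written for this article, not Magento’s own code: the user records, order data, role names (“customer”, “admin”) and the request handlers are all constructed for the example. Each handler is shown in a vulnerable form (only the “outer” login check) beside a hardened form that enforces object ownership (against horizontal escalation) and an explicit role check (against vertical escalation).

```python
"""Authorisation checks against horizontal and vertical privilege escalation.

Added example; users, orders and role names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin" (assumed role names)


class Forbidden(Exception):
    """Raised when a request fails an authorisation check."""


# Constructed sample data: order_id -> (owner user_id, stored payment detail)
ORDERS = {
    100: (1, "card ending 1111"),
    200: (2, "card ending 2222"),
}


def get_order_vulnerable(user, order_id, orders=ORDERS):
    # Only checks that someone is logged in (the "outer" layer). Any customer
    # who changes order_id in the request reads another customer's payment
    # detail: horizontal privilege escalation.
    if user is None:
        raise Forbidden("login required")
    _owner, payment = orders[order_id]
    return payment


def get_order_hardened(user, order_id, orders=ORDERS):
    # Ownership is checked per object: customers see only their own orders,
    # admins may see any order.
    if user is None:
        raise Forbidden("login required")
    owner, payment = orders[order_id]
    if user.role != "admin" and user.user_id != owner:
        raise Forbidden(f"user {user.user_id} may not read order {order_id}")
    return payment


def set_role_vulnerable(user, users, target_id, new_role):
    # Trusts whatever the client asks for; a customer can promote themselves
    # to admin: vertical privilege escalation.
    users[target_id] = User(target_id, new_role)
    return users[target_id].role


def set_role_hardened(user, users, target_id, new_role):
    # Role changes are an admin-only function, decided server-side from the
    # caller's stored role, never from a value the client supplies.
    if user.role != "admin":
        raise Forbidden("role changes require the admin role")
    users[target_id] = User(target_id, new_role)
    return users[target_id].role


def outcome(handler, *args):
    """Run a handler and report 'allowed:<result>' or 'forbidden'."""
    try:
        return f"allowed:{handler(*args)}"
    except Forbidden:
        return "forbidden"


def run_scenarios():
    """Exercise both handler variants with constructed users; returns a dict."""
    alice, bob, admin = User(1, "customer"), User(2, "customer"), User(9, "admin")
    users = {1: alice, 2: bob, 9: admin}
    return {
        "bob reads alice order (vulnerable)": outcome(get_order_vulnerable, bob, 100),
        "bob reads alice order (hardened)": outcome(get_order_hardened, bob, 100),
        "alice reads own order (hardened)": outcome(get_order_hardened, alice, 100),
        "admin reads any order (hardened)": outcome(get_order_hardened, admin, 200),
        "bob promotes self (vulnerable)": outcome(set_role_vulnerable, bob, dict(users), 2, "admin"),
        "bob promotes self (hardened)": outcome(set_role_hardened, bob, dict(users), 2, "admin"),
        "admin promotes bob (hardened)": outcome(set_role_hardened, admin, dict(users), 2, "admin"),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario}: {result}")
```

The point of the hardened versions is that the decision uses the caller’s server-side identity and role together with the object’s stored owner; nothing the client sends (an order id, a requested role) is trusted on its own.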
What Website Owners Can Do To Improve Security
When security experts analysed the security flaws and vulnerabilities of Magento, their conclusions were slightly surprising: they found that website owners often needed to do very little to improve their security. Simple remedial actions like downloading Adobe’s patches promptly and applying them correctly made a huge overall difference to the security of Magento websites.
The experts also cautioned website owners against assuming that security breaches are always the result of complex and sophisticated malware campaigns. In fact, most of the security risk arises from neglecting basic precautions, like using security software to scan regularly for viruses and malware. Other risks came from not upgrading the version of Magento, with many websites also failing to upgrade the underlying operating system for the platform.
There are many steps that individual website owners can take to reduce spam-related problems on their own sites.
Spam occurs most frequently where website owners use online forms to gather information. In many cases spammers are trying to place backlinks to their own website, or trying to promote their own businesses. In some cases spam can be used as a way to introduce malware that will attack a website’s authentication system and go on to steal information or gain access to protected systems and material.
As a first measure, it helps to block known spammers from the site. This improves the overall look of the website pages and ensures that spammers can’t repeatedly perform the same spamming activity.
Protecting web forms from spammers is a little more complicated. You need to ensure that the forms are easy for genuine users to fill out while still preventing attacks from spammers. Some website owners protect their sites by including fields in their online forms that only bots will fill out (hidden “honeypot” fields). When such a field is filled in, the owner knows the submission must have come from a bot, and it can be filtered out and kept separate from genuine subscribers and enquiries. A simple settings change can also ensure that these spam submissions are deleted automatically before a site administrator ever has to deal with them.
Since many spammers use automated software to launch their spam attacks, some web forms can be protected by making them hard for a “bot” to complete. This can be achieved with a challenge known as a CAPTCHA. This method requires a series of questions to be answered before an enquiry can be submitted, and the questions are designed so that only humans, and not spambots, can answer them successfully. Common techniques include requiring that a difference between a series of pictures is identified, or that certain questions are answered correctly before any submission is allowed. The CAPTCHA approach is not without problems, though. Some people with sight or hearing impairments won’t be able to see the images or hear the audio version. It is also expensive to design an accessible CAPTCHA system that does not frustrate users, and website owners can find that they are repelling genuine enquiries. Some users will not be able to complete the challenge because they are using mobile phones or iPads to access the forms, so website owners will need to ensure that the CAPTCHA system works on multiple platforms. Furthermore, CAPTCHA systems can themselves be hacked. However, the system does protect against many generic, mass-scale spambot attacks. These attacks typically target the most vulnerable websites, and if a website owner makes it even a little harder for the attack to succeed, many spammers will shift their focus to websites that lack even basic security measures.
Experts recommend that the most important forms on a website, like registration forms, are protected by a comprehensively designed CAPTCHA script that works on multiple platforms, provides an audible version and works well for people with visual and hearing impairments.
Other approaches to repelling spam include using a series of questions on forms that are human-friendly but hard for bots to understand. Requiring answers to simple questions like “what is 4+5?” achieves this effectively, without frustrating genuine users too much. It acts as a good filter for spambots, which fail to make a submission because they can’t answer the simple question.
Other, more sophisticated techniques can be implemented to provide a more comprehensive level of protection against spambots. One involves the use of what is called a “session cookie”. Session cookies are “markers” that are created when a genuine user visits a site. Spambot visits don’t create them, so they can be used to tell the difference between a genuine user and a spambot.
Spammers can also be identified by IP address, and problem visitors blocked. For example, if multiple submissions are received from one IP address within a short space of time, that IP address is likely to be a source of spam. All future requests from that address can then be blocked, a quick and simple approach. This is particularly effective because it prevents future attacks that other forms of spam filtering would not identify until they are actually made.
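The honeypot field, the simple human question, the session-cookie marker and the per-IP rate limit described in the preceding paragraphs are usually combined into one server-side check on each form submission. The following Python is an added example written for this article, not code from Magento or from any plug-in the article mentions; the field names (`website_url`, `human_check`), the cookie name (`form_session`), the rate-limit threshold and window, and the sample submissions are all constructed assumptions. It runs the four checks in order and reports why a submission was rejected, which is what a site administrator needs when tuning the filter.

```python
"""Layered spam filter for a web form submission (added example).

Field names, cookie name, thresholds and sample submissions are assumptions
constructed for illustration.
"""
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "website_url"   # assumed name; hidden from humans via CSS and aria-hidden
QUESTION_FIELD = "human_check"   # assumed name; the form asks "what is 4+5?"
QUESTION_ANSWER = "9"
SESSION_COOKIE = "form_session"  # assumed cookie set when the form page is served
RATE_LIMIT = 3                   # assumed: max submissions per IP per window
RATE_WINDOW = 60.0               # assumed window in seconds


class SpamFilter:
    def __init__(self, issued_sessions, now=time.time):
        self.issued_sessions = set(issued_sessions)  # session markers the site handed out
        self.now = now                               # clock, injectable for testing
        self.recent = defaultdict(deque)             # ip -> timestamps of recent submissions
        self.blocked_ips = set()

    def _over_rate_limit(self, ip):
        """Record this attempt and report whether the IP exceeded the window limit."""
        now = self.now()
        attempts = self.recent[ip]
        attempts.append(now)
        while attempts and now - attempts[0] > RATE_WINDOW:
            attempts.popleft()
        return len(attempts) > RATE_LIMIT

    def check(self, submission):
        """Return (accepted, reason) for one submission dict with ip, cookies, fields."""
        ip = submission["ip"]
        fields = submission.get("fields", {})
        cookies = submission.get("cookies", {})
        if ip in self.blocked_ips:
            return False, "ip blocked"
        if self._over_rate_limit(ip):
            self.blocked_ips.add(ip)                 # block all future requests from this IP
            return False, "rate limit exceeded; ip blocked"
        if fields.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot filled"          # humans never see this field
        if cookies.get(SESSION_COOKIE) not in self.issued_sessions:
            return False, "no valid session marker"  # the form page was never visited
        if fields.get(QUESTION_FIELD, "").strip() != QUESTION_ANSWER:
            return False, "wrong answer to human question"
        return True, "accepted"


class FakeClock:
    """Deterministic clock for the sample run: advances one second per call."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        self.t += 1.0
        return self.t


def run_sample():
    """Feed constructed submissions through the filter; returns a list of (accepted, reason)."""
    spam_filter = SpamFilter({"sess-abc", "sess-def"}, now=FakeClock())
    good = {QUESTION_FIELD: "9", HONEYPOT_FIELD: ""}
    submissions = [
        # genuine visitor
        {"ip": "198.51.100.7", "cookies": {SESSION_COOKIE: "sess-abc"}, "fields": {**good, "name": "Ann"}},
        # bot that fills every field, including the hidden one
        {"ip": "203.0.113.5", "cookies": {SESSION_COOKIE: "sess-def"}, "fields": {**good, HONEYPOT_FIELD: "http://spam.example"}},
        # bot posting straight to the form handler without loading the page
        {"ip": "203.0.113.6", "cookies": {}, "fields": dict(good)},
        # human who got the question wrong
        {"ip": "198.51.100.8", "cookies": {SESSION_COOKIE: "sess-def"}, "fields": {**good, QUESTION_FIELD: "10"}},
    ]
    # one address submitting five otherwise valid forms within seconds
    submissions += [{"ip": "203.0.113.9", "cookies": {SESSION_COOKIE: "sess-abc"}, "fields": dict(good)} for _ in range(5)]
    return [spam_filter.check(s) for s in submissions]


if __name__ == "__main__":
    for accepted, reason in run_sample():
        print("ACCEPT" if accepted else "REJECT", reason)
```

Two design choices worth noting: the rate check runs before the cheaper field checks so that a flood is counted whatever it contains, and the honeypot field must be hidden from assistive technology as well as from sighted users, otherwise the accessibility problem the article raises for CAPTCHAs reappears here.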
Artificial Intelligence (AI) can also be used effectively to combat spam attacks on websites. Spam comments, for example, can be scanned using specialist software like Akismet and problem spammers weeded out. This system can be installed as a plug-in and is a very popular approach to combating spam. There are other specialist tools for dealing with comment-based spam, for example plug-ins for WordPress.
Common sense techniques are also recommended as protection against spam. It helps, for example, to move a form’s location from time to time. Additionally, changing the format of the form and the type of questions and information gathered helps to “shake off” spammers launching repeated attacks on your website, whether using automated software or low-paid workers to post and repost spam messages and enquiries.
Each individual approach to protecting websites from spam has its own advantages and disadvantages. Because of this, and because spam attacks are constantly evolving, a combined approach to spam filtering and prevention is recommended. However, anybody implementing a combined approach to spam detection and filtering needs to bear the user in mind and ensure that site functionality is not compromised in the effort to deal with spam.
How Can Magento Users Avoid Cyber Attacks?
Since the cyber security problems surrounding Magento have been identified and discussed in the media, Adobe has worked hard to address security flaws and malware entry points. However, it is important for Magento users to avoid the temptation to see this as simply a “Magento issue”. Website security needs to be taken seriously, first and foremost by the individual user.
Individual website audits should be carried out to identify security vulnerabilities that are specific to certain users and a bespoke security approach should be adopted to reduce the risks. Magento users can also do a lot to help themselves by implementing some simple, but effective security routines like using strong passwords that include numbers, letters and special characters to protect authentication processes and requiring users to create strong passwords when creating individual accounts for their own use.
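The strong-password rule given above (and in the remote code execution section earlier) is easy to state but needs to be enforced wherever accounts are created. The following Python is an added example written for this article, not Magento’s own password policy: it checks the letters, numbers and special characters the article calls for, and adds a minimum length and a small denylist of common passwords, both of which are assumptions chosen for the illustration. The denylist check also strips trailing digits and symbols, so that a common word dressed up with a year and an exclamation mark is still rejected.

```python
"""Password policy check (added example; thresholds and denylist are assumptions)."""
import string

MIN_LENGTH = 12  # assumed minimum; length does more against guessing than any single character class
# Constructed denylist: a real deployment would use a much larger list of leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "magento", "admin", "letmein", "welcome"}


def password_problems(password):
    """Return a list of reasons the password fails the policy; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Compare case-insensitively, and again with trailing digits/symbols removed,
    # so "Magento2024!" is recognised as the common word "magento" plus decoration.
    lowered = password.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def is_strong(password):
    """True when the password meets every rule of the policy."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["password123", "Magento2024!", "Tr0ub4dor&3-Correct!"]:
        print(candidate, "->", password_problems(candidate) or "ok")
```

Returning the full list of problems rather than a single pass/fail lets the registration form tell the user exactly what to change, which keeps the policy from becoming the kind of friction that drives genuine users away.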