Magent-a-Gheddon: The Aftermath
The first big hack of Magento 1 stores has been made public. There are undoubtedly more to come. In this case, I hate being right. But, well, I told you so!
Why Magento 1 Is Such A Juicy Target For Hackers
Despite what you see in the movies and on TV, hacking is more about hard work than it is brilliance. Professional hackers, (i.e. those who are in it for the money and not just for the lulz) are a pretty hard working group. They tend to be patient, methodical, and disciplined because that is how you succeed.
Truly dedicated hackers are usually not trying to prove they are the best hacker, rather, they are looking for success.
Poorly-secured Magento sites are a gold mine for them: they are easy to break into to process credit cards, take over servers to mine cryptocurrency, or to be used for a wide range of other nefarious purposes. Some will even embed bots in the site so they can take over the server and your customers’ machines in the form of a botnet. After building a botnet, the hacker can sell or rent access to it on the dark web for a variety of purposes including DDOS attacks. The hacker doesn’t care what the bots are used for but, rather, seeks to maintain the botnet so it can be rented out.
Announcing End of Support for Magento 1 Was A Hacker’s Dream
Keeping Magento (and other open source platforms) secure is like a game of whack-a-mole. Rarely does an exploit show up in Magento’s code base (though it does happen). Normally the exploit comes from PHP (the programming language used to create Magento) or the web server (there are several).
As exploits are discovered ‘in the wild’ or brought to the attention of the PHP or Magento developers by white hat hackers, those companies issue patches that agencies and systems integrators can apply to close the resulting security hole.
While much can be done from a hosting perspective (like Razoyo Fortress Hosting) to protect a Magento site, many agencies and developers use more plain-vanilla setups. A hacker then crawls the web to find setups that run the right combination of software for their exploit. They inject their control script and gain control of the server.
Lying In Wait To Deceive
Smart hackers don’t just start syphoning off credit cards or installing bitcoin mining apps right away: they first lay the groundwork to cover their tracks and ensure that the machine will remain available to them.
When a developer applies a patch it can ruin their whole exploit. So, they start laying traps which will ensure access even after the new patch is applied or to keep it from being applied in the first place. Then, they start installing scripts and building out back doors. In fact, a common strategy involves applying patches and removing malicious code from previous amateur hacks, to ensure they have sole access.
Mannah From The Sunset
Any time an open source platform used to run 100,000s of ecommerce sites sunsets, it creates opportunities for hackers. Many have been biding time for months, planning for this very moment. Knowing that no patch is coming from Magento makes their job that much easier.
Various reports indicate that there are still tens of thousands of sites still on Magento 1. I’m sure the past few months has been a race among black hat hackers to secure as many M1 sites as they can. In fact, Sansec reports that over 2,000 Magento 1 sites were hacked just over the past weekend. I’m sure there will be more.
How Razoyo Ruins Hackers’ Dreams
Razoyo has worked on many, many Magento sites that were developed by other teams over the years. One of our rules of engagement is to do a full technical analysis of the current build before agreeing to a new retainer process or recovering a failed implementation.
Among other things, we evaluate the current site’s security status and look for potential existing intrusions. We have seen numerous intrusions and tactics used.
Often, the way in (hackers call it the ‘entry vector’) is provided by the merchant themselves.
The allure of low-cost, manual SEO from outsourced, overseas companies can be very tempting for the client. Many of them simply don’t have the correct security patches or have a bad apple working who sells access on the side. If an SEO company asks you for SSH access to your server, don’t walk, run!
However they get in, we apply a number of techniques to secure the site including tighter server security, version control, upgrading and/or patching server software and programming languages, forcing admins to reset passwords, adding logging, and a number of other measures. Clients hosted on Razoyo Fortress get all of these measures as part of the package.
As always, we recommend following security protocols developed by the hacking community.