Magento eCommerce Web Application Security Guide
Magento (magento.com) is a web-based eCommerce application, widely used by online merchants to run online shops and process customer transactions.
HKCERT is aware that the Dutch security researcher Willem de Groot (gwillem.gitlab.io) released a research report in October 2016 on websites running Magento installations that are vulnerable to 'online skimming', i.e. criminals intercepting credit card data by infecting unpatched Magento installations. Some of the affected websites are hosted in or affiliated with Hong Kong. This guide is therefore released to help online merchants recover and protect their Magento installations.
1. Threats to websites with impacted Magento application
According to the research report, websites running outdated or unpatched Magento installations are exposed to the following threat:
- Visbot malware, which allows criminals to intercept credit card and other payment data and can even give them control of your website (Dec 2016)
2. Business impacts arising from breached Magento application
The research report found that criminals mainly target payment and card data on breached Magento installations. A breach may therefore cause financial loss to both the merchant and its customers, and customers may hold the merchant liable for financial loss or leakage of their personal data.
3. Recovery of breached Magento application
- You can check whether your Magento application is vulnerable or has already been breached. Use MageReport (https://www.magereport.com/) to obtain a report on the security status of your website.
- You can follow the instructions below to recover your Magento application:
- You are also advised to scan your website with general vulnerability scanning tools to find and fix vulnerabilities in other parts of your website.
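An online skimmer such as Visbot lives in files that a clean Magento release does not contain, or in core files whose content has been altered. A practical first step in recovery is therefore to compare the live document root against a pristine copy of the exact same Magento release, unpacked from magento.com, and review every added or modified PHP, template or JavaScript file by hand. The script below is an added example written for this guide; it is not HKCERT's or Magento's own tooling. The directory names `magento-clean` and `magento-live`, the choice of `var/` and `media/` as directories to skip, and the sample files in `demo()` are assumptions made for the example.

```python
"""Compare a live Magento document root against a clean copy of the same
release and report files that were added, removed or modified.

Added example for this guide (not HKCERT's or Magento's own code). It assumes a
pristine copy of the exact release you run has been unpacked beside the live
tree; the directory names used in demo() are placeholders.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories whose contents change legitimately during normal operation
# (cache, sessions, logs, uploaded product images). Assumption for the example;
# extend the list for your own deployment.
SKIP_TOP_LEVEL = ("var", "media")

# Files that can carry executable or injectable content in a Magento install.
CODE_SUFFIXES = {".php", ".phtml", ".js", ".html"}


def _sha256(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, skip_dirs=SKIP_TOP_LEVEL):
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if rel_dir == Path("."):
            # Prune in place so os.walk never descends into skipped directories.
            dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            manifest[(rel_dir / name).as_posix()] = _sha256(Path(dirpath) / name)
    return manifest


def diff_manifests(clean, live):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(live) - set(clean))
    removed = sorted(set(clean) - set(live))
    modified = sorted(p for p in clean.keys() & live.keys() if clean[p] != live[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_code_file(relpath):
    """True for files that can execute server-side or run in the shopper's browser."""
    name = relpath.rsplit("/", 1)[-1]
    return name == ".htaccess" or Path(name).suffix.lower() in CODE_SUFFIXES


def compare_trees(clean_root, live_root):
    """Diff the two trees; 'review_first' lists added/modified code files."""
    result = diff_manifests(build_manifest(clean_root), build_manifest(live_root))
    result["review_first"] = [
        p for p in result["added"] + result["modified"] if is_code_file(p)
    ]
    return result


def demo():
    """Constructed sample: a clean tree and a live tree with one dropped PHP
    file, one modified JavaScript file and a legitimate change under var/."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "magento-clean"
        live = Path(tmp) / "magento-live"
        files = {  # constructed stand-ins, not real Magento file contents
            "index.php": "<?php require 'app/Mage.php';\n",
            "js/varien/form.js": "var Form = {};\n",
            "app/etc/local.xml": "<config/>\n",
            "var/cache/entry": "cache\n",
        }
        for root in (clean, live):
            for rel, body in files.items():
                path = root / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        # Simulate tampering on the live tree only.
        (live / "js/varien/form.js").write_text("var Form = {};\n/* appended */\n")
        dropped = live / "skin/frontend/base/default/images/h.php"
        dropped.parent.mkdir(parents=True, exist_ok=True)
        dropped.write_text("<?php echo 1;\n")
        (live / "var/cache/entry").write_text("cache changed\n")  # ignored (var/)
        return compare_trees(clean, live)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(key, paths)
```

Run it against a real deployment by calling `compare_trees("/path/to/magento-clean", "/path/to/magento-live")`; every entry in `review_first` deserves a manual look before the site is put back into service, and any legitimate customisation that shows up there should be moved into a version-controlled extension so the next comparison stays clean.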
4. Prevention of Magento application breach
- Ensure that you have applied the latest security updates (patches) to your Magento application (magento.com/security).
- Ensure that other parts of your website (e.g. the server operating system and web server) also receive the latest patches.
- Perform regular vulnerability scanning of your website with the tools mentioned above.
- Perform security assessments against industry or de facto standards such as the OWASP Top 10 or PCI DSS (applicable to the payment card industry).
5. Other potential follow-up on breach
- If you suspect that personal data has been breached, you should consider notifying the Office of the Privacy Commissioner for Personal Data (PCPD) according to its procedure.
- If you suspect any financial loss, you may consider filing a crime report at the nearest police station.