View all newsletters
Receive our newsletter – data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 12, 2019

Magento Implores Users to Patch as Card Skimmers Proliferate

The 'hot fix' does not mitigate the "effects of an earlier attack.”

By CBR Staff Writer

Ecommerce platform Magento is “strongly” recommending that its customers install its latest security patches, with hackers exploiting a recently disclosed remote code execution vulnerability on unpatched shopping sites to steal card details.

Magento, bought by Adobe for $1.68 billion in May 2018, is an open-source ecommerce platform through which users build online stores, making it a ripe target for threat actors looking to steal shoppers’ financial credentials.

Magento-powered stores have previously been widely hit by the so-called Magecart threat group(s), which exploit code vulnerabilities in the platform to layer fake payments pages on ecommerce sites, then skim payments.

Read this: Magecart’s 7 Groups: Hackers Dropping Counter-Intelligence Code in JavaScript Skimmers

The platform is warning users that Magento Commerce v2.3.1 and Page Builder Beta are in urgent need of a security update.

Otherwise attackers can “enable an unauthenticated user to insert a malicious payload into a merchant’s site and execute it.”

The security alert comes after Magento released a patch for the vulnerability CVE-2019-8144, a remote code execution exploit that allows hackers to inject malicious payloads into Magento via PageBuilder template manipulations.

Content from our partners
Incumbent banks must transform at speed, or miss the benefits of open banking
Leverage cloud and expertise to optimise engagements from onboarding to conclusion
How enterprises can best prepare for finance digitalisation

The E-commerce platform pushed out patches for the vulnerability at the beginning of October, but are warning all merchants this week afresh to make sure they have installed the latest security updates.

Prime Target

Magento sites continue to be low hanging fruit for attackers.

As the UK’s National Cyber Security Centre (NCSC)’s annual report notes, the agency shut down 1,102 attacks running skimming code on the platform. “They [Hackers] had written malicious JavaScript code which copied all credit card transactions and silently sent the results to domains controlled by them.”

Once users have applied the latest security updates Magento is strongly recommending that everyone assesses the security of their Magento site to confirm that it was not potentially compromised before upgrading: “Applying this hot fix…will help defend your store against potential attacks going forward, but will not address the effects of an earlier attack.”

Magento Security Warning Recommendations

For customers running Magento 2.3.1—

  • Install the MDVA-22979_EE_2.3.1_v1 patch now, and then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
  • Review your site and your server for signs of potential compromise.
  • Please note that editing an email template will not work as expected after the MDVA-22979_EE_2.3.1_v1 patch has been applied. However, this feature still works as expected from the email templates grid.

For customers running Magento 2.3.2 —

  • Install MDVA-22979_EE_2.3.2_v1 patch now, then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
  • Review your site and your server for signs of potential compromise.
  • “Merchants running unsupported versions of Page Builder, such as Page Builder Beta, should follow the instructions for the version of Magento 2.3.x they are running.”

In an advisory note to Magento Commerce Cloud customers, the platform states that due to security measures implemented to block this vulnerability administrators will not be able to view previews for products, blocks and dynamic blocks.

Magento is working on this issue.

Websites in our network
NEWSLETTER Sign up Tick the boxes of the newsletters you would like to receive. Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
I consent to New Statesman Media Group collecting my details provided via this form in accordance with the Privacy Policy
SUBSCRIBED

THANK YOU