Rogue admin accounts in Magento and Adobe Commerce (+ 10 tips)

Rogue admin accounts can be a significant headache for any merchant.

These accounts, which are created or compromised without proper authorization, can give an attacker access to sensitive data, the ability to change system configurations, and install malware.

One of the biggest challenges with rogue admin accounts is that they’re hard to detect. After all, they are authorized accounts :), so they may not raise any red flags at first glance.

Attackers have been known to use:

1. Spearphishing: compromise a regular admin account by requesting a password change by email. Attackers derive email addresses from the web, Linkedin, and your own websites.
2. Use passwords from other attacks. 1.000’s websites have been hacked and are a goldmine of username (email) and password combinations. Google for “haveibeenpwned”.
3. Guess of brute force passwords. Attackers will try the most common ones in use (password123, combinations of names, etc.).
4. Rogue accounts can also pretend to be vendors: [email protected], [email protected], etc. Some are legitimate; some are malicious.

So, what can you do to prevent rogue admin accounts from cropping up in the first place? Here are a few best practices to keep in mind:

1. Implement robust, unique passwords for all admin accounts. Have users use a password manager to make it easy and fun.
2. Use 2FA (2-Factor Authentication) wherever possible. This provides an additional layer of security by requiring users to provide a second form of authentication, like a one-time code sent to their mobile phone.
3. Test your users with a phishing email. “He $name, please update your password here! We need to improve our security, Sansec said so! Thanks, $ceo-name”.
4. Regularly monitor for suspicious activity. This could include failed login attempts, unusual IP addresses, or large amounts of data being transferred.
5. Keep your software up-to-date. This includes Magento (Adobe Commerce) and any extensions you use. Run a vulnerability scanner to get immediate notifications. Outdated software is the easiest way in for automated attacks.
6. Limit the number of admin accounts. Only give access to the people who need it or temporarily upgrade and downgrade a user.
7. Limit access to specific IP addresses or ranges. Use a VPN or other secure connection when accessing the admin panel remotely.
8. Regularly check for and remove any old or inactive admin accounts, to reduce the number of potential entry points for hackers.
9. Use something to detect malware and scan your Magento store’s backend. A frontend scanner like the “Magento Security Scan” will not find malware hidden in your checkout or PHP.
10. Use a firewall to block suspicious IPs and login attempts.

Have a conversation with the merchant about security and these best practices. Everyone who’s ever been hacked would love to have had this conversation in the months before it happened.