When you commit to a minimum of six months to our Enterprise plan, we will run a forensic investigation and - if explicitly requested - perform a cleanup for you. Our forensic experts will do the following:
Run an extended examination of your system, covering all aspects of your code base, including database records, embedded assets, system processes, scheduled tasks and any other relevant attack surface. Refer to the section below for a detailed list of relevant components.
This scan typically reveals indicators of a live or past breach (NB. 50% of all eCommerce sites have been breached in the past 5 years!). Provided sufficient logs have been retained, we will investigate any vulnerabilities that may have been exploited in the past 6 months and present a root cause analysis to you.
We will conduct a manual analysis of any potential vulnerabilities or weaknesses of your store, and present you with tailored recommendations. These may include advice on how to harden your configuration, code and procedures, so that your store will be among the most secure stores on the Internet.
Finally, we will make sure that eComscan is properly installed in monitoring mode, set up to alert your tech team on your preferred channels, and optimized for your specific hosting architecture.
To get us started, order an Enterprise plan and grant us temporary access (follow these instructions). We are happy to sign an MNDA for the duration of our investigation. We will report back to you within seven days of having received access (but typically, our investigations are completed much faster).
Important
Do not remove or modify any suspicious code, without consulting us. The creation and modification timestamps may be lost, which are vital in a root cause analysis.
Our reporting and root cause analysis are aimed at helping you quickly obtain full visibility into the scope of an incident during the first phase of incident response. Our reporting to you is confidential and may not be disclosed to third parties, such as insurers and payment providers. If you already have full visibility and require reporting for legal purposes, we recommend engaging a PFI consultancy instead.
You can also order a forensic investigation without an Enterprise subscription, which is billed at 450 EUR per hour and takes one to three days.
Sansec is the only forensic investigator who is specialized in Adobe Commerce & Magento security. We have investigated over 10,000 compromised stores since 2015.
Forensic investigation process overview
For a compromised Magento store, we typically examine the following components and behavior.
- Full scan of PHP and JS code files, for known malware and suspect code behavior
- Full scan of relevant database tables, notably core_config_data, cms_blocks, cms_pages, sales_order, quote_*, admin_users
- Analysis of stored executable code in the database, such as triggers and functions
- Detection of executable code blocks hidden in media or styles assets
- Analysis of system (background) processes
- Analysis of periodic tasks
- Analysis of disk I/O activity during a transaction
- Analysis of network I/O during a transaction
- Analysis of shell activity and initialization code
- Simulation of a customer-initiated transaction via the regular checkout flow
- Analysis of third-party hosted JavaScript sources
- Scan for obfuscated code blocks
- Semi-automated analysis of web server access logs, covering the suspected attack period
- Historical cross-referencing of HTTP activity and disk I/O
- Cross-referencing network activity with our private database of attacker infrastructure
- Analysis of staff account password strength and 2FA implementation
- Examination of Magento system and error logs
- Examination of Magento audit log, if available
- Check for unauthorized backend activity based on trusted IP sets
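The database checks in the list above (scanning stored configuration and CMS content for injected or obfuscated code, and reviewing executable code stored in the database) can be illustrated with a small detection routine. The following is an added example, not Sansec's own tooling or the eComscan scanner: it runs a set of indicator patterns over constructed sample rows shaped like `core_config_data` / `cms_block` / `cms_page` records, flags `<script>` tags that load from a host outside an assumed allowlist, and carries the `information_schema` queries one would use to pull trigger and stored-routine bodies through the same inspection. The allowlist, the sample rows and the hostnames are constructed for the example.

```python
import re

# Constructed sample rows standing in for a SELECT over core_config_data,
# cms_block and cms_page. None of this is data from a real store.
SAMPLE_ROWS = [
    {"table": "core_config_data", "path": "design/head/includes",
     "value": '<link rel="stylesheet" href="/pub/static/styles.css">'},
    {"table": "core_config_data", "path": "design/footer/absolute_footer",
     "value": '<script>eval(atob("dGVzdA=="))</script>'},
    {"table": "cms_block", "path": "footer_links",
     "value": '<script src="https://cdn.example-not-allowlisted.test/x.js"></script>'},
    {"table": "cms_page", "path": "home", "value": "<p>Welcome to our store</p>"},
]

# Script hosts the store owner has deliberately included (assumed allowlist;
# a real engagement takes this from the merchant's own inventory).
TRUSTED_SCRIPT_HOSTS = {"www.google-analytics.com"}

# Indicators that are rarely legitimate inside a config value or CMS block.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\batob\s*\(|\bbase64_decode\s*\(", re.I),
    "char_codes": re.compile(r"String\.fromCharCode", re.I),
    # Long base64-looking runs or \xNN escape chains usually mean packed code.
    "long_hex_or_b64_blob": re.compile(
        r"[A-Za-z0-9+/=]{80,}|(?:\\x[0-9a-f]{2}){20,}", re.I),
}
SCRIPT_SRC = re.compile(
    r"<script[^>]+src\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
INLINE_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Queries for the "stored executable code" check. ACTION_STATEMENT and
# ROUTINE_DEFINITION can be fed to inspect_value() exactly like a CMS block.
TRIGGER_QUERY = (
    "SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT "
    "FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA = DATABASE()")
ROUTINE_QUERY = (
    "SELECT ROUTINE_NAME, ROUTINE_TYPE, ROUTINE_DEFINITION "
    "FROM information_schema.ROUTINES WHERE ROUTINE_SCHEMA = DATABASE()")


def inspect_value(value, trusted_hosts=TRUSTED_SCRIPT_HOSTS):
    """Return the list of indicator names that fire on one stored value."""
    hits = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(value):
            hits.append(name)
    # External script loads are only acceptable from allowlisted hosts.
    for host in SCRIPT_SRC.findall(value):
        if host.lower() not in trusted_hosts:
            hits.append(f"untrusted_script_host:{host.lower()}")
    # A non-empty inline <script> body in stored content warrants manual review;
    # an empty body (e.g. <script src=...></script>) is covered above.
    if any(m.group(1).strip() for m in INLINE_SCRIPT.finditer(value)):
        hits.append("inline_script")
    return hits


def scan_rows(rows):
    """Map (table, path) -> indicators for every row with at least one hit."""
    findings = {}
    for row in rows:
        hits = inspect_value(row["value"])
        if hits:
            findings[(row["table"], row["path"])] = hits
    return findings


if __name__ == "__main__":
    for (table, path), hits in scan_rows(SAMPLE_ROWS).items():
        print(f"{table}.{path}: {', '.join(hits)}")
```

Running the example reports two of the four constructed rows: the footer configuration value carrying an inline `eval(atob(...))` and the CMS block loading a script from a host outside the allowlist. Pattern hits like these are indicators for a human to follow up, not verdicts, which is why each finding names the table and path so the reviewer can pull the full row and its modification history.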
Beyond these lines of investigation, we conduct a number of proprietary checks, which we cannot disclose for obvious reasons.
This page was last updated on Jan 9th, 2023