The majority of online stores have never been hacked and, as a result, take a somewhat lax approach to cybersecurity. However, no less than 20% of all online stores get hacked every year, which means it might only be a matter of time until yours becomes the next victim.
This is what happened to one of our clients. Thanks to his attentiveness - and a bit of luck! - this merchant noticed some abnormalities in his store’s code. He wasn’t using our malware scanning technology at the time, so he reached out to us for a full investigation.
Investigate the attack first, fix the problems later
Counterintuitively, we always insist that you don’t make any changes to your website if it has been hacked. If a merchant removes the malware her/himself, the root cause analysis may fail and some vulnerabilities may remain undetected. If the original vulnerability remains, the attacker will most likely reinfect the web store. Hacking groups often work with automated systems that probe lists of ecommerce websites for known vulnerabilities and reinfect them again and again.
At Sansec we monitor 150.000 Magento & Adobe Commerce ecommerce websites with our Early Breach Detection Network. According to this data, a significant percentage of all web stores get reinfected within a matter of days. Reinfection happens either by exploiting the same vulnerability or because a backdoor was installed after the initial breach. A backdoor is a secret entrance, well hidden in the web store, whose sole purpose is to let the attacker back in after a superficial cleanup. Backdoors are hard to find without a specialized malware scanner: they can “live” in databases, in memory, or somewhere inside an otherwise legitimate file.
Results of the root cause analysis
Typically, when we do a root cause analysis, we report in the way shown below for this customer case.
The root cause was an admin breach on 2021-03-04 at 17:47:50 (Zulu time, i.e. UTC), performed from a foreign IP (DE .**..**). This actor uploaded a backdoor (errors/log.php), through which several further uploads were done. As the timestamps of all malware found were later than the creation of the backdoor, we can assume this backdoor was used to upload all of it.
A large number of foreign POST requests were found on your admin panel. This suggests a brute force attack was performed to obtain the username and password of your backend. In 2021, more than 250.000 such requests were found in your access logs.
In this case, the merchant suffered multiple hacks:
- An admin password was hacked by doing a brute force attack
- 2 credit card skimmers were installed to hijack customer payment data
- Several backdoors/file uploaders for perpetual access, to make sure the credit card skimmers could be reinstalled when removed.
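As an added example (not part of Sansec's report or of eComscan), the following Python script runs the two checks the report above relies on over constructed access-log lines: it counts POST requests to the admin panel per source IP, which is the brute-force signal, and it finds the earliest request to a suspected backdoor path, which anchors the timeline against which later malware timestamps are compared. The log lines, IP addresses, admin path and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" format; hypothetical
# IPs and timestamps, not taken from any real merchant's logs.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2021:17:45:01 +0000] "POST /admin/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [04/Mar/2021:17:45:02 +0000] "POST /admin/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [04/Mar/2021:17:45:03 +0000] "POST /admin/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [04/Mar/2021:17:47:50 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.7 - - [04/Mar/2021:17:48:10 +0000] "POST /errors/log.php HTTP/1.1" 200 88 "-" "curl/7.68.0"
198.51.100.9 - - [04/Mar/2021:18:00:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Mar/2021:18:00:05 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(lines):
    """Yield one dict per parseable line, with the timestamp as an aware datetime."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def admin_post_counts(lines, admin_prefix="/admin"):
    """Number of POSTs to the admin panel per source IP (the brute-force signal)."""
    counts = defaultdict(int)
    for rec in parse(lines):
        if rec["method"] == "POST" and rec["path"].startswith(admin_prefix):
            counts[rec["ip"]] += 1
    return dict(counts)

def brute_force_suspects(lines, threshold=3):
    """IPs whose admin POST volume meets the (assumed) threshold; tune it to real traffic."""
    return sorted(ip for ip, n in admin_post_counts(lines).items() if n >= threshold)

def first_hit(lines, path):
    """Earliest request to a given path (e.g. a suspected backdoor), or None if never requested."""
    hits = [rec for rec in parse(lines) if rec["path"] == path]
    return min(hits, key=lambda rec: rec["ts"]) if hits else None

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("admin POSTs per IP:", admin_post_counts(lines))
    print("brute-force suspects:", brute_force_suspects(lines))
    print("first request to backdoor:", first_hit(lines, "/errors/log.php"))
```

Any file-modification timestamp earlier than the first request to the backdoor path cannot have come through that backdoor, which is exactly the check that justified the conclusion in the report.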
A credit card skimmer is a piece of software (malware) that silently steals credit card information during the checkout process. It makes a copy of the customer and payment data, such as credit card number, holder name, CVV, and expiry date. This hack would likely have remained under the radar for a long time had it not been for the merchant’s accidental discovery of an abnormality in the code. After all, it is in the hacker’s best interest to remain undetected and keep gathering data. Another strategy hackers use is to stay dormant and wait until something big is happening, such as Black Friday, so as to steal more data at once.
What if the merchant failed to detect and remove the credit card skimmer and backdoors?
Firstly, the goal of credit card skimmers is rather obvious: to steal money from unsuspecting customers. If multiple customers find that their credit cards have been charged, it is only a matter of time until their bank or card issuer traces the data loss back to the responsible store. On top of this, major hacks in ecommerce are often shared in press releases or by investigative journalists. As your reputation is at stake, it is of utmost importance to keep your ecommerce website safe. Sometimes, even customers reach out to Sansec after they find strange transactions on their credit cards.
Secondly, the backdoors are the reason why stores keep getting reinfected if merchants remove the malicious code themselves.
To use a brick-and-mortar analogy, removing the malware without solving the vulnerability is like calling the cops on unwanted intruders but consistently refusing to lock the door.
Many websites find themselves reinfected within weeks or months, and stores typically have to clean up malware three to five times a year because they fail to take adequate measures to tackle the root of the problem on their first attempt.
Thanks, this is great information. Honestly, the price is well worth it, more than I was miffed if it had been sitting there for 2 years after the last time. Will work to clean up the admin access and other updates this weekend, thank you for the detailed guide. Well done guys!
— Anonymous Merchant
Automating security for Magento and Adobe Commerce
Do you want to check whether your Magento or Adobe Commerce web store has been hacked? Or do you want to scan your ecommerce website for vulnerabilities in Magento, the installed extensions or in your configuration, to prevent an attack from succeeding? All Sansec’s research is combined in eComscan, the back-end malware and vulnerability scanner for Magento.
eComscan gives you actionable results; it will show you:
- the files the hacker has changed and now uses to spy on you and your customers (malware);
- if your software (Magento, Adobe Commerce, WooCommerce) contains vulnerabilities;
- if the extensions you use are up to date and/or contain vulnerabilities;
- hidden entrances (backdoors) hackers place to ensure their continued access;
- an assessment of your configuration from a security perspective (Magento, Adobe Commerce, server setup).
eComscan is a 5-minute install and will save you multiple hours per month that you would otherwise spend keeping up with security news and attack vectors.