September 16, 2020 – Over this past weekend, starting on September 11, 2020, nearly 2,000 online stores running the Magento platform were hacked. The attackers loaded a web skimmer – code injected into a site’s payment page – that records customers’ credit card numbers as they are entered. The campaign, now known as CardBleed, exploited a vulnerability in the Magento 1 platform. That version of the platform reached End-of-Life (EOL) in June 2020, which complicates the response: an official patch is unlikely.
What Happened?
Beginning on Friday, September 11th, 2020, 10 stores still running the Magento 1.x platform were infected with the CardBleed skimmer. The attacks then escalated: 1,058 more stores on Saturday, another 603 on Sunday and a further 233 on Monday.
The skimmer, a common type of attack, was placed on each site after the attackers gained access to the Magento 1.x admin console through an automated script. Automation lets an attacker hit many sites at once, before the vulnerability is found and fixed. The previous large automated attack on Magento stores came in July 2019, when 962 stores were breached in a single day.
It’s estimated that tens of thousands of customers were impacted by the breach.
How Did CardBleed Attackers Get Access?
In addition to being automated, the attack did not depend on a valid admin account: the exploit itself gave the attackers the access needed to inject malicious code into the underlying platform.
Although the exact attack vector is still under investigation, the security firm Sanguine Security (Sansec) reported a recent posting that offered a 0day exploit for sale. Magento’s parent company, Adobe, recently contracted with Sansec to integrate Sansec’s database of malware signatures into the platform’s back end.
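A signature database catches skimmers that have already been seen. A complementary check a store operator can run today, and one that does not depend on knowing the exploit, follows from the injection described above: the attacker has to change or add files under the document root, so a file-integrity baseline taken while the store is clean will flag the injection on the next scan. The script below is an added example, not code from the article, from Magento or from Sansec. It assumes Python 3 can run on the web host (or against a copy of the webroot), that the directory names in EXCLUDE_DIRS are the ones that churn normally on a Magento 1 host, and that the baseline file is stored somewhere the web server cannot write.

```python
"""File-integrity baseline for a Magento 1 document root.

Added example, not code from the article or from Magento/Sansec.
Assumptions: Python 3 runs on the web host (or on a copy of the webroot),
and the baseline is taken while the store is known to be clean.
"""
import hashlib
import json
import sys
from pathlib import Path

# File types a server-side skimmer injection usually touches (assumption; widen if needed).
WATCHED_SUFFIXES = {".php", ".phtml", ".js", ".html"}
# Directories that legitimately churn on a Magento 1 host and would drown the report (assumption).
EXCLUDE_DIRS = {"var", "media"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large assets are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot) -> dict:
    """Map each watched file (path relative to webroot, POSIX form) to its SHA-256 digest."""
    root = Path(webroot)
    baseline = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WATCHED_SUFFIXES:
            continue
        rel = path.relative_to(root)
        if any(part in EXCLUDE_DIRS for part in rel.parts[:-1]):
            continue
        baseline[rel.as_posix()] = sha256_of(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, out_file) -> None:
    # Keep this file off the webroot: an attacker who can write there could edit it too.
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file) -> dict:
    return json.loads(Path(in_file).read_text())


def check(webroot, baseline_file) -> dict:
    """Rescan the webroot and diff it against a saved baseline."""
    return compare(load_baseline(baseline_file), build_baseline(webroot))


def demo() -> dict:
    """Self-contained run on a constructed tree: take a baseline, simulate an injection, rescan."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "js" / "checkout.js").write_text("// constructed sample, not real Magento code\n")
    (root / "index.php").write_text("<?php // constructed sample\n")
    baseline = build_baseline(root)
    # What a server-side injection typically leaves behind: an altered JS file and a new PHP file.
    with (root / "js" / "checkout.js").open("a") as fh:
        fh.write("document.addEventListener('submit', function (e) { /* skimmer stub */ });\n")
    (root / "dropped.php").write_text("<?php // constructed: file that was not in the baseline\n")
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_baseline(build_baseline(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(check(sys.argv[2], sys.argv[3]), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run `python integrity.py baseline /path/to/webroot /secure/location/baseline.json` once on a clean store, then `python integrity.py check /path/to/webroot /secure/location/baseline.json` from cron; with no arguments it runs the constructed demo, which reports `js/checkout.js` as modified and `dropped.php` as added. The check only tells you that something changed, so every hit still needs a human to confirm whether it was a legitimate deployment or an injection.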
Who is at Risk From the CardBleed Magento Attack?
Online sellers at risk from this vulnerability are those still using the End-of-Life (EOL) version of the platform, Magento 1.x. Adobe ended support for all versions prior to 2.0 in June 2020, so any patches will have to come from third-party sources.
Unfortunately, despite the platform being EOL, more than 95,000 stores are still using Magento 1.x.
That number is considerably smaller than the 240,000 retailers who were once using Magento 1.x, or the 110,000 still on it at the EOL date. At least some of the retailers still running the unsupported version may be abandoned storefronts, or have minimal traffic and sales. Yet a number of larger online stores still run the unsupported and vulnerable version.
For those online retailers, the best way to protect themselves and their customers is to upgrade to a fully supported version of Magento, version 2.0 or above. Upgrading removes the unsupported code base; a store that has already been hit also needs the injected code removed and the customers who paid during the window notified.