Discovering that an eCommerce store has sent their credit card data to a malicious third party is the worst nightmare of many shoppers. They adopt an eminently sensible “once bitten, twice shy” attitude towards retailers who allow sensitive financial data to fall into the hands of criminals. Leaking credit card data is a great way to lose customers.
In a recent blog article, security company Sucuri discussed a typical credit card scraper attack against a Magento store. Malicious code was injected into the popular SF9 Realex Magento extension. The code was simple: it routed credit card data submitted by customers to the attacker’s email address.
The scraper’s presence was not the fault of the extension. It’s likely the attacker exploited an existing security vulnerability to gain access to the Magento installation.
The best way to avoid having your store infected with credit card scraper malware is to make it difficult for attackers to compromise it in the first place.
First, and most important, keep your Magento store up to date. Many eCommerce merchants take the view that if their site is working as intended, updating is more trouble than it’s worth. But updates aren’t just for new features. Updates contain patches that fix vulnerabilities. Once a patch has been released, it’s a good bet criminals know about the vulnerability.
I advise store owners to follow announcements on the Magento Security Center, which publishes details of security vulnerabilities and mitigation guidance.
Magento store owners should also be careful which extensions they install and where they come from. Malware is often found in extensions sourced from unverified locations. Using “pirate” versions of premium Magento extensions is a serious risk because they often include malware. Magento Connect implements strict checks to ensure that malicious software isn’t published.
Finally, store owners should ensure they follow password best practices. The web is teeming with brute force bots that love nothing more than an easily guessed password. Robust password policies that enforce long, random passwords for administrator accounts are essential.
To help you keep criminals out of your Magento installation, Nexcess developed two open source Magento extensions: Sentry and Alarmbell.
Alarmbell is a security extension that sends notifications whenever a new admin user is created. The creation of a new admin user without the knowledge of existing administrators is a key indicator that a Magento store has been compromised. Alarmbell will also log every change to admin accounts and failed admin login attempts.
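As an added illustration of the two indicators described above (this is example code, not Alarmbell’s own), the following Python check compares a snapshot of the admin user table against a baseline of known administrators and scans a failed-login log for brute force bursts. The column names, the log format and all sample rows are constructed assumptions, not data from a real store.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the admin usernames the store owner expects to exist.
KNOWN_ADMINS = {"alice", "bob"}
# Constructed snapshot of the admin user table (username, email, created).
ADMIN_USER_ROWS = [
    {"username": "alice", "email": "alice@shop.example", "created": "2015-01-10 09:00:00"},
    {"username": "bob", "email": "bob@shop.example", "created": "2015-02-01 12:30:00"},
    {"username": "support1", "email": "x@mail.example", "created": "2015-06-03 03:12:44"},
]
# Constructed failed admin login attempts, one per line: "date time username source_ip".
FAILED_LOGIN_LOG = """\
2015-06-03 03:10:01 admin 198.51.100.7
2015-06-03 03:10:03 admin 198.51.100.7
2015-06-03 03:10:04 admin 198.51.100.7
2015-06-03 03:10:06 admin 198.51.100.7
2015-06-03 03:10:09 admin 198.51.100.7
2015-06-03 03:10:11 admin 198.51.100.7
2015-06-03 08:45:00 alice 203.0.113.5
"""

def find_unknown_admins(rows, known=KNOWN_ADMINS):
    """Admin accounts absent from the baseline: the indicator to notify existing admins about."""
    return [r for r in rows if r["username"] not in known]

def parse_failed_logins(text):
    """Turn the constructed log into (timestamp, username, ip) tuples."""
    events = []
    for line in text.splitlines():
        date, time, user, ip = line.split()
        events.append((datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), user, ip))
    return events

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, ip): peak} for sources with >= threshold failures inside any sliding window."""
    by_source = defaultdict(list)
    for ts, user, ip in events:
        by_source[(user, ip)].append(ts)
    bursts = {}
    for key, stamps in by_source.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # advance start until the window fits
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts
```

Run as a cron job, `find_unknown_admins` flags `support1` and `failed_login_bursts` flags the six rapid failures for `admin` from one address, while the single failure by `alice` stays below the threshold.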
Sentry is a two-factor authentication plugin for Magento. As I just mentioned, brute force attacks are a frequent cause of Magento stores being compromised. Sentry allows eCommerce merchants to integrate their store with Google Authenticator or Duo, making it practically impossible for brute force attacks to compromise a store.
These basic security precautions are not onerous or time-consuming, and if you consider the potential impact of a credit card scraper or other malware on your Magento store, they’re well worth the minimal time investment.