E-COMMERCE PLATFORM TARGETED, PAYMENT INFO AT RISK
Last year the popular e-commerce platform Magento was impacted by a critical vulnerability. Initially discovered by Check Point security researchers, the vulnerability was privately disclosed to Magento’s owner, eBay. Magento patched the flaw but merchants were slow to adopt the patch and resolve the problem. Two months after the patch was released, 98,000 online merchants had not implemented it.
As reported by Sucuri's Denis Sinegubko, the platform continues to be a popular target for cybercriminals today. “During the last year we described quite a few Magento attacks that steal customer credit cards. While most of them target the app/code/core/Mage/Payment/Model/Method/Cc.php it’s not the only file that you should be watching.” He goes on to describe a form of malware that injects itself into the platform, “checks if the function data contains credit card number and sends it to” the cybercriminal’s server.
According to Magento's website, over 240,000 online merchants use their e-commerce software. Popular brands have used the platform for online merchant services including Nike, North Face, and Nordstrom. Last fall a number of websites running the e-commerce platform were compromised and used to spread the Neutrino Exploit Kit, a malicious program which detects and exploits vulnerabilities in the software installed on users’ machines. As Sinegubko writes, “With about 30% of the market share, Magento is gradually becoming a “WordPress” of the ecommerce world. Like WordPress, it becomes a major target for hackers due to its popularity.”