Hackers Exploiting Gullible Magento Site Administrators

Nexcess recently released a report on a recent exploit in which fake Magento Extensions were used to skim credit card information from affected Magento websites. While it seems that some of the stores were breached by correctly guessing simple admin usernames and passwords, others seemed to be the result of site administrators installing Magento Extensions that included backdoors that gave the hackers remote access to the website. Once the backdoor was installed, the hackers went on to modify core Magento files, ensuring that when a credit card order was placed, the credit card information would be saved to a text file disguised with an image file name extension (.jpg, .gif or .bmp) and stored in the /media directory, allowing the hackers, and anyone else on the internet, to download the credit card information.

There may be many variations of these affected Magento Extensions in the wild, not just the ones mentioned here. Also, before you install any Magento Extension on your website that processes credit card transactions, you should perform a code review on the extension and be on the lookout for any suspicious code changes. Be aware that a quality Magento Extension will never directly modify core Magento files, but will instead override the classes within the extension’s own directory.

The Magento Extension names that are known to be affected include:

  1. Unigry GiftCert

  2. RetailTower Feed_Manager

  3. Unirgy Instaler

Note: Even though Unigry and RetailTower’s names are used on these extensions, they have nothing to do with the exploit. Their names are simply being used as a way to hide malicious code in a real extension’s name.
