Vulnerabilities in eCommerce platforms make for holiday season risks [Q&A]
As we head towards a COVID Christmas it's likely that many more people will be doing their holiday shopping online.
But while this is good news for online retailers it's also an opportunity for fraudsters. This year has already seen a surge in attacks on eCommerce sites and there are certain to be more to come. We spoke to Satnam Narang, staff research engineer at Tenable to find out more about the latest vulnerabilities and how businesses can protect themselves.
BN: Why is eCommerce such an attractive target for cybercriminals?
SN: Payment card information is extremely valuable to cybercriminals. Rather than focusing their efforts on individuals through phishing attacks, high volume activity presents the perfect opportunity for cybercriminals to take advantage on a broader scale. We've seen patterns such as this time and time again with popular social media apps and events like Amazon Prime Day. Thanks to the pandemic, consumers spent $211.5B on e-commerce sites in Q2, an increase of more than 30 percent since the pandemic began, and these numbers are anticipated to rise this holiday season, as 40 percent of Americans plan to exclusively shop online this holiday season. This holiday season is shaping up to be even more scam-heavy than normal.
Vulnerabilities impacting eCommerce sites pose a significant challenge. For instance, researchers have reported on multiple occasions a severe flaw in a WooCommerce plugin that is used by 40,000 websites. In early September, researchers identified an active campaign that impacted 2,000 websites using Magento. Magecart is a popular payment card skimming tool that is injected into eCommerce websites to siphon off payment card details as users attempt to check out. Magecart attacks will remain problematic, especially since Magento 1 reached end of life in June of this year, leaving thousands of websites vulnerable to attacks.
BN: Can you tell us a bit about the Magento flaw that you recently helped to uncover?
SN: Tenable Research discovered two vulnerabilities in the MAGMI Magento plugin, the open-source e-commerce platform acquired by Adobe. Magento has been an increasingly popular target for bad actors, as the FBI spotted attackers exploiting a three-year-old vulnerability in the same plugin in May.
The first flaw was an authentication bypass vulnerability that could allow for remote code execution. During testing, Tenable successfully performed a DoS attack by sending a large number of connection requests at the same time, forcing the database connection to fail. Once the connection fails, there is a window of opportunity where an attacker can utilize default credentials to log in.
The second vulnerability, which has not been patched yet, is a cross-site request forgery vulnerability that could allow an attacker to trick a Magento administrator into clicking on a link while authenticated. Clicking on the link could allow a bad actor to hijack the administrator’s sessions and execute arbitrary code on the server.
BN: Are these frauds becoming more sophisticated?
SN: The sophistication isn't within the attacks themselves, but their tactics are clever. Researchers at Malwarebytes have observed Magecart groups using homoglyph attacks, which involve using characters that look similar to others as part of the domain names. The scripts injected into eCommerce websites will look the same to the naked eye but, upon further inspection, reveal the use of homoglyphs. For example, swapping in the character l in place of the letter i.
Earlier this summer, researchers at Sansec uncovered a Magecart attack against Claire's, a popular fashion retailer. The attackers registered a domain name 'claires-assets.com' so that when the payment card information was sent back to their server, it wouldn't raise as many suspicions.
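As an added illustration of the defensive side of the two tactics just described (not code from the interview or from Tenable), the following script audits the external `<script src>` hosts on a checkout page against an allowlist and flags both homoglyph variants of a trusted domain and "brand-assets"-style lookalikes. The domain names, the confusable-character table and the sample page are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Ordered substitutions that fold common lookalike spellings together
# (constructed, illustrative list; not a full Unicode confusables table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("l", "i"), ("1", "i"), ("0", "o")]

SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']([^"\']+)["\']', re.I)

def fold(name):
    """Canonical form of a domain so homoglyph variants compare equal."""
    name = name.lower()
    for src, dst in CONFUSABLES:
        name = name.replace(src, dst)
    return name

def registrable(host):
    """Last two labels (assumes no multi-part public suffix such as co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

def audit_scripts(html, trusted_hosts):
    """Classify every external <script src> on a page against trusted hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    trusted_domains = {registrable(h) for h in trusted}
    brands = {d.split(".")[0] for d in trusted_domains}
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host is None:
            continue  # relative URL: served by this site, not an external load
        dom = registrable(host)
        if host.lower() in trusted or dom in trusted_domains:
            verdict = "trusted"
        elif any(fold(d) == fold(dom) for d in trusted_domains):
            verdict = "homoglyph of trusted domain"  # e.g. l swapped in for i
        elif any(b in dom for b in brands):
            verdict = "brand lookalike"  # e.g. brand-assets.com
        else:
            verdict = "untrusted third party"
        findings.append((src, verdict))
    return findings

# Constructed sample checkout page; only the first script host is legitimate.
SAMPLE_HTML = (
    '<script src="https://cdn.digimart.com/checkout.js"></script>'
    '<script src="https://diglmart.com/js/checkout.js"></script>'
    '<script src="https://digimart-assets.com/loader.js"></script>'
    '<script src="https://stats.thirdparty.net/t.js"></script>'
    '<script>var inline = 1;</script>'
)
```

Running `audit_scripts(SAMPLE_HTML, {"digimart.com", "cdn.digimart.com"})` over a saved copy of the checkout page, or over the page fetched by a monitoring job, gives one verdict per external script, so a newly appearing lookalike host stands out before it needs a human to spot the swapped character.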
BN: How can eCommerce businesses keep themselves safe in the run up to the holiday season?
SN: It starts with making sure you are running an eCommerce solution that is fully patched and still receiving security updates. From there, it is about auditing any plugins or third party integrations you have implemented in your website to ensure they are patched. Additionally, implementing web security measures such as content security policy is a proactive way eCommerce site operators can better protect themselves against potential attacks.