Hacker attacking Magento

Last weekend there was a hacker attack affecting about 2000 Magento 1 stores. In this newsletter we explain what we know about it and what you can do to protect your store. We also take this opportunity to thank our partner sansec.io for their support in researching these attacks.

What happened?

We received the message that last weekend about 2000 Magento 1 stores were successfully hacked. The number of attacks is likely to be much higher.

What does it look like?

As soon as the attack became known, we immediately started researching the effects and the cause.

According to our research, the attack uses the “Magento Connect” section of Magento, also known as the downloader, to inject JavaScript code into the store that loads malware. 

Read more about malware at Wikipedia: https://en.wikipedia.org/wiki/Malware

What is “Magento Connect”?

The marketplace of Magento was formerly known as “Magento Connect”. The store itself contains a page from which extensions could be installed. You can find this area by appending /downloader to your store URL, e.g. https://my-mage-one-shop.example.org/downloader/

How do I know that my store has been attacked?

First, you can check whether there has been an attack by searching your web server's access log files for requests to the downloader directory. The relevant lines probably look like this:

/downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name=

If you have found such a line, please send us this excerpt from your log file.
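One way to automate this log search, added here as an example and not part of the newsletter: it parses Apache/nginx combined-format access log lines (the sample lines below are constructed) and reports every client that requested anything under /downloader, flagging the package-upload action from the line above specifically.

```python
import re
from collections import defaultdict

# One line of an Apache/nginx "combined" access log: client IP, identity, user,
# [timestamp], "METHOD URL PROTOCOL", status, size, referrer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators from the newsletter: any request into /downloader, and the package-upload action.
DOWNLOADER_PREFIX = "/downloader"
UPLOAD_ACTION = "connectinstallpackageupload"


def classify(url):
    """Return None, "downloader_access" or "package_upload" for one request URL."""
    path, _, query = url.partition("?")
    if not path.lower().startswith(DOWNLOADER_PREFIX):
        return None
    if UPLOAD_ACTION in query.lower():
        return "package_upload"
    return "downloader_access"


def scan_log(lines):
    """Group suspicious requests by client IP: list of (kind, timestamp, status)."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        kind = classify(m.group("url"))
        if kind:
            hits[m.group("ip")].append((kind, m.group("time"), m.group("status")))
    return dict(hits)


# Constructed sample log (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Sep/2020:03:14:07 +0000] "GET /downloader/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Sep/2020:03:14:09 +0000] "POST /downloader/index.php?A=connectInstallPackageUpload&maintenance=1&archive_type=0&backup_name= HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Sep/2020:03:15:00 +0000] "GET /checkout/onepage/ HTTP/1.1" 200 44120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Sep/2020:03:16:42 +0000] "GET /js/varien/form.js HTTP/1.1" 200 1100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in scan_log(SAMPLE_LOG).items():
        for kind, when, status in events:
            print(f"{ip}  {when}  {kind}  (HTTP {status})")
```

Requests that already got a 404 (for example after the .htaccess rule from the protection section is in place) are still reported, so the script also shows attempts that were blocked.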

How likely am I affected?

If you have blocked access to the downloader directory in your store or this directory does not exist in your store at all, you are safe.

sansec.io also published a breakdown of the currently affected and hacked stores by top-level domain (number of stores per TLD):

872  .com
115  .uk
 91  .nl
 77  .de
 69  .br
 61  .it
 42  .au
 38  .net
 34  .ro
 34  .pl

How do I know that my store has been hacked?

When you are on the checkout page, open the source code of your page and search for the following term: mcdnn.net

To our knowledge, the injected JavaScript code looks something like this:

If you have found this or a similar code, please let us know as well.
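Added example (not from the newsletter) that automates the page-source check and goes one step further: besides searching for mcdnn.net, it lists every external host the checkout page loads scripts from, so an unexpected domain stands out even if the indicator changes. The store hostname and the HTML excerpt are constructed.

```python
import re
from urllib.parse import urlparse

# Indicator named in the newsletter; extend this set as further domains become known.
KNOWN_BAD_HOSTS = {"mcdnn.net"}

# src attribute of <script> tags, single or double quoted.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def is_bad_host(host):
    """True for a known-bad domain or any of its subdomains."""
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)


def script_hosts(html):
    """Hosts that <script src=...> tags load from; protocol-relative URLs are treated as https."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(html):
        if src.startswith("//"):
            src = "https:" + src
        host = urlparse(src).hostname
        if host:  # relative paths like /js/foo.js have no host and are served by the store itself
            hosts.add(host.lower())
    return hosts


def check_checkout_page(html, own_hosts):
    """Report known-bad script hosts, any other external script host, and the plain text search."""
    own = {h.lower() for h in own_hosts}
    hosts = script_hosts(html)
    known_bad = {h for h in hosts if is_bad_host(h)}
    return {
        "known_bad": known_bad,
        "unknown_external": hosts - own - known_bad,
        # the plain text search the newsletter recommends; also finds the domain in inline code
        "text_match": any(bad in html.lower() for bad in KNOWN_BAD_HOSTS),
    }


# Constructed checkout page excerpt (not a real capture).
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/js/prototype/prototype.js"></script>
<script type="text/javascript" src="https://my-mage-one-shop.example.org/js/varien/form.js"></script>
<script src='//mcdnn.net/js/checkout.js'></script>
<script src="https://static.example.net/tracker.js"></script>
</head><body>Checkout</body></html>"""

if __name__ == "__main__":
    for key, value in check_checkout_page(SAMPLE_HTML, ["my-mage-one-shop.example.org"]).items():
        print(f"{key}: {value}")
```

Review the "unknown_external" hosts by hand: legitimate payment or analytics providers will appear there too, so keep a list of the hosts your store is expected to use.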

What should I do if I find the Malware code?

Contact your agency or developer and ask them to find and remove this code immediately. You should also search for files that are not part of the Magento installation. In several of the hacked stores a mysql.php file was found in the root directory.

Be sure to inform customers who have placed orders since the weekend that their data is at risk.

What does this code do?

You can assume that malware code that was introduced into your store’s checkout is trying to intercept credit card data or other access data.

What can I do to protect my store?

You have two possibilities to protect your store.

1. Protect the directory via the .htaccess file

Open the .htaccess file located in the root folder of your Magento installation (where cron.sh and cron.php are located) and add the following line at the beginning (this requires your store to be served by Apache with .htaccess overrides enabled; nginx does not read .htaccess files):

RedirectMatch 404 ^/downloader/.*$

2. Delete the downloader directory

Remove the complete directory "downloader", which is located in your root directory. You can delete it without hesitation: since the Marketplace for Magento 1 has been switched off, the downloader can no longer be used for its purpose. Alternatively you can rename the directory, but a complete removal is much safer.

Will there be a patch?

We are still investigating the attacks and, if possible, we will release a patch within the next 30 days. You will be informed about this patch by e-mail. Nevertheless, we recommend that you take the measures described above in the meantime.

Mage One Patches for Magento 1: MO-16, MO-17

Patch MO-16

This patch adds PHP 7.3 compatibility. We highly encourage you to upgrade your PHP version to benefit from performance improvements.

Patch MO-17

This patch improves the clearing of session data with parallel logins.

You can download these patches in your customer account at https://my.mage-one.com/patches. Everything you need to know about the issue and how to install it is explained there.

FAQ

Magento 1 & Mage One vs. Relaunch ~ When is the change worthwhile?

Magento 1 has stirred up the market of open source e-commerce systems and has become one of the most popular e-commerce systems in the world within a short time. For over a decade, small and large retailers have been relying on it.

Since Magento announced that it will discontinue official security updates in June 2020 and no longer release updates for Magento 1, hundreds of thousands of merchants will no longer have reliably maintained software in the future.

Spoilt for choice
There are currently many alternatives to Magento 1. Depending on the size and complexity of the shop, there are various options available.

For many shop owners, this change is sudden and unexpected, despite the announcements and the one-time postponement of the support end of Magento 1.

In this situation it is important to stay calm and find new possibilities. A change from Magento 1 to Magento 2 is not a small update, but a time-consuming and costly process that requires rewriting and rethinking many parts of the system. Of course this also applies to other e-commerce systems such as Shopware, as well as other frameworks and technologies.

The shop operator has to make an important technological decision. A change is costly, especially considering the time already invested in Magento 1, the employees that have already been trained and the corresponding budgets. In addition, an agency must be found that has the necessary resources and expertise. The decision has also been made more difficult by the launch of Shopware 6 in January 2020. With the release of Shopware 6, Shopware has guaranteed the support and further development of Shopware 5 for the next 5 years.

The right numbers support the decision
There are many factors that need to be taken into account in order to make an informed decision. However, this does not necessarily mean that an immediate change must be imminent. Mage One will offer security updates for Magento 1 from June 2020 onwards. The costs are based on the shop’s turnover and start at 29 € per month. In this case, an example calculation can help with the decision-making process.

Monthly costs for Mage One start at 29 €; with hopefully increasing shop sales, the monthly costs will increase to 99 € in the next season.
In our example calculation we exceed this threshold in the third year. In our example, the total cost of providing security updates for the next 5 years is 4,260 €. If the Magento 1 shop is not running on the latest version, the costs for upgrading Magento to the current 1.9.4.x must be added. With estimated (and version-dependent) costs of about 5,000 €, exemplary costs of 9,260 € will be incurred over the period of 5 years in order to operate the web shop securely in the future.

These costs must be compared to the costs as well as the time and risk required for a relaunch. Assuming costs of approx. 15,000 € for a relaunch, Mage One can continue to operate the web shop at a lower price than a relaunch. The risk is also considerably reduced, because switching to a new shop system also means that employees have to be retrained and possibly new interfaces to third-party systems have to be adjusted or implemented.

Conclusion
By having Mage One provide security updates, such a major decision does not have to be made immediately, whether a timely change can no longer be realised, no decision has been made yet, or no agency could be found. The temporary use of Mage One for 1 – 2 years offers shop operators enough time to make a well-informed decision and to devote the necessary amount of care to the relaunch.

Mage One Patches for Magento 1: Patch MO-15

This patch sends all cookies with a “secure” marker set. This results in sending the cookies solely via HTTPS.

You can download the patch in your customer account at https://my.mage-one.com/patches. Everything you need to know about the issue and how to install it is explained there.

FAQ

Mage One Patches for Magento 1: Patch MO-14

This patch prevents parallel logins for the same user account (session attack for backend and frontend).

You can download the patch in your customer account at https://my.mage-one.com/patches. Everything you need to know about the issue and how to install it is explained there.

FAQ

Mage One Patches for Magento 1: First Patch and QPS

QPS

We are happy to announce that our QPS extension has been released. 

Our QPS (Quick Protection System) is a Magento extension which is installed in the shop, just like a common Magento extension and which acts as a firewall. 

The QPS Extension can, but does not have to be installed! You can find more information about this in your customer account at: https://my.mage-one.com under the menu item “Patches”. 

Patch MO-12

This patch improves PCI-DSS compliance by forcing the login form to disable autocompletion.

You can download the patch in your customer account at https://my.mage-one.com/patches. Everything you need to know about the issue and how to install it is explained there.

What’s next

The patch for PHP 7.3 is in the testing phase and will be released soon. Other security vulnerabilities are currently being investigated. We will inform you as soon as the patches are available in your customer account.

Agency accounts

If you are an agency or freelancer, you will be able to view and download your customers’ patches in your account soon. This area is currently under development and we will inform you about workflow and more details as soon as it is completed.

I am an agency or partner and I don’t see the download in my customer account?

If you are a partner and cannot see the patch, please contact us.

If you are an agency partner and provide technical support to customers who have signed a contract with us, you should see the patches in your customer account. However, in some cases this is not the case. Unfortunately, we are currently forced to revise the section and will inform you in a separate newsletter about the completion. Until then, please contact your customers and request the patch there.

Will there always be one patch per fix, or can more than one problem be fixed in one patch?

Unlike Adobe, we don’t withhold patches and release one big patch file with many fixes at once every three months, but instead we release the patch within 30 days of the vulnerability becoming known, if possible. Therefore there will probably only be one fix per patch.