A security company says fake or compromised modules can expose payment and confidential information to cybercriminals.

Foregenix, an information security company based in the United Kingdom, says that e-commerce companies using Magento may have unintentionally installed compromised or fake extensions that can leave businesses open to attack.

Foregenix says the discovery does not point to weaknesses or vulnerabilities in the Magento software itself; rather, the risk comes from users installing modules provided by companies that develop add-ons to the widely used Magento e-commerce software. The affected modules remain on the site and open it up to attacks. The modules allow cybercriminals to access the impacted site and make system modifications to obtain payment card details, as well as other confidential information belonging to both consumers and the compromised businesses.

“As one of the most popular e-commerce platforms, Magento is an obvious target for attackers,” says director of Foregenix, Andrew Bontoft. “Magento users should maintain vigilance when selecting and installing modules to their site; specifically, making sure that they are deploying code from legitimate and trusted sources.”

Magento says it is not aware of any security weaknesses. “Magento has found no evidence, and has not been provided with any evidence by merchants or solutions partners of compromised or fake extensions resulting in platform vulnerabilities,” says Paul Boisvert, director of product management. “Each recorded instance of malicious code has been the result of exploitation of weak passwords–not compromised extensions. Magento takes security very seriously and provides administrative logging of all actions to assist merchants in discovering invalid actions.”

Magento is the e-commerce platform used by 34 e-retailers in the Internet Retailer Top 500 and 64 e-retailers in the Second 500 Guide.


Foregenix says this latest attack illustrates the increasing sophistication of malware attacks. “This highlights the increasing threat of cybercrime for businesses in the U.K. and across the globe,” says Benjamin Hosack, director of Foregenix. “Hackers are increasingly finding ways to find flaws in online platforms, payment portals and data gateways, so businesses need to be aware of the threat and put in place solutions to protect themselves and their customers.”

Foregenix has set up a web site that includes a free scan for businesses to check if their web sites have been affected by any of the suspect modules. 
