Magento confirmed to Internet Retailer yesterday that its e-commerce platform suffered a malware attack that impacted around 5,000 of its Magento Open Source users.
A spokeswoman for Magento said the sites were infected with MagentoCore skimming malware that is designed to uncover simple passwords. MagentoCore is a malicious payment card data-stealing script that was designed to compromise websites that run on the Magento e-commerce platform.
“One of the most common ways a site can be compromised is by brute force attacks, which work by exploiting common or default passwords,” the spokeswoman said.
Magento ranks No. 1 among e-commerce platform providers to the Internet Retailer Top 1000 with 167 Top 1000 retailers using Magento for their e-commerce platforms.
“Nearly all of the sites we’ve identified as being infected with the MagentoCore malware signature are missing patches and/or running on an outdated version,” the spokeswoman said.
Magento is an open-source platform, which means it allows web developers to create and share their own custom features or tweak the existing ones themselves because it offers access to underlying source code.
There is no evidence that any Magento Enterprise customers were impacted, Magento says. Magento Enterprise is the platform’s fee-based offering. “We’re committed to ensuring the security of our customers and encourage all merchants to stay up to date on security patches,” the spokeswoman said. “Merchants should sign up for the Magento Security Scan Tool and schedule regular scans of all of their domains. This free tool allows merchants to monitor their sites for security risks, [including vulnerability] to brute force attacks. The Security Scan Tool also monitors for malware,” the spokeswoman said.
Magento launched the latest version of its platform, Magento 2, in 2015. Consumers can pay for Magento 2 to get more features and help, or use the free edition, called Magento Open Source. Magento added a cloud-based offering for Magento 2—Magento Commerce Cloud—in April 2016. Retailers must use the fee-based version of Magento 2 to get the cloud-based offering, which allows retailers to access Magento software hosted on the web by the vendor.
In an interview late last year, Peter Sheldon, vice president of strategy at Magento Commerce, said most new Magento clients choose the cloud-based version of Magento and the percentage of clients who choose that version, which is hosted using Amazon Web Services, is “rapidly ticking up.”
As of late 2017, about 20,000 customers were using Magento 2, split between about 2,000 using the paid version and 18,000 using the free version. “There is still a sizable base of live Magento 1 merchants [the original version of Magento]; however, there is now a very rapid migration flow from Magento 1 to Magento 2,” Sheldon said.
Adobe Systems Inc. bought Magento in June 2018 for $1.68 billion.