back to article Badmins: Magento shops brute-forced to scrape card deets and install cryptominers

Hackers have compromised hundreds of e-commerce sites running the popular open-source Magento platform to scrape credit card numbers and install crypto-mining malware. The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials, threat intel firm Flashpoint has warned …

  1. Pascal Monett Silver badge

    "Not changing the default credentials" . .

    . . means you shouldn't have it in the first place.

    Harsh, I know, but you set up something to deal with other people's money, so the least you can do is ask around to find out what are the risks and how to mitigate them. Even if it's just contacting support, or Googling the product. Do something for Pete's sake.

    1. Stuart Halliday

      Re: "Not changing the default credentials" . .

      You're not talking about the Human Race sadly. People take the easy path.

      If that leads to mud and shite, then they really don't care or know about it to avoid.

      Time to put some obstacles in their path and explain why they're there.

      Far too much open source software makes the absurd assumption the user knows what they're doing.

      Remember when Routers first became available? They were shipped with no security set as it was assumed professionals were going to use them.

      The Public got a shock and manufacturers had to ship them with the security turned on.

  2. Milton

    " ... firms in the education and healthcare industries ..."

    "Most of the victims among the 1,000 compromised panels belong to firms in the education and healthcare industries, largely in the US and Europe."

    Curious that those specific industries are affected—but I wonder if that means they are customers of webmasters who specialise in boilerplating eCommerce sites for those industries? If that were so, it would imply that one or a few web design outfits have not only been stamping out cookie-cutter Magento sites for those industries, they've been including cookie-cutter mistakes too. Perhaps they were so busy massaging CSS to convince their latest client that he's paid lots of good money for a beautiful, finely-crafted shopping cart, that they forgot to do some basic security checks?

    1. Anonymous Coward
      Anonymous Coward

      Re: " ... firms in the education and healthcare industries ..."

      "Curious that those specific industries are affected"

      I am not. Have you seen those industries?

      Nothing wrong with their intelligence. But someone studying a tree under an electron microscope, may fail to see the forest is on fire!

  3. Stuart Halliday

    Why do they even come with default login details?

    Bizarre.

    1. Anne-Lise Pasch

      This. A thousand times this. Even worse are Dev houses that take customer databases and then *reset the default passwords* for support, then mount them on internet-facing staging environments. GDPR can't come soon enough to leverage business-case support to fix this mess.

    2. phuzz Silver badge
      Facepalm

      There's plenty of software which insists that you create a new password for it's admin/root account when you install it. This should be standard practice for anything that has it's own login system.

      Of course then we just have to deal with the idiots who use "password" or "1234", but it's a start.

  4. SVV Silver badge

    Brute forced?

    Not at all. They simply used the same set of keys that everybody gets and then opened the door and strolled in.

    I suppose when you market an "easy to use out of the box" commerce site building tool, then some people may think they need to just follow the instructions given and that'll be all they need to do, In which case Magento should have been a lot more thorough on the documentation for installation and configuration with big warning sign sections on vital steps such as this.

    However, when you're getting to the level of taking online payments using such a product, it SHOULD go without saying that you shouldn't really be doing that sort of stuff without getting it thoroughly checked over by a security expert. And I mean an expert with a solid track record, not a "my mate Gary who knows a bit about computers". Wonder who's going to end up liable for the stolen money? I sispect the card issuers might not be looking too fondly at this product right now.....

    1. FatGerman

      Re: Brute forced?

      >> However, when you're getting to the level of taking online payments using such a product, it SHOULD go without saying that you shouldn't really be doing that sort of stuff without getting it thoroughly checked over by a security expert.

      It might go without saying to somebody who knows what they're doing, but plugin do-it-all-out-of-the-box systems like Magento are not aimed at people who know what they're doing. The likelihood is that people install it without knowing there is such a thing as security, or simply assuming that this is a professional thing written by professionals and therefore should already be secure. Personally I do know what I'm doing and I would still expect the latter, because what kind of complete numpty ships an insecure e-commerce package?

  5. Stevie Silver badge

    Bah!

    Comes to summat when sending the payment details over unencrypted email is safer than using a proper e-commerce payment portal.

  6. LeahroyNake Silver badge

    Several K

    I have seen and end up managing e-commerce sites that cost several thousand pounds to deploy. Zencart being the most prevalent and my personal fave. One of the first things it advises is to change the default login details and more importantly the path to the admin pages. All of them used the default /administrator or /admin.

    I give up.

    1. LeahroyNake Silver badge

      Re: Several K

      Also where has the exit option gone ?

      I was going to add that the admin link is the second thing I change, really winds up the developer when I use /johnsnow lol

    2. Rabbit80

      Re: Several K

      I use Prestashop - which insists on setting a username, password and changing the /admin path upon installation!

  7. Jay Lenovo

    Internet of Unsecured Things

    Thankfully paid credit monitoring services such as from Experian or Equifax can help protect you from the resulting theft and fraud.

    Until you realize they've leaked and mangled their own customer information like the Exxon Valdez.

  8. Anonymous Coward
    Anonymous Coward

    Pure neglegence allowing hackers to succeed

    Admins should be held accountable for their negligence fur chrissake.

  9. JakeMS
    Mushroom

    Makes us all look bad..

    This sort of thing makes all of us small independent e-commerce stores look incompetent and insecure.

    While I don't use Magento it still bugs me when things like this are happening due to sheer admin incompetence.

    The thing is, stuff like this can only cause customers become concerned and end up believing that all small e-commerce sites are insecure or hacked (even when they are not).

    Frankly any e-commerce website which cannot do something so simple as change a password should be named, shamed and shut down because they give us all a bad reputation.

    There are plenty of properly configured, properly secured e-commerce sites but people won't see that when they read headlines such as these due to incompetent admins.

    /sorry, just needed a quick rant

  10. mikesheen

    Something doesn't seem quite right here.

    I installed Magento 2 about 3 weeks ago and the instructions I followed I had to nominate an Admin username and password - so there was no "default" credentials.

    1. wolfetone

      "I installed Magento 2 about 3 weeks ago and the instructions I followed I had to nominate an Admin username and password - so there was no "default" credentials."

      Thing is a lot of people still using Magento 1.x, as there's no proper way to "upgrade" to Magento 2. You have to migrate, and this is problematic if your store isn't a standard installation of Magento.

      There are still people rocking Magento 1.4, because they're too tight to pay to get the work done to bring it to 1.9.

  11. Lucasjkr

    Default passwords?

    Does Magento have default passwords? I'm doubting it. Opencart, doesn't, but it's mentioned here too. More the problem is that people are using stupid passwords when they set up their sites. "admin/admin" or "admin/password". It doesn't take a rocket scientist to figure that out.

    But unless somethings completely wrong with Magento, it doesn't seem fair to throw them under the bus. It's the site owner and possibly their developer that are leaving these sites wide open for being hacked.

    Worse, is that many of these sites are deployed on shared servers. Which means that because default security, anyone with a hosting account on one can go on to read the files in every other accounts home directory. Including, database credentials! At that point it's game over

    Opencart USED to use a combination of MD5/SHA1 that would be easy to brute force. In Opencart 3, it moved to Bcrypt (I was responsible for the pull request). A trip to Github says that Magento still uses MD5 or SHA256 for its password hashes. This doesn't do anything for the security of the server itself, it only helps protect passwords from being guessed offline.

    Really, there's too much money at stake. I'd be surprised if credit card processors allow customers to connect from shared servers for much longer.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020