Russian hacker selling how-to vid on exploiting unsupported Magento installations to skim credit card details for $5,000

Tuesday 15th September 2020 13:38 GMT wolfetone

"The best way to avoid such attacks is to migrate to Magento 2, a spokesperson from Sansec told El Reg."

You don't migrate from Magento 1 to Magento 2. You completely redevelop your website to use Magento 2, as there is no reliable way to migrate the data across from version 1 to version 2. That's potentially hundreds of thousands of products, orders etc, that have to be brought across some how without affecting audits etc.

Adobe though could not give a damn about that little issue, meaning retailers are at the mercy of web development agencies to do it for them. The costs are going to be eye watering.

I do not envy any retailer or solitary dev dealing with this at the moment. I really don't.

10 0 Reply
1. Tuesday 15th September 2020 14:44 GMT Lee D
  
  Rule #57 of deploying IT services:
  
  If the cost/time/effort of doing an upgrade is greater than starting all over again, start all over again but this time with a product that supports upgrades better.
  
  An upgrade should be just that - it shouldn't involve redevelopment of things. If going from v1 to v2 means everything you did on v1 is useless, then it's not v2. It's SomeOtherProduct v1.
  
  14 0 Reply
  1. Tuesday 15th September 2020 20:29 GMT MOH
    
    It's not so much an upgrade as a quite different product though
    
    1 0 Reply
2. Tuesday 15th September 2020 14:56 GMT Blackjack
  
  Adobe you say? At least Microsoft cares for backwards compatibility and migration.
  
  0 0 Reply
  1. Tuesday 15th September 2020 15:09 GMT Anonymous Coward
    
    While I have no love of Adobe, this time it's not their fault. These are technical decisions that go back years before Adobe bought the company. Ebay had a much bigger influence in the development of Magento 2 and it shows because the two versions are radically different under the hood.
    
    Anon because I'm such a dev who is dealing with this, and at the moment it pays the bills handsomely. Please don't judge me!
    
    7 0 Reply
    1. Tuesday 15th September 2020 19:04 GMT Blackjack
      
      They could still have offered a way to migrate, like a program that exports the database of 1 on a format that 2 can read. They definitely had more than enough time to do so. And even if the program to do so wasn't perfect, it would have helped a lot.
      
      1 0 Reply
      1. Wednesday 16th September 2020 02:05 GMT logicalextreme
        
        If you've ever had the misfortune to see a Magento database, you'll know why they haven't made a program to do that. It's EAV and custom columns and tables all the way down. Truly a database in name only.
        
        1 0 Reply
        
        Wednesday 16th September 2020 11:19 GMT wolfetone
        
        "If you've ever had the misfortune to see a Magento database, you'll know why they haven't made a program to do that. It's EAV and custom columns and tables all the way down. Truly a database in name only."
        
        COVID holds no fear for me, for I have seen and dealt with such a monstrosity as the Magento database.
        
        0 0 Reply
      2. Wednesday 16th September 2020 09:42 GMT Anonymous Coward
        
        Most data is migrated by Magento 2 automatically. But as the OP, wolfetone pointed out, it's unreliable. I've seen products carried over but not enabled, or enabled and purchasable, but missing options for colour/size/etc.
        
        1 0 Reply
3. Tuesday 15th September 2020 20:22 GMT Pascal Monett
  
  If you have to do all that work, you might as well migrate from Magento 1 to someone else who actually gives a frack about business continuity.
  
  4 0 Reply
  1. Wednesday 16th September 2020 13:13 GMT Blackjack
    
    The problem is selling that idea to people used to use something.
    
    Is why a lot of people keep using Microsoft Office when LibreOffice is free and in like half the cases they just need a word processor and a simple spreadsheet program.
    
    Back in the 90s I remember at least a few spreadsheet programs that were both easier to use and cheaper that Microsoft Excel but nooo... they wanted it on Excel. Then they added macros and you basically had to be a programmer to understand the advanced options and that plus the package deal, massive piracy and discounts is how the other programs disappeared.
    
    0 0 Reply
Tuesday 15th September 2020 13:45 GMT chivo243

Still on sale?

Or have the 10 orders been filled?

1 0 Reply
Tuesday 15th September 2020 14:05 GMT Pete 2

Plastic fantastic

> For $5,000, z3r0day will show you a video on how to exploit a security hole in the web software to inject the digital-skimming code into an e-commerce site's files so that the code is run when a customer goes to a payment page on the hijacked site.

Will they take a credit card for payment?

9 0 Reply
1. Wednesday 16th September 2020 12:16 GMT Beeblebrox
  
  Why a video?
  
  Give us clear instructions, and code snippets, with a few relevant images if necessary - we don't want a video!
  
  0 0 Reply
Tuesday 15th September 2020 20:25 GMT 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

All unsupported software should be released as open source, under a new pan-space-time "Right To Repair" law

1 0 Reply
1. Tuesday 15th September 2020 23:14 GMT tcmonkey
  
  Magento *is* open source. Or at least the community editions are.
  
  0 0 Reply
Tuesday 15th September 2020 20:29 GMT MOH

Are they selling the exploit on a Magento store?

2 0 Reply
1. Wednesday 16th September 2020 02:06 GMT logicalextreme
  
  It's not a particularly reliable way of making money so probably not.
  
  0 0 Reply