Russian hacker selling how-to vid on exploiting unsupported Magento installations to skim credit card details for $5,000

Tuesday 15th September 2020 13:38 GMT wolfetone

"The best way to avoid such attacks is to migrate to Magento 2, a spokesperson from Sansec told El Reg."

You don't migrate from Magento 1 to Magento 2. You completely redevelop your website to use Magento 2, as there is no reliable way to migrate the data across from version 1 to version 2. That's potentially hundreds of thousands of products, orders etc, that have to be brought across some how without affecting audits etc.

Adobe though could not give a damn about that little issue, meaning retailers are at the mercy of web development agencies to do it for them. The costs are going to be eye watering.

I do not envy any retailer or solitary dev dealing with this at the moment. I really don't.

10 0 Reply
1. Tuesday 15th September 2020 14:44 GMT Lee D
  
  Rule #57 of deploying IT services:
  
  If the cost/time/effort of doing an upgrade is greater than starting all over again, start all over again but this time with a product that supports upgrades better.
  
  An upgrade should be just that - it shouldn't involve redevelopment of things. If going from v1 to v2 means everything you did on v1 is useless, then it's not v2. It's SomeOtherProduct v1.
  
  14 0 Reply
  1. Tuesday 15th September 2020 20:29 GMT MOH
    
    It's not so much an upgrade as a quite different product though
    
    1 0 Reply
2. Tuesday 15th September 2020 14:56 GMT Blackjack
  
  Adobe you say? At least Microsoft cares for backwards compatibility and migration.
  
  0 0 Reply
  1. Tuesday 15th September 2020 15:09 GMT Anonymous Coward
    
    While I have no love of Adobe, this time it's not their fault. These are technical decisions that go back years before Adobe bought the company. Ebay had a much bigger influence in the development of Magento 2 and it shows because the two versions are radically different under the hood.
    
    Anon because I'm such a dev who is dealing with this, and at the moment it pays the bills handsomely. Please don't judge me!
    
    7 0 Reply
    1. Tuesday 15th September 2020 19:04 GMT Blackjack
      
      They could still have offered a way to migrate, like a program that exports the database of 1 on a format that 2 can read. They definitely had more than enough time to do so. And even if the program to do so wasn't perfect, it would have helped a lot.
      
      1 0 Reply
      1. Wednesday 16th September 2020 02:05 GMT logicalextreme
        
        If you've ever had the misfortune to see a Magento database, you'll know why they haven't made a program to do that. It's EAV and custom columns and tables all the way down. Truly a database in name only.
        
        1 0 Reply
        
        Wednesday 16th September 2020 11:19 GMT wolfetone
        
        "If you've ever had the misfortune to see a Magento database, you'll know why they haven't made a program to do that. It's EAV and custom columns and tables all the way down. Truly a database in name only."
        
        COVID holds no fear for me, for I have seen and dealt with such a monstrosity as the Magento database.
        
        0 0 Reply
      2. Wednesday 16th September 2020 09:42 GMT Anonymous Coward
        
        Most data is migrated by Magento 2 automatically. But as the OP, wolfetone pointed out, it's unreliable. I've seen products carried over but not enabled, or enabled and purchasable, but missing options for colour/size/etc.
        
        1 0 Reply
3. Tuesday 15th September 2020 20:22 GMT Pascal Monett
  
  If you have to do all that work, you might as well migrate from Magento 1 to someone else who actually gives a frack about business continuity.
  
  4 0 Reply
  1. Wednesday 16th September 2020 13:13 GMT Blackjack
    
    The problem is selling that idea to people used to use something.
    
    Is why a lot of people keep using Microsoft Office when LibreOffice is free and in like half the cases they just need a word processor and a simple spreadsheet program.
    
    Back in the 90s I remember at least a few spreadsheet programs that were both easier to use and cheaper that Microsoft Excel but nooo... they wanted it on Excel. Then they added macros and you basically had to be a programmer to understand the advanced options and that plus the package deal, massive piracy and discounts is how the other programs disappeared.
    
    0 0 Reply
Tuesday 15th September 2020 13:45 GMT chivo243

Still on sale?

Or have the 10 orders been filled?

1 0 Reply
Tuesday 15th September 2020 14:05 GMT Pete 2

Plastic fantastic

> For $5,000, z3r0day will show you a video on how to exploit a security hole in the web software to inject the digital-skimming code into an e-commerce site's files so that the code is run when a customer goes to a payment page on the hijacked site.

Will they take a credit card for payment?

9 0 Reply
1. Wednesday 16th September 2020 12:16 GMT Beeblebrox
  
  Why a video?
  
  Give us clear instructions, and code snippets, with a few relevant images if necessary - we don't want a video!
  
  0 0 Reply
Tuesday 15th September 2020 20:25 GMT 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

All unsupported software should be released as open source, under a new pan-space-time "Right To Repair" law

1 0 Reply
1. Tuesday 15th September 2020 23:14 GMT tcmonkey
  
  Magento *is* open source. Or at least the community editions are.
  
  0 0 Reply
Tuesday 15th September 2020 20:29 GMT MOH

Are they selling the exploit on a Magento store?

2 0 Reply
1. Wednesday 16th September 2020 02:06 GMT logicalextreme
  
  It's not a particularly reliable way of making money so probably not.
  
  0 0 Reply

ServiceNow founder Fred Luddy sells $13.2m stake in 'defining enterprise software company of the 21st century'

.uk registry operator Nominet responds to renewed criticism – by silencing its critics

Pst... Is that the sound of your Outlook backups leaking?

Huawei chairman says tech giant's goal is ‘survival’ as it battles ‘non-stop aggression’

Frames per second? Windows Terminal brings back text animation with the VT100 blink

One does not simply walk into supply chain software – but Microsoft is giving it a shot

Microsoft's OS joins macOS and Linux at the Flutter party, but guess which one performs best? Hint: It's not Windows

Swift tailored for Windows no longer folklore: Apple's programming language available for Microsoft OS

Four ex-eBay staffers to plead guilty after cyberstalking critics of online tat bazaar's management

Doppelpaymer ransomware crew fingered over attack on German hospital that allegedly caused death of a patient

Microsoft leaks 6.5TB in Bing search data via unsecured Elastic server. *Insert 'Wow... that much?' joke here*

Proposed US fix for Boeing 737 Max software woes does not address Ethiopian crash scenario, UK pilot union warns

Microservices guru says think serverless, not Kubernetes: You don't want to manage 'a towering edifice of stuff'

Imagine working for GitHub and writing a command-line interface for the platform, then GitHub makes an 'official' one

Anglian Water fishes for on-trend laundry list – including low-code work – in £24m trawl

You can add comms API merchant Twilio to the list of tech firms that have seen biz booming thanks to lockdown

UK Ministry of Justice dangles £20m, seeks paper-free payroll services – this time for the judiciary

Ports in a storm: The Matebook 14 won't set your world on fire, but it's still a half-decent laptop

Oracle Zooms past rivals to run TikTok’s cloud, take stake alongside WalMart and ByteDance investors

It's IPO week and one of Wall Street's own is raising the spectre of a stock market crash

It's the year of Linux on the... ThinkPad as Lenovo extends out-of-the-box Ubuntu support to nearly 30 machines

Nokia rolls out midrange 5G mobile, but will struggle to fight off Motorola and pals. Plus: New platform for suits with bulk-ordered SIMs

Samsung throws more frugal followers a bone* with cheaper Galaxy S20 Fanboi Fan Edition

Tesla to build cars made of batteries and hit $25k price tag about three years down the road

Moonshot: Making spaceships with Microsoft's refreshed HoloLens 2 nerd goggles

And now for something completely different: Ultraviolet aurora spotted around comet for first time

To bring data down from the heavens, come to GSaaS, says Microsoft as it launches Azure Orbital

SpaceX scuppered by weather once more as skygazers win a Starlink reprieve

China sets out world domination plan for its digital currency

Get ready for Clippy 9000: Microsoft exclusively licenses OpenAI's mega-brain GPT-3 for anything and everything

Humans suck so much at beating this pandemic that Microsoft has made an AI to enforce social distancing

UK govt urged to bolt tough legal protections onto Arm and protect jobs – or simply veto Nvidia's £31bn acquisition

Onwards! To the airport and adventure! And this rather lachrymose Linux screen

Space. The final frontier. These are the voyages of 'Advanced Night Repair' skin cream helping NASA to commercialise space

Behold the Bloo Screen of Death: Bathroom borkage stops spray play

As we stand on the precipice of science fiction into science fact, people say: Hell yeah, I want to augment my eyesight!

User topics

Article topics

User topics

Article topics

COMMENTS

Still on sale?

Plastic fantastic

Why a video?

POST COMMENT House rules

Enter your comment

Add an icon

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

SIGN UP TO OUR DAILY NEWSLETTER

Microsoft leaks 6.5TB in Bing search data via unsecured Elastic server. Insert 'Wow... that much?' joke here