Sign in / up

back to article Russian hacker selling how-to vid on exploiting unsupported Magento installations to skim credit card details for $5,000

Thousands of e-commerce stores built using Magento 1 have been poisoned with malicious code that steals customers' bank card information as they enter their details to order stuff online. Sansec, a software company focused on these so-called "digital skimming" attacks, discovered that 1,904 cyber-shops had been altered by …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. wolfetone Silver badge

    "The best way to avoid such attacks is to migrate to Magento 2, a spokesperson from Sansec told El Reg."

    You don't migrate from Magento 1 to Magento 2. You completely redevelop your website to use Magento 2, as there is no reliable way to migrate the data across from version 1 to version 2. That's potentially hundreds of thousands of products, orders etc, that have to be brought across some how without affecting audits etc.

    Adobe though could not give a damn about that little issue, meaning retailers are at the mercy of web development agencies to do it for them. The costs are going to be eye watering.

    I do not envy any retailer or solitary dev dealing with this at the moment. I really don't.

    10 0 Reply
    1. Lee D Silver badge
      Reply Icon

      Rule #57 of deploying IT services:

      If the cost/time/effort of doing an upgrade is greater than starting all over again, start all over again but this time with a product that supports upgrades better.

      An upgrade should be just that - it shouldn't involve redevelopment of things. If going from v1 to v2 means everything you did on v1 is useless, then it's not v2. It's SomeOtherProduct v1.

      14 0 Reply
      1. MOH
        Reply Icon

        It's not so much an upgrade as a quite different product though

        1 0 Reply
    2. Blackjack Silver badge
      Reply Icon

      Adobe you say? At least Microsoft cares for backwards compatibility and migration.

      0 0 Reply
      1. Anonymous Coward
        Reply Icon
        Anonymous Coward

        While I have no love of Adobe, this time it's not their fault. These are technical decisions that go back years before Adobe bought the company. Ebay had a much bigger influence in the development of Magento 2 and it shows because the two versions are radically different under the hood.

        Anon because I'm such a dev who is dealing with this, and at the moment it pays the bills handsomely. Please don't judge me!

        7 0 Reply
        1. Blackjack Silver badge
          Reply Icon

          They could still have offered a way to migrate, like a program that exports the database of 1 on a format that 2 can read. They definitely had more than enough time to do so. And even if the program to do so wasn't perfect, it would have helped a lot.

          1 0 Reply
          1. logicalextreme
            Reply Icon

            If you've ever had the misfortune to see a Magento database, you'll know why they haven't made a program to do that. It's EAV and custom columns and tables all the way down. Truly a database in name only.

            1 0 Reply
            1. wolfetone Silver badge
              Reply Icon

              "If you've ever had the misfortune to see a Magento database, you'll know why they haven't made a program to do that. It's EAV and custom columns and tables all the way down. Truly a database in name only."

              COVID holds no fear for me, for I have seen and dealt with such a monstrosity as the Magento database.

              0 0 Reply
          2. Anonymous Coward
            Reply Icon
            Anonymous Coward

            Most data is migrated by Magento 2 automatically. But as the OP, wolfetone pointed out, it's unreliable. I've seen products carried over but not enabled, or enabled and purchasable, but missing options for colour/size/etc.

            1 0 Reply
    3. Pascal Monett Silver badge
      Reply Icon

      If you have to do all that work, you might as well migrate from Magento 1 to someone else who actually gives a frack about business continuity.

      4 0 Reply
      1. Blackjack Silver badge
        Reply Icon

        The problem is selling that idea to people used to use something.

        Is why a lot of people keep using Microsoft Office when LibreOffice is free and in like half the cases they just need a word processor and a simple spreadsheet program.

        Back in the 90s I remember at least a few spreadsheet programs that were both easier to use and cheaper that Microsoft Excel but nooo... they wanted it on Excel. Then they added macros and you basically had to be a programmer to understand the advanced options and that plus the package deal, massive piracy and discounts is how the other programs disappeared.

        0 0 Reply
  2. chivo243 Silver badge

    Still on sale?

    Or have the 10 orders been filled?

    1 0 Reply
  3. Pete 2 Silver badge

    Plastic fantastic

    > For $5,000, z3r0day will show you a video on how to exploit a security hole in the web software to inject the digital-skimming code into an e-commerce site's files so that the code is run when a customer goes to a payment page on the hijacked site.

    Will they take a credit card for payment?

    9 0 Reply
    1. Beeblebrox
      Reply Icon

      Why a video?

      Give us clear instructions, and code snippets, with a few relevant images if necessary - we don't want a video!

      0 0 Reply
  4. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    All unsupported software should be released as open source, under a new pan-space-time "Right To Repair" law

    1 0 Reply
    1. tcmonkey
      Reply Icon
      WTF?

      Magento *is* open source. Or at least the community editions are.

      0 0 Reply
  5. MOH

    Are they selling the exploit on a Magento store?

    2 0 Reply
    1. logicalextreme
      Reply Icon

      It's not a particularly reliable way of making money so probably not.

      0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like