A Magento store may seem like it has not been compromised, because orders are coming in and everything looks normal. However, under the surface there could be malicious code that’s designed to grab all of the data from every form field on the site.
Most scraper hacks in Magento are effective because they’re typically buried deep within a site’s file system and may go unnoticed for long periods of time.
If your storefront is compromised, then every piece of data that has been entered may be on its way to someone intending to steal it. Most scraper hacks will use e-mail to receive the stolen form data or save it in sneaky places like your media folder for easy access later.
Hackers will often obfuscate their code to make it as unreadable as possible while still retaining the ability to execute. A hack could appear to be a nonsense jumble of code. To the untrained eye, a hack may even seem like it’s supposed to be there.
Example of a hack designed to scrape form data
One common hack is placed in Magento’s AccountController.php or OnepageController.php. In these locations, the customer’s data can be grabbed in plain-text before it is sent to the secure credit card processor. All of the information needed to authorize a credit card transaction on a customer’s card could be in the hacker’s hands before the customer even gets to the checkout confirmation screen.
Security scans often miss these types of scrapers because the malicious code performs normal functions like processing $_POST fields and sending e-mail.
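Because the individual calls look legitimate, a useful first pass is to look for the combination the scrapers above rely on: form input being read in the same file that can mail it out, write it to disk, or decode an obfuscated string. The following Python scanner is an added example, not part of the original post or of Magento; the indicator lists and the two sample controller files are constructed for illustration and are not real Magento code.

```python
import os
import re
import tempfile

# Indicator groups. A file is flagged only when it both reads form input
# and has an exfiltration channel or a sign of obfuscation, which is the
# combination the scrapers described above rely on.
PATTERNS = {
    "collect": [r"\$_POST\b", r"\$_REQUEST\b", r"->getPost\(", r"->getParams\("],
    "exfil": [r"\bmail\(", r"curl_init\(", r"fsockopen\(", r"file_put_contents\("],
    "obfuscate": [r"base64_decode\(", r"\beval\(", r"gzinflate\(", r"str_rot13\("],
}

def classify(source):
    """Return the indicator groups whose patterns occur in a PHP source string."""
    return {g for g, pats in PATTERNS.items() if any(re.search(p, source) for p in pats)}

def scan_tree(root):
    """Walk root and return {relative path: sorted groups} for PHP files worth a manual review."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                groups = classify(fh.read())
            if "collect" in groups and groups & {"exfil", "obfuscate"}:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = sorted(groups)
    return findings

# Constructed samples, not real Magento code: a controller that only reads
# POST data, and a tampered copy that also mails it and hides a string.
CLEAN = "<?php $data = $this->getRequest()->getPost(); $this->_saveCustomer($data);"
TAMPERED = CLEAN + " mail(base64_decode($k), 'x', serialize($_POST));"

def make_sample_tree():
    """Write the two samples into a throwaway tree shaped like a Magento install."""
    root = tempfile.mkdtemp()
    for rel, body in [("app/code/core/Mage/Customer/controllers/AccountController.php", CLEAN),
                      ("app/code/core/Mage/Checkout/controllers/OnepageController.php", TAMPERED)]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

A hit is a prompt for a human to read the file, not proof of compromise; legitimate modules (contact forms, newsletter signups) also read POST data and send mail.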
The good news is that there are ways to minimize a hacker’s ability to compromise a site in the first place by following a few simple practices.
The best place to host your Magento site is with a Magento Hosting Partner.
One of the biggest mistakes I’ve seen companies make is selecting the most inexpensive web host they can find. Think of your host as the physical storefront where your store is located. Would you want to keep all of your inventory in a building without an alarm system or that has a broken front door? Cheap web hosting is fine for personal blogs or sites that don’t contain sensitive information.
Work with your web host to ensure that the file owners and permissions are set correctly. Magento also has guidelines for how this should be set up.
SSL (Secure Sockets Layer) is the standard security technology for encrypting data that is transmitted from the web host to a browser. All Magento storefronts should use SSL to protect the customer’s data. SSL Certificates can be purchased from numerous companies and can easily be installed by your web host.
If your web host has an off-site backup plan for your files and database, then use it. Ensure that your data is safely backed up on a regular basis with at least a two-week retention policy. With this in place your site can be restored to any point within the previous two weeks. If you don’t have a backup of everything, then it’s possible that your site could be lost forever for any number of reasons.
There’s a Magento extension for just about any feature imaginable but don’t get carried away when installing them! If you’re technically inclined, then carefully review every file of a new extension before installing it. If not, then reach out to professionals to help evaluate it. Don’t install anything unless it comes from a trusted source, or you could end up adding a vulnerability to your site.
You must install any new patches from Magento as soon as possible. These patches are released to address a bug or security problem that Magento has fixed.
If you have third-party extensions installed then verify that you are running the most up-to-date versions to keep your site safe.
Use Magereport.com to evaluate your site for missing patches and other security problems. Follow the advice that is recommended after your site analysis is complete. The people at Hypernode are frequently updating their free service to help protect the Magento community.
Check your logs for suspicious activity. This is easier said than done and can be very tedious.
The most effective installable tool that I’ve used is a package called OSSEC. OSSEC is an open source, host-based intrusion detection system (HIDS). OSSEC can analyze your logs, detect rootkits, detect log errors and monitor file system changes. If you’re interested in trying OSSEC then it can be found here: http://ossec.github.io/downloads.html. It will require some server experience to install and configure.
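The file system monitoring that OSSEC performs boils down to a hashed baseline of every file and a diff against it later. The Python below is an added example of that idea, written for this article rather than taken from OSSEC or Magento; the paths, the tampered controller and the file dropped under media/ (the hiding place mentioned earlier) are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def baseline(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = file_sha256(path)
    return digests

def compare(old, new):
    """Return added, removed and modified paths between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}

def php_in_media(paths):
    """PHP files under media/ should never appear in normal operation; list any that do."""
    return [p for p in paths if p.startswith("media/") and p.endswith(".php")]

def demo():
    """Constructed scenario: take a baseline, then simulate a tampered install."""
    root = tempfile.mkdtemp()
    ctl = os.path.join(root, "app", "code", "core", "Mage", "Checkout", "controllers", "OnepageController.php")
    write(ctl, "<?php // original controller\n")
    before = baseline(root)
    write(ctl, "<?php // original controller\n// appended line\n")
    write(os.path.join(root, "media", "cache.php"), "<?php // dropped file\n")
    after = baseline(root)
    delta = compare(before, after)
    return delta, php_in_media(delta["added"])
```

In practice the baseline is taken right after a clean deploy and stored off the server, so an attacker who can change files cannot also rewrite the record you compare against.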
If you aren’t familiar with setting up server software then you should sign up for a security scanning service like Sucuri. Your web host or integration partner may recommend a similar monitoring service that works best with your hosting platform. Services like this can protect a site against many types of attacks and can perform frequent file system scans to protect against hacked files.
It’s impossible to stop all hacks. The only way to truly prevent them is to unplug the computer and never turn it back on. Since that isn’t a realistic option, you can use the advice in this article to begin to fortify your storefront and to help protect your customers’ data.