Hackers still targeting ecommerce websites

Discussion in 'Ecommerce Forum' started by dotcomdude, Sep 12, 2018.

  1. dotcomdude

    dotcomdude UKBF Regular Free Member

    I monitor the source code for a few ecommerce websites owned by my clients. I just had an alert this morning and discovered that the busy little buggers had installed some code making use of the IndoXploit.

    This is basically a menu system with numerous commands that they can easily run to discover server details and to execute commands like uploading files, cracking cPanel passwords, grabbing SMTP login details, defacing the website, installing the Adminer database manager and checking known locations for common config files like WordPress, Magento etc.

    In my experience most of these hacks run silently - ie, they don't do anything that you would notice as either a website user or admin. They usually take a copy of the database and add some code to email off new customers' card and name/address details as they are entered.

    I'm going to be quite blunt. I've been doing this job for about 16 years, and I've never yet seen [the source code of] a successful ecommerce website that hasn't been hacked.

    So, if you've got an ecommerce website that's doing OK*, get someone to check the source code to see if it's been hacked.

    *By doing OK, I mean coming up high in organic searches or being advertised through PPC. Only inexperienced hackers target ecommerce websites that are out in the wilderness on their own...
     
    Posted: Sep 12, 2018 By: dotcomdude Member since: Jul 27, 2018
    #1
  2. WebDesires

    WebDesires UKBF Regular Full Member

    I'm going to be blunt. Whoever is associated with the code of those sites needs to learn better security practices, and also perhaps stop using said ecommerce software. What ecommerce software do these clients mostly have?

    I also monitor many ecommerce stores for compromised code, in fact many of my clients come to us because they have been compromised. Not had any new compromises once we have cleaned up bad code, removed bad practices and secured everything correctly.

    There simply is no excuse for any web professional not to spend time learning security principles and at least trying to keep their work/code compliant and secure.

    But you are right it is very common, a lot of wannabe developers out there who know how to mash code together just about but don't learn the most important thing in programming, security!
     
    Posted: Sep 12, 2018 By: WebDesires Member since: Feb 23, 2016
    #2
  3. dotcomdude

    dotcomdude UKBF Regular Free Member

    Mostly Magento CE, but I've also seen it in custom code, PrestaShop, Joomla and of course WordPress.
     
    Posted: Sep 12, 2018 By: dotcomdude Member since: Jul 27, 2018
    #3
  4. WebDesires

    WebDesires UKBF Regular Full Member

    And all those fall foul of third-party plug-ins and modifications. Any particular recurring causes of a breach you can list? I've found commonly it is administrator passwords being too weak and admin panel login forms being too easy to abuse (ie. slam with guessed passwords).
     
    Posted: Sep 12, 2018 By: WebDesires Member since: Feb 23, 2016
    #4
  5. dotcomdude

    dotcomdude UKBF Regular Free Member

    The most recent ones I have seen:

    Custom code ecommerce site. Site owner's computer was hacked/virused, so everyone in their private mail contacts started getting spam/phishing emails and then some source code was changed on the site to email across login details. I never got to see the owner's computer, so I don't know how they originally got in.

    Magento website, JS code was added to pop up spammy sites in a new tab. Never found how that one occurred; restored code and added a new routine to monitor those directories in case it happened again.

    Today's Magento website - A hacker from Indonesia found a weakness in an extension they were using and at 6am UK time uploaded those files I mentioned in the OP. Logs suggest they hadn't actually tried to execute the code, so I restored and modified the code a little to stop it happening again.
     
    Posted: Sep 12, 2018 By: dotcomdude Member since: Jul 27, 2018
    #5
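The monitoring that caught the upload described in post #1 and the directory-watch routine mentioned in post #5 come down to file-integrity checking: record a hash of every file under the web root, then compare on a schedule. The script below is an added example written for this thread, not dotcomdude's own tool. The web root and baseline path are assumptions; adjust them for the site being watched.

```php
<?php
// Added example (not the poster's code): minimal file-integrity baseline for a web root.
// Usage: php fim.php baseline   -> record SHA-256 of every file under $webroot
//        php fim.php check      -> report ADDED / CHANGED / REMOVED files, exit 1 if any
// Assumed paths; the baseline must live outside the web root so a web-shell cannot rewrite it.
$webroot  = '/var/www/shop';
$baseline = '/var/lib/fim/baseline.json';

// Walk the tree and hash every regular file, keyed by path relative to $root.
function hash_tree(string $root): array {
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare two hash maps and classify every difference.
function diff_trees(array $old, array $new): array {
    $report = ['added' => [], 'changed' => [], 'removed' => []];
    foreach ($new as $path => $h) {
        if (!isset($old[$path])) {
            $report['added'][] = $path;      // new file, e.g. a dropped PHP shell
        } elseif ($old[$path] !== $h) {
            $report['changed'][] = $path;    // existing file modified, e.g. injected JS
        }
    }
    foreach ($old as $path => $h) {
        if (!isset($new[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

$mode = $argv[1] ?? 'check';
if ($mode === 'baseline') {
    file_put_contents($baseline, json_encode(hash_tree($webroot), JSON_PRETTY_PRINT));
    echo "baseline written\n";
    exit(0);
}

$old    = json_decode((string) file_get_contents($baseline), true) ?: [];
$report = diff_trees($old, hash_tree($webroot));
$total  = count($report['added']) + count($report['changed']) + count($report['removed']);
foreach ($report as $kind => $paths) {
    foreach ($paths as $p) {
        echo strtoupper($kind) . "\t" . $p . "\n";
    }
}
// Non-zero exit lets cron or a monitoring agent raise the alert.
exit($total > 0 ? 1 : 0);
```

Run the check from cron and re-baseline only after a deliberate deployment; a PHP file appearing under an uploads, media or cache directory, or a change to a core file that no release touched, is exactly the kind of event the posts above describe. Exclude genuinely volatile directories (session and cache stores) rather than the whole uploads tree, since that is where dropped shells tend to land.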
  6. Alan

    Alan UKBF Legend Full Member - Verified Business

    Being a bit of a WP security geek, I would say that 70+% of successful hacks on WordPress are SQL injections via unsanitized user input in poorly coded plugins.

    A single bad line of code in a WP plugin and I can get access to your whole file system and database.
    This is an example of a seemingly innocent line of code that just appears to read the options table for a specified option_id but creates a massive security hole:

    // Vulnerable: $_GET['id'] is concatenated straight into the SQL string, unvalidated and unescaped
    $result = $wpdb->get_results("select * from ".$wpdb->prefix."options where option_id = ".$_GET['id']);

    All I need is two tools, 1 to scan to see if you actually have the plugin with bad code and the other to make use of the resulting code.

    No strong password will save you, as with access to the database I can reset passwords, create users etc., and with access to the file system I can alter whatever code I like to create more backdoors etc. etc.

    The same 'concept' of SQL injection weakness applies to all the other systems mentioned, but I can't give you example of code for them :)
     
    Last edited: Sep 12, 2018
    Posted: Sep 12, 2018 By: Alan Member since: Aug 16, 2011
    #6
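Alan's one-liner beside the version a plugin should ship with, as an added example for this thread rather than code from any plugin. It assumes it runs inside WordPress, where the global $wpdb, absint(), current_user_can() and wp_die() are available; the function names are made up for illustration.

```php
<?php
// Added example (not from the thread or any real plugin): the vulnerable pattern
// from the post above next to a hardened version. Assumes a WordPress runtime.

// VULNERABLE: the request parameter becomes part of the SQL text, so the caller
// controls the query structure, not just the value being compared.
function get_option_row_vulnerable() {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}options WHERE option_id = " . $_GET['id']
    );
}

// HARDENED: reject anything that is not a plain integer, then bind the value
// with $wpdb->prepare(). %d forces an integer, so the parameter can only ever
// change which row is looked up. $wpdb->options is WordPress's own name for
// the prefixed options table.
function get_option_row_safe() {
    global $wpdb;
    if ( ! isset( $_GET['id'] ) || ! ctype_digit( (string) $_GET['id'] ) ) {
        return null;
    }
    $id = absint( $_GET['id'] );
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$wpdb->options} WHERE option_id = %d", $id )
    );
}

// A lookup of the options table is also not something an anonymous visitor
// should reach at all: gate the handler on a capability, so a bug in the query
// code needs an authenticated, privileged session before it matters.
function handle_option_lookup() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    return get_option_row_safe();
}
```

The two layers are independent: prepare() removes the injection, the capability check removes the anonymous attack surface. Code review of a plugin should flag any $wpdb->query()/get_results()/get_var() call whose SQL string is built with concatenation or interpolation of request data, which is a simple grep across a plugin directory.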
  7. WebDesires

    WebDesires UKBF Regular Full Member

    Let me note that this is not only an example of poor programming, but also of poor server setup and security too! No server should even allow this, regardless of whether the code is vulnerable.
     
    Posted: Sep 12, 2018 By: WebDesires Member since: Feb 23, 2016
    #7
  8. Alan

    Alan UKBF Legend Full Member - Verified Business

    Whilst it is true that no server should allow it, there are very few servers that are truly hardened against all potential bypasses, and mod_security / WAF bypasses are being found all the time. Updating rule sets creates a risk to existing applications and so many hosts (especially the larger ones with more to damage) tend to be slow in updating their rule sets.
     
    Posted: Sep 12, 2018 By: Alan Member since: Aug 16, 2011
    #8
  9. RjMaan

    RjMaan UKBF Contributor Free Member

    I want to add something here: it's not only ecommerce sites that are under attack by hackers. There are a number of other sites as well which are under hackers' attack. I think one should keep the security plug-ins of his site up to date to avoid such attacks.
     
    Posted: Sep 13, 2018 By: RjMaan Member since: Mar 26, 2018
    #9
  10. mattk

    mattk UKBF Newcomer Free Member

    What steps can be taken at the server level to avoid Alan's example?
     
    Posted: Sep 13, 2018 By: mattk Member since: Dec 5, 2005
    #10
  11. Inva

    Inva UKBF Regular Free Member

    I believe this statement is slightly wrong. Generally there is very little manual hacking these days, and it involves high-end websites/companies. The vast majority of hacks are automated bots, and they do not target e-commerce websites but websites which are based on a generic CMS, for the simple reason that their code is known and they are used massively. Custom-coded websites usually do not suffer from this (unless someone takes a personal interest in said website). Given that most e-commerce (and generally most websites) are based on such CMS systems, it makes sense that they will get hacked sooner or later.

    This is rarely an issue though; most hacking happens because of bad coding and not because of bad server security.
     
    Posted: Sep 13, 2018 By: Inva Member since: Aug 10, 2018
    #11
  12. antropy

    antropy OpenCart Experts Full Member - Verified Business

    Hacks on ecommerce sites are getting more and more common.

    The most frequent one we see is a payment gateway hack where card details are emailed to a throw-away Russian email address.

    We also see a common one where a fake payment option is added in an iframe which sends the payment to a PayPal address.

    The most common way in seems to be weak passwords, see here:
    https://www.antropy.co.uk/blog/are-passwords-with-numbers-instead-of-letters-secure/

    A very complex password is a pain to type and remember which is the reason people go for simple ones.

    A good solution is to use passwords from here which are secure, memorable and easy to type:
    http://correcthorsebatterystaple.net/

    Paul
     
    Posted: Sep 13, 2018 By: antropy Member since: Aug 2, 2010
    #12
  13. dotcomdude

    dotcomdude UKBF Regular Free Member

    I'm glad it's not just me that's seeing them. In my experience the subject just isn't on the radar of the typical website owner or even many developers. If I didn't proactively look for them - or have software looking for them - I wouldn't see them either :)
     
    Posted: Sep 13, 2018 By: dotcomdude Member since: Jul 27, 2018
    #13
  14. antropy

    antropy OpenCart Experts Full Member - Verified Business

    Nope, it happens to everyone; it's silly to pretend it doesn't.

    I mean just look at the BBC news website technology section - most big companies have had data breaches (even tech giants Apple, Facebook, Microsoft etc.) with BA being the most recent.
     
    Posted: Sep 13, 2018 By: antropy Member since: Aug 2, 2010
    #14
  15. Inva

    Inva UKBF Regular Free Member

    The secret to strong passwords is to use a formula. We have over 100 accounts in services left and right. Using the same password would be risky, as if it's found out then we can get compromised on every front.

    So what we do is devise a password formula and use it to create a password for each service. Every password ends up being different. So basically we have 100 different passwords but don't remember any of them off the top of our heads; we just have to remember the formula.

    For someone who has many accounts, this could be a useful practice.
     
    Posted: Sep 13, 2018 By: Inva Member since: Aug 10, 2018
    #15
  16. antropy

    antropy OpenCart Experts Full Member - Verified Business

    Tell us more about your formula? ;):D

    Paul
     
    Posted: Sep 13, 2018 By: antropy Member since: Aug 2, 2010
    #16
  17. Inva

    Inva UKBF Regular Free Member

    I'm afraid that's secret :p
     
    Posted: Sep 13, 2018 By: Inva Member since: Aug 10, 2018
    #17
  18. Steven001

    Steven001 UKBF Regular Full Member

    Modern PHP coding techniques eliminate the possibility of SQL injection, but as mentioned, when a smorgasbord of people with differing capabilities are allowed to create plugins for commercial eCommerce software you get issues: bugs, slowdowns and security flaws.

    This is the principal reason I refuse to use software like WordPress, Magento etc. and push the idea that if you can code well and understand security, it's better to write the back end yourself; then you know exactly how to handle software conflicts, exceptions and attempted hacks.

    Online I see complaints about the lack of structure in .htaccess files on existing platforms like WordPress to mitigate things like XSS server-side attacks, hide the PHP version, hide file extensions, handle allowed file types and other standard security procedures that should be in place from the very start.
     
    Posted: Sep 13, 2018 By: Steven001 Member since: Aug 1, 2018
    #18
  19. dotcomdude

    dotcomdude UKBF Regular Free Member

    Yes, but this very much depends upon whether the developer knows about or chooses to implement modern PHP coding techniques.

    If I could have £1 for every developer I could find who was lacking in this area, I'd be a very rich man!
     
    Posted: Sep 14, 2018 By: dotcomdude Member since: Jul 27, 2018
    #19
  20. antropy

    antropy OpenCart Experts Full Member - Verified Business

    Which, specifically?

    Paul
     
    Posted: Sep 14, 2018 By: antropy Member since: Aug 2, 2010
    #20