MAGENTO WEBSITE SECURITY REPORT

Produced by Foregenix
19th October 2020

Contact Us: www.foregenix.com/webscan
Tel: +44 845 309 6232

Nov 28, 2021


Overview: Who is Foregenix?

We are a leading independent cybersecurity company with a focus on keeping the world’s payment systems secure.

With over a decade of experience in the Payment Card Industry (PCI), we help merchants, payment processors, banks and other operators to ensure they are securing their environments effectively while complying with industry security standards.

We won the Queen’s Award for Enterprise in 2019.

What do we do?

• Compliance & Risk
• Digital forensics & response
• Cybersecurity technology

Overview: What is WebScan?

WebScan is our comprehensive non-intrusive website scanning solution. It analyses websites for specific security vulnerabilities to produce a risk score.

The scans are passive, meaning WebScan looks for publicly available information (just like criminals do) and at no point tries to exploit vulnerabilities.

WebScan looks for:
• Malware (including card skimmers)
• Platforms and patching information
• SSL issues

We like to say that WebScan is the most up-to-date website scanning solution in the market, as it is constantly updated by both our forensic team and Threat Intelligence Group.

We currently monitor over 270,000 Magento merchants globally.

Overview: The Risk Categories

• CRITICAL: Already hacked, card data actively being stolen
• HIGH: At risk of being hacked - easily
• MEDIUM: Some issues, unlikely to get hacked
• LOW: Hacking unlikely

[Slide callout: "This is the problem zone"]

Overview: Summary

• Around 180,000 websites remain on the Magento 1 Platform
• Significant decrease in the number of Magento websites
• 91% of Magento 1 websites are High/Critical Risk
• 30% of Magento 2 websites are High/Critical Risk
• Magento remains the most targeted platform by criminals

WebScan Results: Website Numbers (All Magento)

[Chart: number of Magento 1 and Magento 2 websites over time, May to late October; y-axis 0 to 350,000]

WebScan Results: Critical Risk

Websites with Critical Risk have already been hacked (with card data being actively stolen). The good news is that critical websites have decreased this month, however it is still higher than the average from May to Early September. We believe this is still a vestige of Cardbleed’s attack.

[Charts: "Percentage of total sites" and "Actual numbers" of Critical Risk websites, Magento 1 and Magento 2, May to late October]

WebScan Results: High Risk

Websites with High Risk have significant security issues that make them very vulnerable to criminals. The sites have one or more of the following:

• Missing critical framework security patches
• Known framework vulnerabilities
• Security issues with website setup
• Non-card-harvesting malware

[Charts: "Percentage of total sites" and "Actual numbers" of High Risk websites, Magento 1 and Magento 2, May to late October]

WebScan Results: Card-Harvesting Malware Distribution

• Magento 2: 11.4%
• Magento 1: 88.6%

WebScan Results: Magento 1 & 2 - Loaders & Skimmers

We also track how many websites are infected with loaders and skimmers.

Loaders are small pieces of code designed to load additional malicious code onto a website.

Skimmers are malicious scripts designed to scrape card data and customer information from a site’s payment page before sending them off to the attacker.

The charts to the right show which regions in the world have the highest infection rate, and the chart below shows the change over time.

[Charts: loader and skimmer infections by region (North America, Europe, Asia, Oceania, South America, Africa) for Magento 1 and Magento 2]

[Chart: Skimmer and Loader infections over time, 01/05 to 19/10; y-axis 0 to 5000]

WebScan Results: Magento 1 & 2 - Framework Issues

Framework vulnerabilities are usually bugs in the software used to run your website.

“Framework security patches missing” means a website is missing security patches/updates that are already available.

Framework issues also include insecure website setup, such as leaving default settings in place (e.g. admin panel location, etc.).

It’s good to note that patching in Magento 2 works a bit differently than in Magento 1. With Magento 1, they released standalone security patches. This meant that websites could install these patches over older versions of Magento 1 and they would still be secure against the latest threats without having to update the entire website.

With Magento 2, they abandoned this practice and websites are expected to upgrade to the latest version of Magento should they want to stay secure.

[Charts: "Magento 1 percentages" and "Magento 2 percentages" by region (North America, Europe, Asia, Oceania, South America, Africa); series: Framework Patches Missing, Framework Vulnerabilities]

WebScan Results: Malware Types

These are the types of malware identified in our most recent Magento scan. Cardbleed is still the most common malware found on Magento websites; however, the number of infections has been declining since their big attack.

[Bar chart: share of infections by malware type, x-axis 0% to 80%. Types shown: Cardbleed, Currentdatas, Inter, Keeper, Grelos, Polymorphic, Prototype, GAicu, ImageHarvest, GAfavicon]

WebScan Results: Magento 1 & 2 - Malware Trends

We are tracking which malware type is infecting Magento websites. Due to the Cardbleed attack in September, we have broken the data into two graphs. The first graph shows all malware combined, compared with the spike of Cardbleed, while the second graph shows the trend over time, without it.

As mentioned, Cardbleed is still the most common malware found on infected websites; however, Currentdatas, Inter and Keeper have been the three most common malware, historically.

[Chart 1: Cardbleed and Other Malware infections over time, 06/07 to 13/10; y-axis 0 to 3500]

[Chart 2: infections over time by malware type (GAfavicon, GAicu, ImageHarvest, Prototype, Polymorphic, Grelos, Keeper, Inter, Currentdatas), 06/07 to 13/10; y-axis 0 to 600]

Our Insights

We have seen a decrease in High and Critical risk websites since the last report. Even though this is good news, we cannot let our guard down, as we expect more large-scale attacks to occur: all Magento 1 websites are, and will continue to be, vulnerable (no security patches).

We urge Magento 1 and 2 website owners/administrators to check their configuration/set-ups and make sure they are secure. If possible, they should invest in website security; if not, they should at least take on cyber insurance. Magento 1 website owners/administrators should, without a doubt, invest in website security before the next big attack.

For free guidance, check out our Magento Security Insights. Many of the simple changes we have been advising are precautions that could prevent Cardbleed’s exploit, or any exploit for that matter -- though not for certain.

Additional resources

• Magento Security Insights Page: foregenix.com/magento
• Use our free scanner to understand your website security posture: foregenix.com/webscan
• Try out our website security solution, FGX-Web: foregenix.com/fgx-web