The FBI sent out an alert about the popular open-source import utility called Magmi, which is used by many open-source users of Magento 1.
The agency warns cybercriminals may be able to install an e-skimmer that can steal payment card and personally identifiable information from customers.
“According to cyber threat intelligence companies, at least one ‘Magecart Group’ is known to place the e-skimming script directly on e-commerce websites and use HTTP GET requests to exfiltrate the stolen payment data via proxies (compromised websites).”
“Victims normally encounter the e-skimmer as a small snippet of script appended to their e-commerce website’s source code. The FBI has identified new IOCs which may assist in network defense.”
NOTE: This FBI warning DOES NOT concern Adobe’s Magento Commerce cloud-based editions; it impacts only the older self-hosted Magento 1 editions that have the Magmi extension installed.
Magento 1 and Magmi
The Magmi version identified with this vulnerability is Magento Mass Import (MAGMI) software version 0.7.22; it is not known whether other versions are also affected.
Magmi version 0.7.22 is the last version available on the SourceForge open-source software development platform. A newer version, 0.7.23, is available on GitHub and claims to address authentication issues; it was last updated 17 months ago.
Because Magmi is open-source software and works on older Magento 1 installations, it has seen very little development.
When Adobe purchased Magento in 2018, it moved the future of the platform to cloud-based commerce, effectively dooming future open-source releases.
Still, there are thousands of websites using Magento 1 software and web hosting service Nexcess even announced it would continue to offer security updates past Adobe’s end-of-life date of June 2020.
Despite many technology improvements in online commerce, Magento 1 still has its fans and there are still many professional developers maintaining extensions for the platform.
However, extensions that are no longer being developed can become targets for attackers, who can exploit security holes that will not be identified or patched quickly.
This seems to be the case with Magmi, and the FBI has issued its standard recommendations against e-skimming for the Magmi vulnerability.
FBI Recommendations Against E-Skimming
- Update and patch all systems, to include operating systems, software, and any third-party code running as part of your website.
- Keep anti-virus and anti-malware up to date and firewalls strong.
- Disable extensions and functions within your e-commerce website that are not being used.
- Change default login credentials on all systems.
- Monitor requests performed against your e-commerce environment to identify possible malicious activity.
- Segregate and segment network systems to limit how easily cybercriminals can move from one to another.
- Assign unique, complex local administrator passwords to all workstations and other network endpoints to limit the exposure from a single compromised password.
- Assign permission codes to website directories and files to help prevent unauthorized access to files containing website scripts.
- Secure all websites transferring sensitive information by using secure socket layer (SSL) protocol.
- Install third-party software/hardware from trusted sources. Coordinate with the manufacturer to ensure their security protocols prevent unauthorized access to data they store and/or process.
- Patch all systems for critical vulnerabilities, prioritizing timely patching of internet-connected servers for known vulnerabilities and software processing internet data, such as web browsers, browser plugins, and document readers.
- Actively scan and monitor weblogs and web applications for unauthorized access, modification, and anomalous activities.
- Regularly conduct network penetration tests, code integrity checks, and dynamic application security tests on websites to identify vulnerabilities or misconfigurations.
- Strengthen credential requirements and implement multifactor authentication to protect individual accounts.
- Conduct regular backups to reduce recovery time in the event of a compromise or cyber intrusion.
- Educate employees about safe cyber practices. Most importantly, do not click on links or unexpected attachments in messages.
- Maintain an updated Incident Response Plan addressing cyber threat response.
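The warning describes the skimmer as a small snippet of script appended to the site’s own source code, and the recommendations above ask for code integrity checks and correct file permissions on website directories. The following is an added example of how a small integrity check of that kind can work; it is not code from the FBI warning, from Magmi or from Magento. It takes a SHA-256 baseline of the files a browser executes or the server renders (the set of watched suffixes is an assumption), reports files that were added, removed or modified since the baseline, and lists files any local user could modify. The web root layout and the simulated tampering in `demo()` are constructed for the example.

```python
"""Baseline-and-diff integrity check for a web root (added example, not
part of the FBI warning or of the Magmi/Magento projects)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed set of file types worth tracking on a Magento 1 install:
# anything the browser executes or the server renders.
WATCHED_SUFFIXES = {".js", ".php", ".phtml", ".html"}


def _watched_files(webroot: Path):
    """Yield watched files under the web root in a stable order."""
    for p in sorted(webroot.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            yield p


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large bundles need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict:
    """Map each watched file (path relative to the web root) to its digest."""
    return {p.relative_to(webroot).as_posix(): file_sha256(p)
            for p in _watched_files(webroot)}


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline
                           if f in current and baseline[f] != current[f]),
    }


def find_world_writable(webroot: Path) -> list:
    """List watched files whose mode grants write access to 'other' (o+w)."""
    return [p.relative_to(webroot).as_posix() for p in _watched_files(webroot)
            if p.stat().st_mode & stat.S_IWOTH]


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate tampering, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "htdocs"
        (webroot / "js").mkdir(parents=True)
        (webroot / "js" / "checkout.js").write_text("function pay(){}\n")
        (webroot / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (webroot / "logo.png").write_bytes(b"\x89PNG")  # not watched
        for p in webroot.rglob("*"):          # known-good starting permissions
            if p.is_file():
                os.chmod(p, 0o644)

        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(webroot), manifest_path)

        # Simulated tampering (constructed): a snippet appended to an existing
        # script, a new file dropped into the web root, and a file made o+w.
        with (webroot / "js" / "checkout.js").open("a") as fh:
            fh.write("/* constructed appended snippet */\n")
        (webroot / "js" / "extra.js").write_text("// constructed new file\n")
        os.chmod(webroot / "index.php", 0o666)

        report = compare_manifests(load_manifest(manifest_path),
                                   build_manifest(webroot))
        report["world_writable"] = find_world_writable(webroot)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline manifest would be taken right after a clean deployment and stored somewhere the web server account cannot write, and the comparison would run on a schedule; any entry under `added` or `modified` that does not correspond to a known deployment is exactly the kind of appended snippet the warning describes and warrants a look at the file and the web logs around the change.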
Here is the complete FBI warning on Magmi that includes additional vital details.
Magento 1 users who rely on Magmi may wish to consider other import tools, or uninstall Magmi completely if it is not needed.
If you’d like to talk about this story
Please head over to our Facebook Group for Small Business Sellers and interact with other small business owners.