Magento is one of the most popular e-commerce platforms, powering millions of businesses worldwide. Created to simplify the process of creating and running an online store, Magento has become the go-to for small and large retailers alike.
Unfortunately, Magento has also found its way into the crosshairs of some of the world's largest and most dangerous hacker groups. Being an open-source piece of e-commerce software, Magento uses MySQL or MariaDB for data storage and management. This naturally presents a wide variety of risks for those using Magento, including but not limited to credit card theft, cryptojacking and SEO spam.
Increasingly, Magento business owners are also being forced to contend with the threat of SQL injection. Irrespective of wider security measures and robust data protection protocols, Magento SQL injection makes it surprisingly easy for hackers to compromise a store’s entire database.
What Can a Magento SQL Injection Do?
For obvious reasons, your database is perhaps the most important and sensitive element of your entire store. The threat posed by SQL injection is nothing new, though it has escalated significantly over recent months and years.
Carried out successfully and without the knowledge of the store owner, a Magento SQL injection can be used to do the following:
- View and copy the database’s contents
- Amend and add to the store’s database
- Delete the database in part or in full
- Hijack customers’ credit card details
- Steal admin credentials for future penetration
A key issue with Magento SQL injection is that by the time the problem is detected, the damage may already be done. Only by identifying the presence of an attempted SQL injection at the earliest possible stage can the consequences of such an attack be minimised or avoided entirely.
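The root cause behind every item in the list above is untrusted input being concatenated into a query string. The following is an added example (not code from this article, from Magento, or from Pivotal) that shows the injectable lookup beside its parameterised counterpart against an in-memory SQLite table. The `customer` table, its columns and the rows in it are constructed stand-ins, not Magento's real `customer_entity` schema.

```python
import sqlite3

# Constructed sample rows standing in for a store's customer table.
# The schema is a hypothetical simplification, not Magento's own layout.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice", "4111-XXXX-XXXX-1111"),
    ("bob@example.com", "Bob", "5500-XXXX-XXXX-0004"),
    ("carol@example.com", "Carol", "3400-XXXX-XXXX-0009"),
]


def build_store_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (email TEXT, firstname TEXT, card_hint TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """Builds the WHERE clause by string concatenation.

    Whatever the caller passes becomes part of the SQL text, so a value
    containing a quote can change the query's logic and expose every row.
    """
    sql = (
        "SELECT email, firstname, card_hint FROM customer WHERE email = '"
        + email
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Same lookup with a bound parameter: the input is treated as data only."""
    sql = "SELECT email, firstname, card_hint FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo(payload="' OR '1'='1"):
    """Run both lookups with the same input; return (rows leaked, rows from safe query)."""
    conn = build_store_db()
    leaked = lookup_vulnerable(conn, payload)
    safe = lookup_safe(conn, payload)
    return len(leaked), len(safe)


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"concatenated query returned {leaked} rows, parameterised query returned {safe}")
```

With the constructed input the concatenated query returns the whole table while the parameterised query returns nothing, because SQLite receives the value as a literal and never re-parses it as SQL. Magento's own data access layer already uses bound parameters; the exposure described in this article typically comes from custom modules or extensions that bypass it.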
What is Magecart?
Magecart is the name adopted by an extensive consortium of malicious hacker groups, which targets e-commerce businesses and their customers. Primarily, Magecart sets its sights on customers' credit card details and other payment information.
In e-commerce, the fact that sensitive payment information must be transmitted immediately creates an opportunity for exploitation. The problem is that the vast majority of e-commerce websites do not sufficiently protect themselves against everyday vulnerabilities.
Targeting e-commerce businesses worldwide since 2016, Magecart is no newcomer to the scene. Just a few of the major brands and online businesses that have been targeted by Magecart over the years include the following:
- Ticketmaster UK
- British Airways
- NewEgg electronics retailer
- Shopper Approved
- Topps sports collectable website
- Atlanta Hawks fan merchandise store
- Forbes magazine
The threat posed by Magecart is such that the group even earned a place in the annual ‘Most Dangerous People On The Internet’ rankings published by Wired in 2018. Nonetheless, evidence suggests that far too many online businesses – particularly e-commerce enterprises – are taking little to no direct action to protect themselves from Magento SQL injection.
Protection from Pivotal
Fronting the fightback against Magecart and the wider threat posed by SQL injection, the developers at Pivotal have launched a simple yet effective SQL Injection Detector tool. For the first time, e-commerce business owners and webmasters can be notified of an attempted (or successful) SQL injection within minutes of the attack.
Pivotal's SQL Injection Detector tool is simple, lightweight and easy to use, continuously checking your Magento 2 database for changes to content rendered to users. If any changes are detected, including ones that later turn out to be false positives, an alert is generated immediately. This provides administrators with the opportunity to reverse the changes and avoid the consequences of SQL injection going undetected.
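The check described above amounts to integrity monitoring of database rows that end up in a page. The following is an added example (not Pivotal's tool and not Magento code) of that approach: it hashes the content of each CMS block, keeps the hashes as a baseline, and reports any block that was modified, added or removed on the next pass. The `cms_block` table name and its `identifier`/`content` columns match Magento 2, but the table is created here in SQLite with a trimmed-down column set, and the tampering applied in `demo()` is a constructed placeholder.

```python
import hashlib
import sqlite3

# Constructed rows shaped like Magento 2's cms_block table (identifier, content).
# The column set is reduced to what the check needs and is an assumption,
# not the full Magento schema.
SEED_BLOCKS = [
    ("footer_links", "<ul><li>About</li><li>Contact</li></ul>"),
    ("checkout_notice", "<p>Orders ship within 2 days.</p>"),
]


def build_cms_db():
    """In-memory SQLite stand-in for the store database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cms_block ("
        "block_id INTEGER PRIMARY KEY, identifier TEXT UNIQUE, content TEXT)"
    )
    conn.executemany(
        "INSERT INTO cms_block (identifier, content) VALUES (?, ?)", SEED_BLOCKS
    )
    conn.commit()
    return conn


def snapshot(conn):
    """Map each block identifier to a SHA-256 digest of its rendered content."""
    rows = conn.execute("SELECT identifier, content FROM cms_block")
    return {
        ident: hashlib.sha256(content.encode("utf-8")).hexdigest()
        for ident, content in rows
    }


def compare(baseline, current):
    """Return sorted (identifier, change) pairs; an empty list means no drift."""
    alerts = []
    for ident in baseline.keys() | current.keys():
        if ident not in current:
            alerts.append((ident, "removed"))
        elif ident not in baseline:
            alerts.append((ident, "added"))
        elif baseline[ident] != current[ident]:
            alerts.append((ident, "modified"))
    return sorted(alerts)


def demo():
    """Take a baseline, simulate unauthorised edits, and return the alerts raised."""
    conn = build_cms_db()
    baseline = snapshot(conn)

    # Constructed tampering: a script tag appended to one block and a new
    # block inserted, the kind of change a skimmer or SEO spam leaves behind.
    conn.execute(
        "UPDATE cms_block SET content = content || ? WHERE identifier = ?",
        ('<script src="INJECTED_PLACEHOLDER"></script>', "checkout_notice"),
    )
    conn.execute(
        "INSERT INTO cms_block (identifier, content) VALUES (?, ?)",
        ("hidden_block", "<p>constructed spam text</p>"),
    )
    conn.commit()
    return compare(baseline, snapshot(conn))


if __name__ == "__main__":
    for ident, change in demo():
        print(f"ALERT: cms_block '{ident}' {change}")
```

In production the baseline would be persisted and the comparison run on a schedule against the live MySQL or MariaDB instance; every legitimate content edit made through the admin panel also shows up as "modified", which is the false-positive case the article mentions, so the baseline must be re-taken after authorised changes. Extending the same check to `cms_page` and to widget instances covers the other rows Magento renders directly into storefront HTML.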
Pivotal is inviting developers to join the fight against Magecart by contributing to the project established on GitHub. Committed to helping Magento store owners worldwide mitigate the threat posed by increasingly sophisticated hackers, Pivotal provides an extensive range of online safety and security services for the proactive e-commerce enterprise.
For more information on the new SQL Injection Detection tool or to discuss Magento security in more detail, contact a member of the team at Pivotal anytime.