MAGENTO WEBSITE SECURITY REPORT Contact Us www.foregenix.com/webscan Tel: +44 845 309 6232 5th October 2020 Produced by Foregenix overview whO is fOREGENIX? We are a leading independent cybersecurity company with a focus on keeping the world’s payment systems secure. With over a decade of experience in the Payment Card Industry (PCI), we help merchants, payment processors, banks and other operators to ensure they are securing their environments effectively while complying with industry security standards. We won the Queen’s Award for Enterprise in 2019. what do we do? Compliance & Risk Digital forensics & response cybersecurity technology 5th October 2020 overview what is webscan? We currently monitor over 300,000 Magento Merchants globally WebScan is our comprehensive non-intrusive website scanning solution. It analysis websites for specific security vulnerabilities to produce a risk score. The scans are passive, meaning it looks for publicly available information (just like criminals do), and at no point does it try to exploit vulnerabilities. WebScan looks for: • Malware (including card skimmers) • Platforms and patching information • SSL issues We like to say that WebScan is the most up-to-date website scanning solution in the market, as it is constantly updated by both our forensic team and Threat Intelligence Group. 5th October 2020 The Risk Categories CRITICAL Already hacked, card data actively being stolen hIGH At risk of being hacked - easily mEDIUM Some issues, unlikely to get hacked LOW Hacking unlikely THIS IS THE PROBLEM ZONE overview 5th October 2020 overview Summary 200,000 decrease 93% 55% Nearly websites remain on the Magento 1 Platform Significant in the number of Magento websites of Magento 1 websites are High/Critical Risk of Magento 2 websites are High/Critical Risk Magento remains the most targeted platform by criminals 5th October 2020 webscan results website numbers (all magento) 350000 280000 210000 140000 70000 0 May June Early July Late July Magento 1 Early Aug Late Aug Early Sept Late Sept Early Oct Magento 2 5th October 2020 WEBSCAN RESULTS CRITICAL RISK Websites with Critical Risk have already been hacked (with card data being actively stolen). This month we have seen a significant drop in the % of hacked Magento 1 and 2 websites, but this number is still much bigger than usual. 5000 2.5 4000 2.0 3000 1.5 1.63% 1.0 Late Sept Magento 1 May Late July Early Aug Late Aug 0.35% 0.67% 0.37% 0.72% 0.45% 0.76% Early July 0.61% June 0.79% 0.93% 0.93% 0.86% 424 Early Oct Early Sept 0.43% Early Sept 418 338 1337 359 Late Aug 0.43% Early Aug 1423 415 1529 532 Late July 0.52% Early July 1617 418 1998 June 0.0 0.47% May 0.5 0.48% 0 371 372 1907 1000 2040 3003 2000 2.34% Percentage of total sites 4565 actual numbers Late Sept Early La Oct Magento 2 5th October 2020 WEBSCAN RESULTS high RISK Websites with High Risk have significant security issues that make them very vulnerable to criminals. The sites have one or more of the following: • Security issues with website setup • Non Card Harvesting Malware • Missing critical framework security patches • Has known framework vulnerabilities May June Early Late Early Late Early Late Early July July Aug Aug Sept Sept Oct Magento 1 0 54.32% 91.38% 54.66% 51.30% 90.49% 93.49% 45.95% 50.98% 93.50% 94.85% 51.69% 20 95.84% 40 53,112 53,672 167,873 176,546 49,794 44,186 47,253 44,813 39,993 39,415 0 37,703 40000 185,846 189,596 197,378 201,267 207,925 80000 48.70% 60 93.61% 120000 51.15% 80 49.05% 160000 185,521 100 206,021 200000 94.19% Percentage of total sites 93.96% actual numbers May June Early Late Early Late Early Late Early July July Aug Aug Sept Sept Oct Magento 2 5th October 2020 WEBSCAN RESULTS card-harvesting malware distribution 12.4% 87.6% Magento 2 Magento 1 5th October 2020 WEBSCAN RESULTS Magento 1 & 2 - Loaders & skimmers We also track how many websites are infected with loaders and skimmers. Loaders - are small pieces of code designed to load in additional malicious code onto a website. Skimmers - are malicious scripts designed to scrape card data and customer information from a site’s payment page before sending them off to the attacker. magento 1 1250 701 1000 750 293 500 437 The charts to the right show which regions in the world have the highest infection rate, and below shows change over time. 250 0 5000 North Europe America 64 42 21 32 Asia 200 3000 1 6 Oceania South America Africa Loader 250 Loader 11 5 Skimmer magento 2 Skimmer 4000 360 125 150 2000 100 1000 50 90 20 29 0 0 01/05 01/06 01/07 01/08 20/08 07/09 21/09 05/10 North Europe America 4 7 1 5 Asia 0 0 Oceania South America 0 0 Africa 5th October 2020 WEBSCAN RESULTS magento 1 & 2 - framework issues Framework vulnerabilities are usually bugs in the software used to run your website. “Framework security patches missing” means a website is missing security patches/updates that are already available. It’s good to note that patching in Magento 2 works a bit differently than in Magento 1. With Magento 1, they released standalone security patches. This meant that websites could install these patches over older versions of Magento 1 and they would still be secure against the latest threats without having to update the entire website. Framework issues also include insecure website set up, such as leaving default settings in place (e.g. admin panel location, etc) With Magento 2, they abandoned this practice and websites are expected to upgrade to the latest version of Magento should they want to stay secure. magento 2 PERCENTAGES magento 1 PERCENTAGES 60 50 70 Framework Patches Missing 52.1% Framework Vulnerabilities 50.7% 40 30 36.8% 60 50 40 37.1% 30 20 20 10 10 5.7% 0 66.4% North Europe America 6.6% Asia 2.7% 2.9% 2.2% 2.3% Oceania South America 24.9% 4.3% 0.4% 0.4% Africa 0 North Europe America Asia 4.3% 0.0% Oceania South America 0.0% Africa 5th October 2020 WEBSCAN RESULTS Malware Types GAfavicon 0.37% GAicu 0.77% ImageHarvest Prototype Polymorphic 2.25% Other malware types have risen in proportion due to this. 0.74% 1.39% Grelos 2.87% Keeper Inter These are the types of malware identified in our most recent Magento scan. ‘Cardbleed’, which was a previously-unknown card data skimmer that attacked thousands of websites just before our last report, has dropped significantly. 4.78% 10.07% Currentdatas 11.43% Cardbleed 0% 48.78% 10% 20% 30% 40% 50% 60% 70% 80% 5th October 2020 WEBSCAN RESULTS magento 1 & 2 - Malware Trends We are tracking which malware type is infecting Magento websites. Due to the Cardbleed attack in September, we have broken the data into two graphs. The first graph shows how all malware combined compares with the spike of Cardbleed, while the second graph shows the trend over time without it. This month, we can see a significant decrease of Cardbleed malware, which may correlate with the decline in Magento websites. However, it is still the biggest threat to Magento websites and is bigger than all other malware combined. currentdatas 3500 Other Malware 3000 keeper 500 Cardbleed 2500 inter 600 GAfavicon 400 2000 grelos 300 1500 imageHarvest 200 prototype 500 100 polymorphic 0 0 1000 06/07 13/07 05/08 19/08 02/09 18/09 01/10 GAicu 06/07 13/07 05/08 19/08 02/09 18/09 01/10 5th October 2020