Magento continues to be the target of hackers; this time they are trying to exploit people who have not yet patched certain vulnerabilities, and asking them to install a fake patch.
The fake patch is being promoted in relation to a real vulnerability known as the Shoplift Bug. This bug has a real patch, SUPEE-5344, which was released almost a year ago. However, there are a large number of sites that have not yet installed the patch, and this means that attackers have the potential to compromise thousands of Magento online stores.
Magento is an incredibly popular ecommerce platform which was originally managed by eBay, but has since been spun off as a separate company. It has users of all sizes, from multi-national companies such as Nike and Olympus to independent store owners. The Shoplift Bug is a serious remote code execution bug which allows attackers the opportunity to get admin access to the store. This means that they can then take control and create other accounts, install other malware, or even access customer payment information and hijack the script that strips out credit card details when payments are being processed.
The vulnerability opened up the opportunity for attackers to siphon off sensitive details, making it a critical problem – yet in spite of this there are still thousands of un-patched stores. Many of those have fallen victim to attacks using bots which deliver the Neutrino exploit kit, but there are still some store owners blissfully unaware as to how vulnerable their store really is.
Magento 2.0 is available now, and it is probably a good idea for store owners to upgrade to it, since it not only patches this vulnerability, but it includes a number of other patches and updates that make the site generally more secure and stable, even under heavy load.
If you are heavily invested in the Magento 1.9x community edition infrastructure, or the older versions of the Enterprise Edition, then you might want to wait to update, because there are a lot of plugins and extensions which haven’t been upgraded as yet. If you are going to stay on the older version for a little while longer, then it is important that you install all the SUPEE updates (directly from the Magento website, not via a third party), and any other incremental updates that have been made available by the developers.
Updating is easy, and will protect your customer data, your store and your reputation.