About the Author: Amit Bhaiya

Amit Bhaiya, CEO of DotcomWeavers, brings over 15 years of expertise in the eCommerce industry, offering deep insights and innovative strategies that drive digital growth and transformation for businesses.

For many, the first months of the year are a time to plan upcoming initiatives and endeavors. Although not nearly as exciting as new product offerings and integrations that provide increased capabilities, have you prioritized cybersecurity throughout these plans? Cybersecurity is like physical infrastructure: few people get overly jazzed about road construction, yet it’s a necessity. Most consumers don’t choose an online retailer by examining its cybersecurity implementation to see how well their data will be protected. However, data breaches and incidents that earn your digital storefront a poor reputation for cybersecurity will have your customers speeding away. For Adobe Commerce, what are the top threats, and what can you do to protect against them?

eCommerce Cybersecurity—Causes for Concern

There’s a trio of eCommerce cybersecurity statistics released in 2021 that you should know—and if you aren’t already sitting down, you may want to. According to research conducted by cybersecurity company Imperva:

  • 57% of all eCommerce attacks were conducted by bots (33% average across all other sectors). For additional context, retail cybercrime attempts were divided as follows:
      • 57.44% bot attacks, with 13% more per month in 2021 than in 2020
      • 22.55% distributed denial of service (DDoS) attacks—a technique that prevents legitimate user traffic from reaching your site by tying up network resources.
      • 20.02% categorized under the types of web application attacks defined by the Open Web Application Security Project (OWASP)—notably, injection at 47.8% and security misconfiguration at 40.7%, which rank third and fifth, respectively, on OWASP’s Top 10 Web Application Security Risks.
  • 25% of eCommerce traffic comprises “bad bot” activity. 66.3% is human traffic, and the remaining 8.9% is “good bot” traffic.
  • 33% of login attempts on eCommerce sites were carried out maliciously to access and take over someone else’s account (26% average across all other sectors).

When many people think of cybercriminal activity, scams like “phishing” often come to mind. Phishing remains a threat aimed at your staff, but your Adobe Commerce site itself must also be able to identify and deter bot attacks.

One aspect that makes bot attacks so difficult to defend against is their varying levels of sophistication, as the most advanced bots can mimic organic mouse movement and clicks, among other techniques, to evade detection.

Motivations Behind Attack Bots

On top of evasive attack bots, the diverse motivations behind their usage significantly complicate deciding what to defend and how. For example, cybercriminals may use bots to steal or target:

  • Personally Identifiable Information (PII) and financial data (e.g., credit or gift card information) from your customers, commonly accessed via “account takeovers” or e-skimmers
  • Your data, prices, and content (i.e., “scraping” carried out by dedicated cybercriminals or competitors)
  • Available inventory (e.g., “scalping” goods, adding inventory to carts to force listings to show “out of stock” notices)
  • Payment processing functionality to test whether stolen credit card numbers can be used (i.e., “carding”)

Magecart—A Magento Cybersecurity Example to Learn From

In recent years, one of the most infamous cybercriminal groups to target eCommerce—and Magento (now Adobe Commerce), in particular—has been “Magecart.”

The name, which refers to both the group and the injected code that serves as their standard attack method, is even a portmanteau derived from “Magento” and “shopping cart.” This is due to one of the group’s most devastating attacks, which was executed on online retailers still utilizing Magento 1 in summer 2020 despite its then-new status as legacy software.

Once Magento 1 reached “end-of-life,” over 2,800 eCommerce storefronts still relying on it fell victim to a widespread Magecart attack. In this instance, referred to as “Cardbleed,” Magecart exploited a “zero-day” vulnerability to connect to the admin panel and deliver malware. “Zero-day” refers to cybersecurity vulnerabilities that are unknown to the software provider and support community, or that are known but lack a corrective patch or update.

Once Magento 1 became legacy software and no longer received updates, the hackers struck.

Magecart’s Techniques

Magecart’s techniques generally involve JavaScript (JS) injections—mentioned above as the most common OWASP-defined threat according to Imperva’s statistics. Magecart injections collect payment information via e-skimmers. Some injections rely on bot-driven deployment, and most target third-party payment integrations on eCommerce sites.

After cybercriminals have obtained stolen financial data, their activity often progresses to bot-driven “carding” efforts to determine the information’s viability.

Evaluate Your Integrations and Their Providers

By targeting commonly used integrations, or the “software supply chain,” Magecart can bypass your cybersecurity and compromise your site via third-party connections. All of your site integrations must be thoroughly evaluated before implementation to ensure that both the code and the provider can be trusted.

If you’re an eCommerce business still operating on Magento 1, contact us to discuss migration options to the current 2.4 version for significantly improved cybersecurity.

“Carding” Explained

Carding is the verification method many cybercriminals use to determine whether stolen payment card data can still be used. To do so, the stolen card numbers are used on eCommerce sites, typically via small-value purchases. Criminal activity aside, you stand to suffer from financial and related penalties if your digital storefront is used to perform carding, as hackers will commonly file chargebacks and similar disputes.

Since cybercriminals are attempting to check large card volumes, bots are usually employed to automate carding efforts.

Signs Your Site is Targeted for Carding

If you’ve noticed the following suspicious activity occurring on your eCommerce site, cybercriminals may be using your payment processing for carding:

  • Substantial outliers in payments submitted from the same IP address
      • This indicator is more suspicious if a high percentage of the payments failed to process.
  • A sequence of purchases characterized by low total cost or low order quantities
  • Increased rates of abandoned carts, chargebacks, or attempts to purchase pre-paid gift cards

While some legitimate transactions may resemble carding, having to assess potential false positives is substantially safer than risking your site hosting active criminal activity.
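As an added example (not code from the original article), the following Python scores the first three indicators above over a constructed sample of checkout records: attempts per source IP, the share of failed authorizations, and the median order value. The log format, field names and thresholds are assumptions; chargeback and gift-card signals would come from separate order data.

```python
import json
from collections import defaultdict
from statistics import median
# Constructed sample of checkout attempts (not real store data), one JSON object per line;
# IPs are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ip":"203.0.113.7","total":1.99,"qty":1,"status":"declined"}
{"ip":"203.0.113.7","total":1.99,"qty":1,"status":"declined"}
{"ip":"203.0.113.7","total":2.49,"qty":1,"status":"declined"}
{"ip":"203.0.113.7","total":1.99,"qty":1,"status":"approved"}
{"ip":"203.0.113.7","total":0.99,"qty":1,"status":"declined"}
{"ip":"198.51.100.20","total":149.00,"qty":3,"status":"approved"}
{"ip":"192.0.2.44","total":4.00,"qty":1,"status":"approved"}
"""

# Thresholds are assumptions for this example; tune them against the store's normal traffic
# so that legitimate small orders do not trip the check too often.
MIN_ATTEMPTS = 5     # "substantial outliers" in payments from one IP
MAX_FAIL_RATE = 0.5  # high share of failed authorizations
LOW_VALUE = 5.00     # small-value test purchases

def parse_log(text):
    """Parse one JSON checkout record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def per_ip_stats(records):
    """Aggregate attempt count, failure rate and median order total per source IP."""
    groups = defaultdict(list)
    for r in records:
        groups[r["ip"]].append(r)
    stats = {}
    for ip, rs in groups.items():
        failed = sum(1 for r in rs if r["status"] != "approved")
        stats[ip] = {"attempts": len(rs), "fail_rate": failed / len(rs),
                     "median_total": median(r["total"] for r in rs)}
    return stats

def flag_carding(stats):
    """Return {ip: [reasons]} for IPs matching the carding indicators."""
    flagged = {}
    for ip, s in stats.items():
        checks = [(s["attempts"] >= MIN_ATTEMPTS, "many attempts from one IP"),
                  (s["fail_rate"] >= MAX_FAIL_RATE, "high failure rate"),
                  (s["median_total"] < LOW_VALUE, "low-value orders")]
        reasons = [label for hit, label in checks if hit]
        # Volume plus at least one corroborating signal, so one cheap purchase is not flagged.
        if s["attempts"] >= MIN_ATTEMPTS and len(reasons) >= 2:
            flagged[ip] = reasons
    return flagged
```

Run `flag_carding(per_ip_stats(parse_log(SAMPLE_LOG)))` to see only the documentation-range IP with five mostly declined sub-$5 attempts reported, while the single $4.00 legitimate order is not.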

How to Secure Your Adobe Commerce Site—A Quick Checklist

Adobe regards cybersecurity as a “shared responsibility model,” in that digital storefront operators bear certain responsibilities to safeguard themselves.

Guidance documentation regarding cybersecurity best practices for Adobe Commerce / Magento functions as a quick checklist you can follow to better ensure your site’s security:

  • Check to ensure proper security configurations and coding.
      • Note that security misconfigurations represent 40% of the OWASP-defined threats, according to Imperva’s statistics.
  • Perform vulnerability scanning and penetration testing—both of which are required for your PCI DSS compliance—by partnering with a third-party provider.
      • Vulnerability scanning evaluates your site (or any element of your IT environment) to detect potential means that cybercriminals may exploit to access systems, data, and other resources.
      • Penetration testing is considered a form of “ethical hacking,” during which the testers attempt to bypass your cybersecurity and provide actionable insight afterward.
  • Implement identity management to monitor your personnel’s user account logins, digital or physical access, and activity regarding systems, data, and other critical IT assets.
  • Promptly install all updates and deploy patches released by Adobe. Although this is generally the most effortless item on the checklist, it’s also one of the most critical. Adobe’s responsibility for providing a secure platform and its resources for performing self-assessments (e.g., vulnerability scanning, penetration testing) will help identify and remediate avenues that cybercriminals may exploit.
      • Note that the massive Magecart attack occurred after Magento 1 had entered “end-of-life” (i.e., no longer received updates or patches), demonstrating just how crucial it is that you install updates and deploy patches.
      • While update installation and patch deployment should occur promptly, it’s also critical to first ensure that doing so will not cause any other site operation or integration—particularly those that have been customized—to malfunction. DotcomWeavers can help confirm that updates and patches won’t affect your site’s operation and functionality.
  • Utilize the Magento Commerce Security Scan service provided natively within the platform, which conducts more than 21,000 tests and makes remediation recommendations.
      • You must enable and opt into the Magento Community Security Scan service.
      • You can configure the scanning tool and schedule it to run automatically.
  • Extensively evaluate all third-party partners, service providers, and integrations to ensure they’ve implemented and follow proper cybersecurity measures (and are PCI DSS compliant).
  • Protect your site with Hypertext Transfer Protocol Secure (HTTPS) for secure communications via Transport Layer Security (TLS).
  • Perform regular configuration and data backups.
  • Establish and document a cybersecurity incident response plan so that your personnel readily know what to do should your protections be compromised.
  • Enable reCAPTCHA, a free Google service that requires human interaction on a webpage to deter bot and other brute force intrusion attempts.
      • reCAPTCHA will help prevent carding and other bot-driven efforts.
  • Enforce multifactor authentication for your personnel and strongly encourage your customers to enable it when logging into their accounts on your site.
      • Multifactor authentication requires the user to complete two or more separate identity verification steps. Should traditional username and password credentials become compromised, the additional authentication steps will prevent malicious actors from accessing accounts.
  • Secure all phpinfo files and avoid known PHP function vulnerabilities (e.g., md5, eval, srand).

Periodically running through this cybersecurity checklist and following the Adobe Magento Best Practices Guide will help deter cybercriminals from targeting your eCommerce site. If you need help with secure configuration or implementation, we’re here to help.

Your PCI DSS Compliance

You should keep in mind that, while Adobe lists the above as cybersecurity “best practices,” some are explicitly stated requirements of the Payment Card Industry Data Security Standard (PCI DSS). For example, changing all vendor-supplied security configurations and passwords and partnering with an approved third party to perform quarterly vulnerability scans are both included within the PCI DSS’ 12 Requirements and numerous sub-requirements.

The PCI DSS applies to any organization collecting, processing, transmitting, or storing cardholder data. Therefore, all eCommerce merchants must adhere to the compliance framework. Importantly, regardless of any third-party service provider’s own PCI DSS compliance, your organization remains liable should a breach of cardholder data occur—even if the provider’s service is identified as being at fault.

We can’t stress evaluating your integrations and providers pre-implementation enough.

While PCI DSS compliance efforts may seem burdensome, strict internal enforcement will significantly bolster your Adobe Commerce / Magento site’s security—in addition to helping you avoid non-compliance fines and penalties.

Secure Your Adobe Commerce Site with DotcomWeavers

Unfortunately, cybercrime is all too prevalent, and online retailers are no exception. To best protect yourself, you need to remain up-to-date on the latest threats and vulnerabilities you face, as well as ensure that all cybersecurity measures have been implemented, configured, and continue to operate properly.

Adobe’s own documentation and the PCI DSS compliance framework provide two of the best guidance materials you can reference.

Outside of explicit cybersecurity solutions and services, DotcomWeavers will develop, launch, and support your eCommerce site without exploitable loose ends. Our 14-year track record of success and achievement as a Silver Partner within the Adobe Solution Partner Program (SPP) is a testament to that.