Recently our security experts have been busy overhauling our free external scanning tool. Having done some fine tuning, added a plethora of new scanning capabilities and given it a lick of new paint, it's now ready for the public!
Those of you familiar with our older scanning tool will notice a big difference. The traffic light risk system has been expanded to include a score as well as a new graph so that you can track your results over time (or have one of our security team email the results to you weekly, at no cost). Our scanner is now able to present even more information about Magento-based websites, making it - we believe - the most comprehensive Magento malware scanner available. It also checks for a valid SSL certificate; if a website isn't served over HTTPS it's flagged as unsafe.
Alongside changes to the initial results, we've also added some handy tabs underneath the results so that you can gain a deeper insight into any potential vulnerabilities the scanner may flag up.
As industry leaders in cybersecurity, we take an active interest in the threat landscape. To learn more about the current state of play for Magento, we put our new scanner to good use. We ran it against 217,946 Magento websites and found that 5% were hacked and harbouring credit card harvesting malware, leaking cardholder data to third-party attackers.
The most staggering result of the scan was that 86% of Magento websites were running out of date (unpatched) software. If they’re not already on a list of websites waiting to be hacked, they soon will be (our researchers believe that most of these sites could be hacked in under an hour).
Keeping your software up to date with the latest versions is probably the cheapest way to help your business remain free of unwanted or criminal activity. Patches are released every few months, so keeping an eye on the Magento Security Centre for updates will pay off. The security centre also provides Magento security news, best practices and the option to report any security issues you may find.
Patching isn’t always the easiest of feats, but the security benefits speak for themselves. Would you rather be forced to conduct a forensic investigation, pay for breach costs/liabilities, fines and deal with unhappy customers, or take the steps necessary to patch your environment? The average penalty for losing card data is £36,500.
Our research shows that the most common issues among hacked websites are:
- Out of date (unpatched) software
- Websites with default settings
- Lack of security monitoring
- Weak passwords
You’d expect the issues to be a little more complex, but hackers target the weak. Why would they spend months breaking into big multinational companies when they can easily take control of a multitude of small businesses?
The problems above can be fixed without a great deal of know-how, and fixing them can save you a lot of hassle and money.
Our scanner checks for a multitude of vulnerabilities and is regularly used by businesses of all sizes. We really care about security and we want to give people the opportunity to make sure their environment is safe. Some of the issues and vulnerabilities we check for include:
- Credit card hijack
- Cloud harvester malware
- Unprotected version control
- Outdated software
- Default admin panel location (/admin)
- Magento shoplift
- Magmi vulnerability
- Exposed development files
- Exposed API
- Magento backdoor trojan module
- Missing security patch 6285 (XSS, RSS)
- Missing security patch 6482 (XSS)
- Missing security patch 6788 (secrets leak)
- Missing security patch 7405 (admin takeover)
- Missing security patch 5994 (admin disclosure)
- Malware scanning
If you’re concerned about whether your website is running out of date software, harbouring malware or vulnerable to any of the above attack vectors, please try our scanner for free. No download required: just type in the URL and away you go. Find the link below.