Cybersecurity Insights

Benjamin Hosack

Magento Websites: How is the security health of your website?

10/07/17 16:40
Cyber security is a hot topic, with articles appearing most days within the mainstream media. As consumers, we’re all becoming more cyber-aware as we see the latest well-known brand in the headlines for having lost their client data.

Most of us will have been affected by a credit card breach within the last few years - I can’t imagine there could be many people in first world countries who have not had their credit / debit card details stolen and received a replacement card from their bank. It's a major hassle - stressful and a huge waste of time.

Where does our credit card data get stolen from?

The short answer is: anywhere we use our credit cards, and anywhere that handles our credit card data.
  • Hotels
  • Restaurants
  • Banks
  • Retail shops
  • Call centres
  • eCommerce websites
and many other places too...

We’re one of the leading forensic teams globally - we help a lot of businesses to find out how they were breached, how much got stolen (occasionally we can identify who stole it), and then we advise on how to fix the problems. We're not aware of any sector in the payment card industry that hasn’t had a breach, and we've assisted organisations across the whole spectrum - from regional central banks through to small eCommerce businesses.

The thing is, while we’ve seen breaches across all sectors, the trend over the last few years has most definitely been towards eCommerce websites. In fact, eCommerce websites now make up the bulk of our team’s work. We’re not talking about well-known brands only - we’re seeing eCommerce businesses of ALL sizes getting attacked, hacked and ransacked.

We have a major problem in the payments industry.

What is going on?

Back in April 2017, after seeing a spate of new attacks on Magento websites, we decided to scan a batch of 60,000 websites using our WebScan technology, and the results were VERY interesting:
  • 78% of the websites were missing critical security patches, some dating back to early 2015.
  • > 5,000 were definitely hacked, and we could see the harvesting malware actively stealing payment card data.
After speaking with several leading Magento agencies in the UK and US, it seems there are a couple of issues that the market is unaware of:
  • Fact: these sites are not being maintained. 78% are missing critical security patches.
  • Whoever is managing these sites either:
    • does not understand security;
    • or, to take a more forgiving stance, does not have their eyes on the security of the websites;
    • or is simply not being paid to keep the sites updated, so they don't.
  • The website owners do not understand the implications of a data breach on their business (if they did, they would be insisting on the sites being patched at the very least).

For the 78% that are missing critical security patches, a few very simple steps could completely change the risk profile for their business.

The other interesting observation we had - and it is an obvious one given the data - was that website owners simply do not know how secure their websites are.

Website Security Health Check

For that reason, we have decided to launch a Website Security Health Check to help eCommerce business owners understand how “healthy” the security posture of their website is.

The Website Security Health Check includes:

  • A detailed external vulnerability scan - quite similar to a PCI scan, only more detailed.
  • An internal scan of the website using our FGX-Web tech. This will identify whether there are Indicators of Compromise - webshells, backdoors etc. It also monitors other key data points within a website, such as file changes, access logs and unprotected payment card data.
  • Analysis of all scan results by one of our Threat Intelligence Analysts.
  • A full Website Health Check Report, produced within 7 days, with results and guidance to address any problems.
  • 30 days of website protection and monitoring. We provide a fully functional FGX-Web Managed Service (delivered by our team of Threat Intelligence Analysts) for 30 days to protect and monitor the website.

We’re selling this service for only £250.

Considering the time, knowledge and experience that goes into delivering the service, we believe that this offers huge value to any Magento website owner (especially to the small to medium-sized online businesses who make up the majority of the 78% mentioned above). If you are not 100% certain of your website security status, this would be £250 very well invested.

If you, or anyone you know, may be interested in getting a Website Security Health Check, please get in touch with us and quote “FGX-Web Blog” for £50 off.