Cybersecurity Insights

Isabel Louisa Rawlings

Over 75% Of Global Magento Websites At High Risk Due To A Simple Oversight

13/03/19 17:46

Security scans and analysis on over 170,000 Magento websites (the most popular e-commerce platform globally) revealed that over 75% are at high risk from cyber criminals, with a further 1% being at critical risk.

Our latest global survey identifies the most significant vulnerability for SMEs is hackers looking to exploit the absence of critical security patches.

Anatomy-of-a-Magento-Hack-743984-editedWe found around 90% of websites using Magento 1 were at risk across all regions, with South America and Africa registering higher than average risk figures. However, the figures fell sharply for all regions to around 40% for Magento 2 websites.

The global analysis also revealed that 1.5% of sites surveyed (2,548) were infected with malware. Out of these infected sites, 1,591 were compromised by credit/debit card stealing malware which is actively harvesting their customers’ sensitive data for subsequent sale and/or fraud.

A further 2.3% of all websites are vulnerable to Magento Shoplift, a vulnerability which was disclosed and patches made available in January 2015. This allows hackers to completely administer the website remotely, steal sensitive data, and even order items for free through a single exploit command which is publicly available.


The research was unveiled for the first time at Payment Card Industry Security Standards Council European Community Meeting in London. Foregenix CEO, Andrew Henwood, said: ‘The issues highlighted are a truly global problem, which threatens to undermine confidence in eCommerce, especially in markets leading the way in online sales such as the UK and US. Repercussions as a result of compromises are heavy penalties by card providers and these put many smaller traders at risk.

‘Magento and other eCommerce platforms release regular software updates in response to vulnerabilities. These security patches, if not used, can leave websites highly vulnerable to hacking and loss of sensitive data.

‘Online businesses often assume web developers, agencies and hosting providers take care of security. Design agencies are great at producing beautiful, transactional websites that sell their wares, but their expertise on security issues generally isn’t as well developed. Agencies and their clients need to be aware of eCommerce security issues, as even a single breach can be devastating for a small business.

‘Simple precautions can make a real difference to reducing a company’s risk from criminals such as regular patching, changing default settings on the administration interface, and using stronger passwords with multi-factor authentication. Risk can never be entirely eliminated, so companies should also consider investing in a partnership with a cybersecurity specialist organisation and a cyber insurance policy.‘

Any business that wants to know whether its website is secure can scan externally for free, using similar technology that detected the issues above using the link below

Scan Your Website Now

TRENDING POSTS

David Kirkpatrick
Penetration Testing: The Quest For Fully UnDetectable Malware

Malware continues to be one of the main attack vectors used by criminals to compromise user and ...

Read More
Kirsty Trainer
"Key" to Secure Data - P2PE - Derived Unique Key Per Transaction (DUKPT)

Written by Andrew McKenna, PCI QSA, PCIP at Foregenix The encryption key infrastructure usually ...

Read More