Hack online shops. Real case from Default Value

April 18, 2023


Hacker attacks cause huge losses for online stores and put their buyers at risk: loss of money, customers, suppliers, and their trust. Such consequences for a store you have invested so much effort in are at least a colossal headache, and more likely a disaster. They can happen to anyone who does not have a company watching their back and keeping hackers away from their site. Large companies are targeted most often, but that does not mean owners of small and medium-sized businesses can ignore security for eCommerce.

At Default Value, we understand this problem very well because we have seen more than one online store get hacked. What we can say for sure is that we always find the vulnerabilities that made the hack possible and, of course, take all necessary measures to ensure it does not happen again. Most often, the root cause is a lack of timely updates and of investment in project security. If that has not yet convinced you of how dangerous hacking is, here are some statistics.

Hacks of online stores happen very often; that is simply our reality. Gitnux estimates that global eCommerce fraud losses will reach $48 billion by the end of 2023, up 16% from last year. The most common types of fraud in eCommerce are identity theft (71%), phishing (66%), and account theft (63%), with credit cards being the most popular target.

In this article, we will discuss how hacking attacks on eCommerce sites happen and how to protect your store from them, and we will share a case from our practice that stands out from other hacks. Let's go!

Why do online stores get hacked?

So why do online stores get hacked? Most often, there are two reasons. The first is that hackers try to take the site down with DDoS attacks so that it simply stops working, which hurts users and owners alike: a kind of digital vandalism.

The second is that a site is hacked to steal money or user data. What is much more interesting is which online stores get hacked most often: those whose owners have not invested in timely updates to their platform and its security.

For example, a new version of Magento is released a year or two after the previous one. As a rule, the official website says, "We have released new security patches and covered the following vulnerabilities..." If the site is still on an old version of Magento, hackers already know all its weaknesses. The longer the owner delays updating, the more vulnerable the store becomes, and the more money, time, and nerves retail cyber security will cost in the future.


How do you know if your eCommerce site has been hacked?

So, let's assume your site has been hacked, but you have not received any ransom demands. How do you know there has been a hack?

A list of possible “symptoms” may include:

  • Fake forms appear on the checkout page, and you notice a decrease in sales
  • Search engines blacklist your Magento store
  • Your hosting provider suspends your site
  • The files on the server have been changed
  • Malicious redirect links appear on your site
  • Your admin panel is corrupted, or you have a blank screen after logging in
  • Your store's website is running slowly and giving error messages
  • New, unauthorized admins appear in the users list
  • Google shows spammy keywords in search results for your site
  • Customers report stolen credit card information
  • Customers notice errors on your site

The last two are the most painful for the store because they undermine customer confidence.


In addition, a lot depends on investing in security for eCommerce. It is not a one-time effort but a process with constant monitoring: the site should be updated systematically, and logs and security issues checked regularly. Hackers may not come to you today or tomorrow, but they will definitely come the day after tomorrow, and you have to secure your business against possible interference in advance.

Magento is popular with hackers. How and why is Magento being hacked?

So why do online stores on Magento so often become the target of hacker attacks? The answer is simple: money and customers' personal data to trade with. Hackers can also encrypt the data on the server and extort money for its return.

There are many ways to hack a Magento site. Let's consider the most frequent ones.

DoS/DDoS attacks

An eCommerce website receives a huge number of users and requests every day, and a day of downtime can cost the owner a lot of money.

This situation can be created deliberately, for example during sales or holidays. The scheme is simple: create conditions under which the server cannot withstand the load. A DoS attack sends many requests from a single IP address; most likely, your firewall will block such manipulation. In a DDoS attack, an abnormally large number of requests is sent from multiple IP addresses, which the firewall may not recognize as an attack but as user requests that it will try to cope with. But here the logic is obvious: if the site can handle 100 Mbit/s, it simply cannot cope with 1 Gbit/s of traffic. Even autoscaling without proper protection may not help, or it will result in incredibly high hosting costs.
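The difference between the two patterns is easiest to see in the access log. The following is an added example, not code from Default Value or from the article: it parses a batch of constructed combined-format log lines, counts requests per client address, and applies two assumed limits, a per-address limit of the kind a firewall enforces and an assumed total capacity for the window. The single-source flood trips the per-address rule; the distributed one stays under it on every address yet still exceeds capacity.

```python
"""Per-IP and aggregate request counts over a batch of constructed access-log lines.

Added example (not Default Value's code): the log lines are constructed for
illustration, the thresholds are assumptions, and the whole batch is treated
as one measurement window.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)'
)

# Constructed sample: one address sending 60 checkout requests in the window (DoS pattern),
# plus one ordinary visitor.
DOS_LOG = [
    '203.0.113.7 - - [18/Apr/2023:10:00:00 +0000] "GET /checkout/ HTTP/1.1" 200 512'
] * 60 + [
    '198.51.100.4 - - [18/Apr/2023:10:00:01 +0000] "GET /catalog/ HTTP/1.1" 200 2048'
]

# Constructed sample: the same 60 requests spread over 60 different addresses (DDoS pattern).
DDOS_LOG = [
    f'198.51.100.{i} - - [18/Apr/2023:10:00:00 +0000] "GET /checkout/ HTTP/1.1" 200 512'
    for i in range(1, 61)
]


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, per_ip_limit=50, capacity=50):
    """Count requests per client address and compare against two limits.

    per_ip_limit: requests one address may send in the window (a firewall-style rule).
    capacity:     total requests the server can serve in the window (assumed).
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["ip"]] += 1
    total = sum(counts.values())
    return {
        "total_requests": total,
        "unique_ips": len(counts),
        "flooding_ips": sorted(ip for ip, n in counts.items() if n > per_ip_limit),
        "over_capacity": total > capacity,
    }


if __name__ == "__main__":
    for name, log in (("DoS", DOS_LOG), ("DDoS", DDOS_LOG)):
        print(name, analyse(log))
```

A per-address rule alone reports nothing for the distributed batch, which is exactly why the article says a firewall may take a DDoS for ordinary user traffic; the aggregate check is what shows the server is over capacity.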

SQL Injections

Simply put, an SQL injection is an attack on the database for profit. Any site has contact forms where the user enters their data: personal data such as phone number, email, and name, and sometimes information about their bank card or identity document (passport, ID code).


The data the user enters is stored in the database on the server. A hacker only needs to find an unsecured contact form to inject a piece of code that changes the logic of the query. This way, they intercept the data that a user enters.
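What "changes the logic of the query" means is clearest with the defective lookup beside its fixed form. This is an added example, not Default Value's or Magento's code: the customers table, its two rows and the function names are constructed, and it uses Python's built-in SQLite rather than the MySQL-through-PHP stack Magento runs on, because the defect and the fix are identical in any language and database.

```python
"""An injectable lookup beside its parameterised form, on an in-memory SQLite table.

Added example, not Default Value's code: the table, the rows and the function names
are constructed for this illustration.
"""
import sqlite3


def make_db():
    """Create a throwaway customers table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, phone) VALUES (?, ?)",
        [("alice@example.com", "+1-555-0100"), ("bob@example.com", "+1-555-0101")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """The form's input is pasted into the SQL text, so it can change the query's logic."""
    sql = "SELECT email, phone FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The input is bound as a value; the database never parses it as SQL."""
    return conn.execute(
        "SELECT email, phone FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # textbook input that turns the WHERE clause into "always true"
    print(lookup_vulnerable(db, "alice@example.com"))   # one row, as intended
    print(lookup_vulnerable(db, tautology))             # every row comes back
    print(lookup_safe(db, tautology))                   # no row has that literal e-mail
```

Binding parameters is the whole fix: the same input that rewrites the WHERE clause in the first function is just an e-mail address nobody has in the second.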

Spyware viruses

The website of any online store has a chat where you can communicate with a manager: describe a problem, ask a question, and even illustrate it by uploading a file to the chat. To open a text document, the manager has to click on the file, which is then automatically downloaded to their computer.

This way, a virus can be delivered that will, for example, monitor all keystrokes, from passwords for email and cloud file storage to access to the store's admin panel. And the employee may not even know that the file was infected.

Case Study: How was our client’s eCommerce hacked?

Here is a real example from our practice. One of our clients, the owner of an online store, noticed that sales had dropped significantly. In this case, the fraud scheme was more interesting and sophisticated than a dirty DDoS. The hacker added a fake Google Tag Manager account via the Magento configuration. Through it, malicious JavaScript code was loaded that created a false form for entering bank card data to pay for purchases.


It turned out that all the scripts on the site looked normal to us as programmers. But here it was important to remember one thing: Google Tag Manager has a feature that allows additional JavaScript code to be added to the page.

How we discovered the hacking of the online store

How did we investigate this? When we were told that something was happening on the site during the payment process, we first checked the Magento code. There was nothing wrong with it. We made sure that there was no malicious script in the database either. After that, we started working directly on the payment form.

At first, we tried to find this exact payment form in the code of Magento itself or in the database. When we could not find it, it became clear that some additional malicious JavaScript code was producing it. Then we searched for the scripts loaded on the payment page, filtered them by the domains they were loaded from, and found an interesting script whose file had a .css extension. It is essential to clarify that JavaScript files have a .js extension, so seeing a .css file there was very strange.

When we looked at it, we realized that the file was encrypted. It was not just open source code that could be read. It became clear that this was where the source of our problems was hidden. The client confirmed that he had Google Tag Manager accounts, but the particular one we found did not belong to him. Bingo! We found it and deleted it.
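The three manual steps above (list the scripts on the payment page, group them by the domain they load from, look for the one that does not belong) can be turned into a repeatable check. The following is an added example, not Default Value's code or anything recovered from the client's site: the checkout HTML, the allowed hosts, the container IDs and the CDN host name are all constructed for the illustration. It flags a script served with a non-.js extension, a script from a host the shop does not use, and a Google Tag Manager container the owner does not recognize.

```python
"""Inventory the scripts on a checkout page and flag the ones that deserve a closer look.

Added example, not Default Value's code. The HTML, the allowlist, the container IDs
and the host names are constructed for this illustration.
"""
import posixpath
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed checkout page: Magento's own RequireJS loader, the owner's GTM container,
# a second GTM container the owner never created, and a "script" served as a .css file
# from a host the shop does not use.
CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example.com/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-OWNER01"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-UNKNWN9"></script>
<script src="https://static-cdn.example.net/assets/checkout.css"></script>
</head><body><form id="co-payment-form"></form></body></html>
"""

PAGE_HOST = "shop.example.com"                                     # assumption
ALLOWED_HOSTS = {"shop.example.com", "www.googletagmanager.com"}   # assumption
KNOWN_GTM_IDS = {"GTM-OWNER01"}                                    # assumption: the owner's real containers


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.sources


def scripts_by_host(html, page_host=PAGE_HOST):
    """Group script URLs by the host they are loaded from (relative URLs count as the page's host)."""
    groups = {}
    for src in collect_scripts(html):
        host = urlsplit(src).hostname or page_host
        groups.setdefault(host, []).append(src)
    return groups


def audit_scripts(html, allowed_hosts=ALLOWED_HOSTS, known_gtm_ids=KNOWN_GTM_IDS, page_host=PAGE_HOST):
    """Return (url, reason) pairs for scripts that do not match what the shop expects."""
    findings = []
    for src in collect_scripts(html):
        parts = urlsplit(src)
        host = parts.hostname or page_host
        ext = posixpath.splitext(parts.path)[1].lower()
        if host not in allowed_hosts:
            findings.append((src, "loaded from a host not on the allowlist"))
        if ext != ".js":
            # a script tag pointing at a .css (or extension-less) file is the oddity from the story
            findings.append((src, f"script served with {ext or 'no'} extension"))
        if host == "www.googletagmanager.com":
            for cid in parse_qs(parts.query).get("id", []):
                if cid not in known_gtm_ids:
                    findings.append((src, f"unknown GTM container {cid}"))
    return findings


if __name__ == "__main__":
    for host, urls in scripts_by_host(CHECKOUT_HTML).items():
        print(host, urls)
    for url, reason in audit_scripts(CHECKOUT_HTML):
        print("SUSPECT:", url, "->", reason)
```

The container check is the important addition over a plain domain filter: the rogue container in the story loaded from Google's own host, so only comparing the IDs against the ones the owner actually created exposes it.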


We have to hand it to that scammer: often, they embed malicious code on the site directly, but the hero of our story chose a more interesting and, dare we say it, elegant scheme.

Which methods help to prevent such hacking problems and improve security for eCommerce?

What does Magento have to do with it? The point is that Magento (especially its latest versions) has a great feature: configuring CSP, the Content Security Policy. This is a security mechanism that protects you from content injection attacks such as cross-site scripting (XSS). It is a header that the web server sends with each response to the browser, telling it where certain resources (files, videos, fonts, JavaScript, etc.) may be loaded from. The browser automatically blocks loading from any source not on that list. CSP should be on any site: first, to prevent malicious content from being loaded, and second, even if that does happen, to stop data from your site being sent back to the hackers. This is our first outpost of defense against hacks.
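To show what "the browser blocks any source not on the list" does to the script from the story, here is an added example, not Default Value's or Magento's code. It renders a script-src directive from a constructed allowlist (the shop's own origin, Google Tag Manager, and a wildcard for the shop's subdomains) and evaluates candidate script URLs against it. The matcher implements only the host-source part of CSP ('self', scheme://host, bare host, and *.host), not ports, paths, nonces or hashes.

```python
"""Build a script-src policy and check candidate script URLs against it.

Added example, not Default Value's or Magento's code. The allowlist and the page origin
are constructed; the matcher covers the host-source subset of CSP only.
"""

PAGE_ORIGIN = "https://shop.example.com"                                   # assumption
SCRIPT_SOURCES = ["https://www.googletagmanager.com", "*.example.com"]     # assumption


def build_csp_header(script_sources=SCRIPT_SOURCES):
    """The header line the web server would send with every response."""
    return "Content-Security-Policy: script-src 'self' " + " ".join(script_sources)


def _split(url):
    """Return (scheme, host) of a URL or host-source expression, lower-cased ('' scheme if absent)."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        scheme, rest = "", url
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return scheme.lower(), host.lower()


def source_matches(expr, url, page_origin=PAGE_ORIGIN):
    """Does one source expression admit this script URL?"""
    page_scheme, page_host = _split(page_origin)
    scheme, host = _split(url)
    if expr == "'self'":
        return (scheme, host) == (page_scheme, page_host)
    exp_scheme, exp_host = _split(expr)
    if exp_scheme:
        if scheme != exp_scheme:
            return False
    elif scheme != page_scheme and not (page_scheme == "http" and scheme == "https"):
        return False          # scheme-less sources inherit the page's scheme (https may upgrade http)
    if exp_host.startswith("*."):
        return host.endswith(exp_host[1:])   # subdomains only, not the bare domain
    return host == exp_host


def script_allowed(url, script_sources=SCRIPT_SOURCES, page_origin=PAGE_ORIGIN):
    """Would a browser enforcing this script-src load the given script?"""
    return any(source_matches(e, url, page_origin) for e in ["'self'"] + list(script_sources))


if __name__ == "__main__":
    print(build_csp_header())
    for candidate in (
        "https://shop.example.com/static/require.js",
        "https://www.googletagmanager.com/gtm.js?id=GTM-OWNER01",
        "https://static-cdn.example.net/assets/checkout.css",   # the kind of script from the story
    ):
        print("allowed" if script_allowed(candidate) else "BLOCKED", candidate)
```

Note the limit this makes visible: the .css file from an unknown host is blocked, but a rogue container fetched from www.googletagmanager.com passes, because that host is on the allowlist. CSP stops the payload's host from being anything the policy did not name; it does not decide which containers on an allowed host are yours, which is what restricting who can add JS through the Magento configuration is for.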

The second important thing is firewalls. If possible, the online store should not be directly accessible from the web. The role of the firewall is to filter the traffic and check whether there is harmful content (e.g., a virus file) in what people try to send you on certain pages. Along with CSP, this is a beneficial practice.


The third thing you can do is ask your developers to disable adding JS via the Magento configuration. The default Magento checkout is also designed with security in mind: it does not contain additional CMS blocks into which malicious scripts could be injected. Thus, compromising your Admin Panel access will not make the checkout process vulnerable.

Conclusions. The main points for the safety of eCommerce projects

So, today we have taken apart an exciting example of what scammers can do to an online store's site. What conclusions can we draw?

  • Update Magento to the latest version, and don't tell fraudsters where your site is vulnerable.
  • Use firewalls and CSP; this is a must-have for any site, not just Magento.
  • Monitor your online store for suspicious activity or content in good time; do not wait until your clients tell you that something on your site is going wrong.
  • Have a permanent technical partner to back you up.

Better yet, seek help on the above points from professionals: an agency that takes on timely updates to the store, checking and fixing vulnerabilities, and applying all necessary security measures. In other words, a partner who saves you from headaches long before they occur, so you can focus on developing your business.

Investing in timely checks is cheaper than the losses your business may incur from a hacker attack, not to mention the trust of your clients and simply your nerves.

At Default Value, we value (yes, forgive the tautology) long-term and trusting relationships with customers. Need to update Magento? We'll update it. Need to fix a bug on a site urgently? We'll do it, even if we have to wake up in the middle of the night. So do not be afraid to invest in your own security; trust this business to professionals.
