Idiot e-tailers falling for fake patch that exploits year-old Magento hole Malware researcher Denis Sinegubko says attackers are compromising and stealing credit cards from online shops that run on eBay's Magento platform by masquerading as an applied patch for a nasty bug in a bid to hide from admins. The dangerous "shoplift" bug patched last year is a remote code execution hole that turns hackers …
I like this part: "The malware will harvest customer credentials and credit cards using different components, encrypting the data immediately before it is woven into a realistic-looking jpg."
I don't quite feel that e-tailers are idiotic here. Social engineering ain't exactly something people are good at detecting even after they've been trained. Repeatedly. Humans are usually inclined by nurture to be cooperative (ignoring nature). I'd say they're being human.
Inclined to agree with human comment, after all this is why society works and what used car salesmen are trained to abuse.
Should've patched from the sources etc., but in a world where people click on a line drawing 'get a flatter x or bigger y with one wierd tip' adverts, we know people are gullible.
The internet used to be like the Wild West, real frontier land, now it's like Vegas.
..... is that the researchers and the journalists rarely give any info that will be useful to me, to help me avoid having my cc details stolen.
OK, so there are lots of sites that are vulnerable - how can I tell when I'm shopping online if that applies to the one I'm currently looking at?
Without that information, this article is useless to me.
It's hard to usefully give that info. Magento is very popular, so there are tens of thousands of sites that use it. As a result it's not practical to give a list of affected sites, not to mention the possibility of legal threats or action if someone publishes a list of vulnerable sites.
The usage of Magento is detailed here (linked from the report):
http://w3techs.com/technologies/details/cm-magento/all/all
It's also hard for an individual user to determine whether a given site is vulnerable - the w3 analysis site uses a lot of aggregate data:
http://w3techs.com/faq
Only websites that prefer to take card details on their page or via iframe, instead of redirecting customers to payment vendor secure page are affected by this hack. And in those scenarios they should be compliant with PCI-DSS. Unless hackers would send you to a fake payment processing page, like pay.poopal.com.
So watch the URL and use credit card instead of debit for online purchases, as banks resolve fraud issues quicker with money that belongs to them.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
