With the approaching end-of-life date for Magento 1 security patches, it might come as no surprise that hackers are already identifying and exploiting vulnerabilities in the system. But the latest threat isn’t, persay, new. The threat is three years old.
The Magmi plugin was popular for many Magento-built stores, as it allows for easy mass import of products. But a new hole in that plugin’s structure may allow the right hacker to place malware on your site. The malware is used to perform, what the FBI calls, web skimming. Think about similar physical technology that was popular with thieves at gas pumps over the last 5 years. A user would swipe and never know a ‘skimmer’ was in place. The result was a successful transaction, while also giving your credit card information to the thieves.
The simple fix: update the plugin. Magmi 0.7.23 is said to fix the vulnerability. But even still, this is only a vulnerability as it relates to Magento 1. So those already on Magento 2 can rest easy. But don’t take this too lightly. If you might be at risk, you need to take steps now to prevent future risks. Magento 2 will do it or alternative options are possible, including malware-detection software and changing to a more secure, up-to-date host.
And why is this important, especially when a simple update will solve the problem? Because this is the first of many to come. As Magento 1 support ends, more and more hackers will create ways around the established barriers. So you need to react and protect your store Magneto 1 store while you are still on it.
The biggest thing that will be missing when Adobe drops Magento 1 support is the patches. Patches, as the name would indicate, are fixes for possible system holes (or what most call vulnerabilities). In this case, those patches were coming from the system designers themselves. Over the years, they have created many patches that have made M1 sites very secure and safe, getting better with every released fix. But what we always see when systems go to end of life, is that criminals swoop in and work harder than ever to find and exploit issues we didn’t know were there, especially while ‘no one is watching’.
As a result, you will see many development firms and content creators online saying you have to switch platforms to survive. And while that is the safest solution, it is not the only solution. Companies like Mage One have found their way into the Magento mainstream by helping companies stay on their Magento 1 stores by continuing to build and release patches for their customers. They have also found ways to create Magento community engagement through a bounty program for vulnerabilities. Essentially, they will pay people who discover holes that they can fix with a patch. This is a great way to ensure everyone in the space is working together.
Malware is one of those broad industry words that simply means malicious software. This can happen in the form of someone taking over a site and holding it ransom (known as ransomware), as well as many other things. Generally speaking, every site on every platform should be concerned with malware as the right hacker can find a way to use it against your site. But the end of life products become especially vulnerable because hackers focus more on it then, finding new ways to ruin your day, and then finding everyone like you and performing the same attack on them.
Thankfully, there are many ways to protect, or at least detect then remove malware. Our go-to service tends to be Sucuri. Under their plan, your site will get regular scans for malware which you will then be notified about. They can even remove the threat. Ultimately, any level of protection is better than nothing.
Talk to your hosting provider or start researching new ones. Many hosts are already or starting to provide Magento 1 support as part of their offering. We have strong relationships with Nexcess, MageMojo, and JetRails, all of whom provide this type of support.
Feel free to call them directly or connect with us first for a fast track. The time is now, so don’t hesitate.