Cybersecurity 101 for Adobe Commerce

Protecting your Digital Storefront: Cybersecurity 101 for Adobe eCommerce

For many, the first months of the year are a time to plan upcoming initiatives and endeavors. Cybersecurity may not be nearly as exciting as new product offerings or integrations that add capabilities, but have you prioritized it throughout these plans?

Cybersecurity is like physical infrastructure: few people get overly jazzed about road construction, yet it’s a necessity. Most consumers probably don’t choose their online retailers by examining your cybersecurity implementation to see how well their data will be protected.

However, data breaches and incidents that earn your digital storefront a poor reputation when it comes to cybersecurity will have your customers speeding away. For Adobe Commerce, what are the top threats and what can you do to protect against them?

eCommerce Cybersecurity—Causes for Concern

There’s a trio of eCommerce cybersecurity statistics released in 2021 that you should know—and if you aren’t already sitting down, you may want to. According to research conducted by cybersecurity company Imperva:

When many people think of cybercriminal activity, scams like “phishing” often come to mind. These attacks remain a threat that will target your staff, but your Adobe Commerce site must be able to identify and deter bot attacks.

One aspect that makes bot attacks so difficult to defend against is their varying levels of sophistication, as the most advanced bots can mimic organic mouse movement and clicks, among other techniques, to evade detection.

Motivations Behind Attack Bots

On top of evasive attack bots, the diverse motivations behind their usage significantly complicate how or what to defend. For example, cybercriminals may use bots to steal or target:

Magecart—A Magento Cybersecurity Example to Learn From

In recent years, one of the most infamous cybercriminal groups to target eCommerce—and Magento (now Adobe Commerce), in particular—has been “Magecart.”

The name, which refers to both the group and the injected code that serves as their standard attack method, is a portmanteau derived from “Magento” and “shopping cart.” The group is best known for one of its most devastating attacks, executed in summer 2020 against online retailers still running Magento 1 despite its then-new status as legacy software.

Upon Magento 1 reaching “end-of-life,” over 2,800 eCommerce storefronts relying on it fell victim to the widespread Magecart attack. In this instance, referred to as “Cardbleed,” Magecart exploited a “zero-day” vulnerability to connect to the admin panel and deliver malware. “Zero-day” refers to cybersecurity vulnerabilities that are unknown to the software provider and support community, or that are known but lack a corrective patch or update.

Once Magento 1 became legacy software and no longer received updates, the hackers struck.

Magecart’s Techniques

Magecart’s techniques generally involve JavaScript (JS) injections—mentioned above as the most common OWASP-defined threat according to Imperva’s statistics. Magecart injections collect payment information via e-skimmers. Some injections rely on bot-driven deployment, and most target third-party payment integrations on eCommerce sites.

After cybercriminals have obtained stolen financial data, their activity often progresses to bot-driven “carding” efforts to determine the information’s viability.

Evaluate Your Integrations and Their Providers

By targeting commonly used integrations, or the “software supply chain,” Magecart can bypass your cybersecurity and compromise your site via third-party connections. All of your site integrations must be thoroughly evaluated before implementation to ensure that both the code and its provider can be trusted.

If you’re an eCommerce business still operating on Magento 1, contact us to discuss migration options to the current 2.4 version for significantly improved cybersecurity.

“Carding” Explained

Carding is the verification method many cybercriminals use to determine whether stolen payment card data can still be used. To do so, the stolen card numbers are used on eCommerce sites, typically via small-value purchases. Criminal activity aside, you stand to suffer from financial and related penalties if your digital storefront is used to perform carding, as hackers will commonly file chargebacks and similar disputes.

Since cybercriminals are attempting to check large card volumes, bots are usually employed to automate carding efforts.

Signs Your Site is Targeted for Carding

If you’ve noticed the following suspicious activity occurring on your eCommerce site, cybercriminals may be using your payment processing for carding:

While some legitimate transactions may superficially resemble carding, having to assess potential false positives is far preferable to risking your site hosting active criminal activity.
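The pattern described above (a flood of small-value attempts, many different cards, a high decline rate, all from one automated source) can be screened for in payment-attempt records. The following is an added example, not code from the original post, from Adobe, or from DotcomWeavers; the field names, thresholds and sample records are constructed assumptions, since real gateway and Adobe Commerce logs differ.

```python
"""Heuristic carding detector over payment-attempt records.

Added example, not from the original post or from Adobe/DotcomWeavers.
Field names, thresholds and the sample records below are assumptions
constructed for illustration; real gateway/Adobe Commerce logs differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed lookback window per source IP
MIN_DISTINCT_CARDS = 5           # assumed: many different cards from one source
SMALL_AMOUNT = 5.00              # assumed ceiling for "small-value" test purchases
MIN_DECLINE_RATIO = 0.4          # assumed: stolen batches decline often

# Constructed sample: (timestamp, source_ip, card_token, amount, gateway_result)
SAMPLE_ATTEMPTS = [
    ("2024-01-15T10:00:01", "203.0.113.7", "tok_a1", 1.00, "declined"),
    ("2024-01-15T10:00:04", "203.0.113.7", "tok_b2", 1.00, "declined"),
    ("2024-01-15T10:00:07", "203.0.113.7", "tok_c3", 1.50, "approved"),
    ("2024-01-15T10:00:09", "203.0.113.7", "tok_d4", 1.00, "declined"),
    ("2024-01-15T10:00:12", "203.0.113.7", "tok_e5", 2.00, "approved"),
    ("2024-01-15T10:00:15", "203.0.113.7", "tok_f6", 1.00, "declined"),
    # Legitimate shopper: one card, a normal basket, one retry after a typo
    ("2024-01-15T10:02:00", "198.51.100.9", "tok_z9", 84.99, "declined"),
    ("2024-01-15T10:02:40", "198.51.100.9", "tok_z9", 84.99, "approved"),
]

def find_carding_sources(attempts):
    """Return {ip: summary} for source IPs whose attempts within WINDOW use many
    distinct card tokens, are mostly small amounts, and decline often."""
    by_ip = defaultdict(list)
    for ts, ip, token, amount, result in attempts:
        by_ip[ip].append((datetime.fromisoformat(ts), token, amount, result))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        # Slide a window starting at each attempt; stop at the first one that trips.
        for i, (start, _, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - start <= WINDOW]
            cards = {r[1] for r in window}
            if len(cards) < MIN_DISTINCT_CARDS:
                continue
            small = sum(1 for r in window if r[2] <= SMALL_AMOUNT) / len(window)
            declined = sum(1 for r in window if r[3] == "declined") / len(window)
            if small >= 0.8 and declined >= MIN_DECLINE_RATIO:
                flagged[ip] = {"distinct_cards": len(cards), "attempts": len(window),
                               "decline_ratio": round(declined, 2)}
                break
    return flagged
```

Flagged sources are candidates for review, rate limiting or bot challenges rather than automatic blocking, which is where the false-positive assessment mentioned above comes in.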

How to Secure Your Adobe Commerce Site—A Quick Checklist

Adobe regards cybersecurity as a “shared responsibility model,” in that digital storefront operators bear certain responsibilities to safeguard themselves.

Guidance documentation regarding cybersecurity best practices for Adobe Commerce / Magento functions as a quick checklist you can follow to better ensure your site’s security:

Periodically running through this cybersecurity checklist and following the Adobe Magento Best Practices Guide will help deter cybercriminals from targeting your eCommerce site. If you need help with secure configuration or implementation, we’re here to help.

Your PCI DSS Compliance

You should keep in mind that, while Adobe lists the above as cybersecurity “best practices,” some are explicitly stated requirements of the Payment Card Industry Data Security Standard (PCI DSS). For example, changing all vendor-supplied security configurations and passwords and partnering with an approved third party to perform quarterly vulnerability scans are both included within the PCI DSS’ 12 Requirements and numerous sub-requirements.

The PCI DSS applies to any organization collecting, processing, transmitting, or storing cardholder data. Therefore, all eCommerce merchants must adhere to the compliance framework. Importantly, regardless of any third-party service provider’s own PCI DSS compliance, your organization also remains culpable should a breach of cardholder data occur—even if the provided service is identified as being at fault.

We can’t stress evaluating your integrations and providers pre-implementation enough.

While PCI DSS compliance efforts may seem burdensome, strict internal enforcement will significantly bolster your Adobe Commerce / Magento site’s security—in addition to helping you avoid non-compliance fines and penalties.

Secure Your Adobe Commerce Site with DotcomWeavers

Unfortunately, cybercrime is all too prevalent, and online retailers are no exception. To best protect yourself, you need to remain up-to-date on the latest threats and vulnerabilities you face, as well as ensure that all cybersecurity measures have been implemented, configured, and continue to operate properly.

Adobe’s own documentation and the PCI DSS compliance framework provide two of the best guidance materials you can reference.

Outside of explicit cybersecurity solutions and services, DotcomWeavers will develop, launch, and support your eCommerce site without exploitable loose ends. Our 14-year track record of success and achievement as a Silver Partner within the Adobe Solution Partner Program (SPP) is a testament to that.
