How Travers+Todd dealt with a hacked Magento 1 shop

A few months ago, our partner Travers+Todd, dealt with an interesting challenge: a merchant came to them after getting their Magento 1 site hacked and their developer was nowhere to be found… We asked Michael Travers Lee, co-founder of the development agency from the US, what steps Travers+Todd had taken to resolve the hacked Magento 1 shop and he was happy to share more details.

Security issues always come by surprise

Travers+Todd, had been in discussions with the merchant to help bring their Magento 2 shop design to life. Michael happened to have an email from the merchant one day, where they alerted him to a breach American Express (AMEX) reported to them earlier that morning. Michael: “We’ve dealt with a lot of sites that have been breached/hacked (thankfully none we built), and given we’ve also built three, secure enterprise healthcare web applications, I had some initial hunches as to where to look. Usually, breaches can be broken down to two core areas: code (i.e. filesystem breach) or content (i.e. database breach).”

Closing in on the breach using MageReport

Michael: “With a database breach, given AMEX reported they had several dozen credit card reporting frauds, it suggested the possibility that the database was dumped and perhaps dropped onto the dark web. But the merchant indicated that customers they personally spoke to indicated that the fraudulent activity occurred almost immediately after purchasing on their site. That suggested less of a one-time dump and more of a real-time attack.”

“Scanning the codebase didn’t reveal anything, so after some sleuthing on how best to do a broad vulnerability scan, I came across your fantastic MageReport! It listed several (too many) unpatched issues (again, we had not been their dev partner at that point), some of which related to server issues with the hosting environment. But one key finding in the MageReport was an entry labeled “Credit Card Hijack detected?” This immediately seemed like the kind of issue that would allow real-time hacking.”

About MageReport
MageReport is a free service created by Hypernode to give you a quick insight into the security status of your Magento shop(s) and how to fix possible vulnerabilities.

Localising the culprit in Magento

Michael: “Hopping into the Admin area of Magento, I went into the System area to find places where custom code can be injected into pages (such as the header or footer) and almost immediately found what was unmistakably the culprit. Up until that point, I had only read about the kinds of security attacks I was looking at, but the moment I saw the signature of the code it was 100% clear that it was the issue. Removing it was easy, but determining how it got there was difficult. Given we didn’t have carte blanche with how much time we could devote to forensics, I felt there were two things we could immediately do for the backend: 1.) delete all users who no longer need access, especially admin access, and 2.) change the main admin password.”

“The hack itself was disgustingly simple. Malicious Javascript in the Admin area was injected into every page on the site. The code itself looked for changes in form fields related to billing (credit card number, expiration, billing address, etc), and on each keystroke where someone would be typing their information on Checkout, the data was being taken from those fields and sent to a malicious server we could easily see. So simple and so evil.”

A happy Hypernode ending

Michael: “Since then, we moved the site to a more secure and performant hosting provider (um, can anyone say Hypernode? :), and we’ve of course patched the vulnerabilities MageReport found. And it’s probably worth adding, the merchant is now a client of ours and we’ve moved ahead doing work to get their Magento 2 shop going. So all is well now and we’ll soon be launching their M2 shop on a new Hypernode. :)”