Magento 2.0 Payflow Pro Hack – How to Fix
Magento is in the news again, not for the right reasons. The checkout was compromised and used to check the validity of stolen card data. A couple of e-commerce stores we manage came under attack too, and we were taken by surprise by the lack of swift support from Magento. I think post 2.0 there was clear evidence that Magento is fast leaving the Community Edition out to fend for itself. The business ethics of moving from open source to SaaS, or the lack thereof, is a topic for another discussion.
The attack and the underlying weakness are well covered at https://www.zdnet.com/article/hackers-abuse-magento-paypal-integration-to-test-validity-of-stolen-credit-cards/, and a few remedies have been suggested for it. One of the immediate consequences of this attack is that PayPal will most likely block your store's IP address: since many of these carding attempts originate from your store, PayPal is well within its rights to cut you off from its gateway.
If you have tried using PayPal support before, you know it can be frustrating. Hence, the following are a few things you can do to try and fix the issue.
- Check your website for the latest updates and patches. You can perform an online check at https://www.magereport.com/scan; it is a comprehensive test and provides a useful checklist of things to fix.
- Use Fail2Ban to block IP addresses that attack the site repeatedly. Install fail2ban first, then add the following jail to /etc/fail2ban/jail.local. It only bans after multiple retries, so use it for "soft" bad behaviour:

```ini
# Only ban after multiple retries; use this for "soft" bad behaviour.
[hn-nginx-retry-ban]
enabled = true
port = http,https
filter = hn-nginx-retry-ban
logpath = /var/log/nginx/access.log
bantime = 7200
maxretry = 10
```

And this in /etc/fail2ban/filter.d/hn-nginx-retry-ban.conf (the file name must match the filter name given in the jail):

```ini
[Definition]
# One failure pattern per line; continuation lines must be indented.
failregex = ^<HOST> .+"POST \S+wp-login.php
            ^<HOST> .+"(POST|GET) \S+/etc/passwd
            ^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s
ignoreregex =
```

- Use a WAF (Web Application Firewall) to prevent such attacks from happening in the future. Just FYI, Magento Cloud comes standard with a WAF, so that is another reason to feel a little sad about your open-source version. However, you can install third-party WAFs like Wordfence etc.
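As an added illustration (not part of the original post), the following Python script applies the three failregex patterns from the fail2ban filter above to constructed nginx access-log lines and reproduces the jail's maxretry counting over a findtime window, so you can check offline what the jail would ban before enabling it. It assumes nginx's default "combined" log format and fail2ban's default findtime of 600 seconds, which the jail above does not override.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The three failregex lines from the filter, with fail2ban's <HOST> placeholder
# replaced by a named group. "\S+" must consume at least one character, so a bare
# "POST /admin/" does not match while "POST /index.php/admin/" does.
HOST = r"^(?P<host>\S+)"
FAIL_PATTERNS = [re.compile(p) for p in (
    HOST + r' .+"POST \S+wp-login\.php',
    HOST + r' .+"(POST|GET) \S+/etc/passwd',
    HOST + r' .+"POST \S+(/downloader/|/downloader/index\.php\?A=loggedin|/admin/index/|/admin/)\s',
)]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")  # nginx "combined" timestamp

def matched_host(line):
    """Return the client address when the line matches any failregex, else None."""
    for pat in FAIL_PATTERNS:
        m = pat.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=10, findtime=600):
    """Mimic the jail: ban a host once it reaches maxretry matching requests inside a
    findtime-second sliding window (600 s is fail2ban's default; the jail sets only maxretry)."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        host, ts = matched_host(line), TS_RE.search(line)
        if host is None or ts is None:
            continue
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
        window = recent[host]
        window.append(when)
        while when - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log lines (not from a real server): one address hits the admin
# login twelve times in twelve seconds, the other makes one GET and one POST.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2018:13:55:%02d +0000] "POST /index.php/admin/ HTTP/1.1" 200 512 "-" "curl/7.58"' % s
    for s in range(12)
] + [
    '198.51.100.4 - - [10/Oct/2018:13:55:01 +0000] "GET /index.php/admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2018:13:55:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Running `hosts_to_ban(SAMPLE_LOG)` on the sample returns only the address that exceeded maxretry; lower maxretry or shorten findtime to see how the jail's thresholds change the outcome.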
- The Magento community has come up with a module that adds Google reCAPTCHA; it has been advised as a good way to block the attack.
Magento still seems to be a good e-commerce engine, but that belief is fast fading; Shopify and BigCommerce are knocking right at the door as credible alternatives with far fewer headaches. If you still want a no-strings-attached relationship, there is WooCommerce, which seems pretty good too.