Websites Infected with Card-Skimming JavaScript Fail to Respond to Warnings
Last updated July 6, 2021
The 1.x branch of the Magento e-commerce platform is about to reach end-of-life (EOL), as Adobe hasn’t moved the date any further than tomorrow. When an EOL for Magento 1.x was first announced, it was scheduled for November 2018. This was three full years after the release of version 2.0, so the open-source project felt that it was time to move on. Adobe acquired Magento in May 2018 and figured that there were still too many websites relying on the version that was about to be sunsetted. And so the EOL was extended to June 30, 2020, with the hope that webshop admins would hop to the 2.x branch by then.
This ample amount of time didn’t help much, though, as about 75% of all Magento stores are still running 1.x. This means that roughly 110,000 online stores are using software that will be considered obsolete and won’t get any more security updates. At this point, it would be practically impossible to set up a new store and migrate all data there quickly enough, as this should have been done months ago, if not even earlier. What these shops should do now is to act responsibly and pause their commercial activities until they have set up a secure platform.
The risks for these outdated stores and their visitors are obvious and involve hacking attacks that exploit known or unknown vulnerabilities. People who have been monitoring the dark web forums for Magento vulnerabilities report that actors have paused working on finding new ones until the EOL is officially reached. This will clear up the target lists and provide the necessary certainty for exploits’ effectiveness. Adobe released the last security updates for Magento Commerce and Magento Open Source 1.x on June 22, 2020, and warned that these were the final patches for these editions, but you never know. The affected versions mentioned there are Magento Commerce 1 version 1.14.4.5 and earlier, and Magento Open Source 1 version 1.9.4.5 and earlier.
So, what can we, the users, do to protect ourselves from having our credit card details skimmed on these vulnerable sites? Unfortunately, there isn’t a lot that you can do, and an upcoming wave of attacks against Magento 1.x platforms should be considered a fact now. Mastercard and Visa have also sent warnings to the owners of online stores that are still running the deprecated Magento version, but we reckon this won’t change much. In general, slow page loads, slow checkouts, and poor support for mobile platforms are an indication that you’re visiting a Magento 1.x site.