Web Services Security, E-Commerce Security news, articles & updates| SC Media

Web Services Security, E-Commerce Security

Massive Magecart attacks steal personal data from Magento 1 stores

An automated campaign Magecart campaign against 2,000 Magento stores over the weekend compromised the private information of thousands of customers and may very well be the largest attack of its kind since 2015. The hacks were typical Magecart attacks, but since many of the stores victimized had no prior history of security incidents, “this suggests…

Attackers could exploit flaws in MAGMI Magento plugin to hijack admin sessions

A duo of vulnerabilities discovered in the MAGMI Magento plugin could result in remote code execution (RCE) on vulnerable sites using Magento. The flaws in the Magento database client used for raw bulk operations on online store models were found by researcher Enguerran Gillier, a member of the Tenable Web Application Security Team, according to…

Adobe mends critical code execution flaws in Magento

Adobe this week released a security update fixing four vulnerabilities – two critical – in its Magento Commerce 2 and Magento Open Source 2 e-commerce platforms. The two most significant bugs are identified as a path traversal flaw (CVE-2020-9689) and a Security Mitigation bypass (CVE-2020-9692), both of which can result in arbitrary code execution. The first issue is credited was reported by…

Twitter hack is a reminder of the dangers of unfettered employee access

Twitter’s acknowledgement that a “coordinated social engineering campaign” involving multiple employees was behind a hack of prominent verified accounts raises significant questions as to whether business organizations are implementing effective security controls that limit potential insider threats’ access to back-end administrative tools. The hacking incident — which promoted a cryptocurrency scam and victimized the accounts…

Hackers for Charity

Exposed dating service databases leak sensitive info on romance-seekers

A series of database misconfigurations publicly exposed the personal information and private messages of more than 100 million dating website and mobile app account holders. Independent VPN review site WizCase has reported finding six separate dating sites or apps that each potentially compromised thousands of users due to improper data storage. According to WizCase researchers,…

Magecart skimmed from Claires.com for nearly two months

International retailer Claire’s, whose fashion accessories are popular with tweens and teenagers, was hit with a Magecart scheme that skimmed PPI, including credit card data, for nearly two months. Discovered by researchers at security firm Sansec, the malware injection began on April 20 and stopped on June 13. The skimming began on March 20, the…

Retail & IT Security

Magecart skimmer strikes Fitness Depot at checkout

A Magecart credit card skimmer scheme used on Canadian fitness equipment retailer Fitness Depot’s e-commerce system Feb. 18 affected an undisclosed number of customers requesting either at-home delivery or in-store pickup at one of the company’s 40 stores. A bogus form placed on the Fitness Depot website managed to capture names, addresses, email addresses, telephone…

Test platform leaks Bank of America clients’ Covid-19 PPP loan applications

Bank of America has disclosed that it briefly exposed certain business clients’ Paycheck Protection Program (PPP) applications to outside parties after uploading the documents onto a test platform. The incident bears similarities to the recent news of at least states mistakenly exposing application information related to the Pandemic Unemployment Assistance (PUA) program. Both the PPP…

Next post in Coronavirus