No software is safe from getting hacked. eCommerce software can be wide open to certain types of mass attacks as stores are generally set up on platform templates.

A good example of such a mass attack is a recent incident in which 90,000 osCommerce stores were hit, a report by Armorize claims. Attackers managed to inject dangerous code that could potentially harm shoppers.

By exploiting a bug in the client software (Internet Explorer, Adobe PDF and others), attackers could inject crafted JavaScript into osCommerce code and remotely execute a file that would infect the shopper’s system.

Sounds like a nightmare? It sure is for the retailers who don’t respond to such threats rapidly. Getting blacklisted by Google (as a dangerous page) and/or having your e-commerce site discredited in web browsers (through red alerts) can make you lose all customers and credibility.

If such embarrassment isn’t enough, you could potentially face litigation over the damage the worm could inflict on the victim’s computer. After all, it is you who shared the malware.

Users of the OpenX ad server platform faced a similar yet more serious problem. Malicious code was injected into all pages that featured their ad codes.

What steps should be taken after a breach?

While osCommerce developers released and suggested an upgrade to the latest version, OpenX wasn’t patched for quite a while. Not all open source software is updated regularly, and not all software is equally safe.

If your site is detected to be spreading malware, it will automatically be marked as an Attack Site. Do you really want this message to be seen when someone enters your website?

Many entrepreneurs enter the e-Commerce world with a clear focus on the business and profit aspects (and that’s good) but appear to neglect technology and basic protection against worms and malware (and that’s definitely not good).

Technology is a lot like insurance. Most of the time you shouldn’t worry about whether you have it, and choosing secure technology for your e-Commerce site should minimize the risk of having your site compromised.

e-Commerce safety is much more than just simple SSL and payment gateways (which ensure you don’t have to store and manage credit card details).

Here is a checklist that should help you minimize your exposure to malware.

  1. Is the software you are using constantly updated and upgraded (check update release frequency and release dates)?
  2. Does the software vendor offer commercial support (even if it’s open source)? Do any third parties offer commercial support, or can support and maintenance be purchased from the experts?
  3. Does the tech support include regular updates and upgrades (according to the vendor’s security changelist) and backups?
  4. If your budget allows it, does the tech support include an SLA (e.g. 6 hours for critical errors)?
  5. Does your software have a good reputation among developers?
  6. Is the data backup schedule and storage appropriate (error and exploit discovery usually takes days, so you need to be able to restore the system to the correct previous state)?
  7. Have you performed a security test on your e-Commerce site? Basic penetration testing (XSS, CSRF, SQL Injection) is rather simple and can be automated.

These simple steps will help you improve your business’s online security. They are often used as a basis by IT teams in emergency situations on large projects.

Just as in life, you can’t eliminate all the danger, but it’s good to at least be aware of it. Security awareness is a good start, so it’s important that you sit down and have a chat about security with your IT team.

Are you interested in learning more about the security of your online store? Contact us for more info!  

Piotr Karwatka

CTO at Divante eCommerce Technology Company. Open-source enthusiast and life-long builder. Co-founder of Vue Storefront and Open Loyalty. Now gathering engaged communities around new technologies.