Online skimming: 1,000 German online shops affected

The Federal Office for Information Security (BSI) has information that at least 1,000 German online shops are currently affected by online skimming. Cyber criminals exploit security vulnerabilities in outdated versions of the shop software to inject malicious code. This code then spies out customers' payment information during the ordering process and transmits it to the perpetrators. The affected online shops are based on the widely used Magento software.

The injected code and the associated data outflow are usually not visible to users. The BSI currently has no information about the extent of the payment data already siphoned off through these attacks.

Based on an analysis carried out by a developer of security tools for Magento, almost 6,000 online shops affected by online skimming were identified in September 2016, including several hundred shops run by German operators. CERT-Bund thereupon informed the respective responsible network operators in Germany of the affected online shops. According to current findings, many operators have still not removed this infection, or their servers have been compromised once again. The vulnerabilities in Magento exploited by the attackers were apparently not closed by the shop operators despite existing software updates. This allows cyber criminals to continue to spy out payment data and other personal data that customers enter when ordering. As a result, the number of currently known affected online shops in Germany has risen to at least 1,000.

Today, the BSI's CERT-Bund has again informed the responsible network operators in Germany about the affected online shops in their networks and asks providers to forward the information to their customers (the shop operators).

"Unfortunately, it is still apparent that many operators are very negligent in securing their online shops. A large number of shops run with outdated software versions that contain several known security holes," explains BSI President Arne Schönbohm. "Operators must live up to their responsibility for their customers and secure their services quickly and consistently."

Liability of the shop operator

Under Article 13(7) TMG, operators of online shops are obliged to protect their systems against attacks in accordance with the state of the art. A basic and effective measure for this is the regular and prompt installation of available security updates.

The BSI points out that the obligation to secure systems applies not only to companies but also to all other commercial operators of websites. This also includes, for example, websites of private individuals or associations if their operation is intended to generate income on a permanent basis. This is already assumed if paid advertising in the form of banners is placed on the websites.

Operators of online shops based on Magento can use the free service MageReport to check whether their shop system has known security holes and is affected by the current attacks. Detailed information on how to fix each detected problem is provided.
