eCommerce Risk with Exposed Admin Login Panels

Our latest eCommerce ThreatScape Report showed that over 22,000 eCommerce sites were hacked with digital skimmer or digital loader malware designed to steal payment card data from the eCommerce websites' clients.

Through our experience as a part of the Foregenix forensic practice we are also aware of the issues that are consistently present in hacked eCommerce sites - one of those issues is that the login panel for administration of the sites is often left publicly and easily accessible, either through easy to guess URLs (like www.yoursite.com/admin) or unpatched vulnerabilities.

While this is not an immediate threat, an exposed and obvious administrative login panel can make it significantly easier for attackers to breach the site, especially if access controls are limited to username and password combinations alone. This situation allows for simple brute force attacks, signing in with compromised credentials/obtaining credentials, or in the case of unpatched systems, access by exploiting vulnerabilities. Even in cases where the admin login panel URL is complex and hard to guess, path disclosure vulnerabilities can be used to locate it.

In analysing the data in our latest report, we discovered that nearly 1,800 of the hacked sites we detected in the last scan had their admin login panel in the default location, making a brute force attack on these sites simple to execute and classing them as "low-hanging fruit" for criminals.

We recommend 3 steps to reduce risk of attack via the admin login:

1. An immediate way of reducing the risk of this type of attack is by obscuring and restricting access to the admin login panels. In the case of Adobe Commerce/Magento 2 the admin panel location can be changed within the env.php file and within the local.xml file for Magento 1 (and, unfortunately, yes we still see MANY Magento 1 sites getting targeted and compromised by criminals).
2. Restricting access so that only whitelisted IP addresses can access the login page, which can be done through access configuration files (.htaccess for Apache servers and nginx.conf files for nginx servers) or by using a Web Application Firewall.
3. Multi-Factor Authentication is the 3rd recommendation and will provide a huge return in terms of risk reduction.  As annoying as these may be (as we are often told by our developer partners :-)), implementing multi-factor authentication can provide significant security benefits and can be a very low/no cost solution to significantly reducing risk for your eCommerce website.  

If you are unsure about what your website's current risk exposure may look like, please use our ThreatView Community service - a free website security scanner incorporating all of our forensic experience and malware fingerprints.  

You can get access here:

CHECK YOUR SITE SECURITY

‍