Cybersecurity Insights | Blog | Foregenix

How to Recover from Magento Shoplift Attacks: A 4-Step Guide

Written by Benjamin Hosack | 6/12/15 3:28 PM

UPDATED June 2023 - we're still seeing Shoplift attacks. Please be aware.

This is a simple overview of what the Shoplift problem is and how to regain control of your website.

Since Check Point Technologies announced the critical vulnerability – known as Magento Shoplift (SUPEE-5344) – we have been contacted by a significant number of online businesses that have been compromised through this vulnerability.

How do you recover control of your online business?

Firstly, you need to understand what Magento Shoplift is so that you can devise a strategy to secure your online business.

What is Magento Shoplift?

Magento Shoplift is a vulnerability that allows unauthenticated users to access administration pages on the website – and to exploit certain of those pages via SQL injection.

What does this mean?

It means that with this level of access, an attacker can perform admin functions, such as:

  • Adding new users.
  • Altering product data.
  • Altering the website (see our short video on redirected payments and the compromise we illustrate in there).
  • Stealing your customers' personal data (email addresses, telephone numbers, account passwords, addresses, credit card data).
  • Setting your website up as a malware distributor, or worse.

In short, if you have been affected, you need to act now, as the effects could be hugely damaging to your brand and finances.

These are (mostly) highly effective and focused criminals with a high level of skill and technical capability – they are after your business.

How to Protect Your Online Business from Magento Shoplift Attacks

There are 4 steps you should take immediately:

  • Patch your version of Magento: Magento released the patch (SUPEE-5344) in February 2015; details can be found at: http://magento.com/security-patch
  • Ensure that you build a process to update your Magento installation and third-party modules at least monthly.
  • Inspect your Magento administrator user list for suspicious or unknown users and remove them.
  • Restrict access to the Magento administration area to known IP addresses, using web server configuration or a .htaccess file.

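The two checks that can be scripted, as an added example that is not Foregenix's or Magento's own code: the third step (review the admin user list) and the fourth (restrict the admin route by IP). It assumes a CSV export of the Magento 1 admin_user table (real column names; the rows are constructed), a list of account names you know you created, and a baseline date of 1 February 2015 that is an assumption. The emitted Apache 2.4 and nginx fragments match the request path because Magento 1 serves the admin area through index.php rather than from a directory of its own.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample of a CSV export of
#   SELECT user_id, username, email, created, modified, logdate, is_active
#   FROM admin_user;
# (column names as in the Magento 1 admin_user table; logdate is the last login).
SAMPLE_ADMIN_USERS_CSV = """user_id,username,email,created,modified,logdate,is_active
1,admin,owner@example.com,2014-03-02 10:15:00,2015-01-20 09:00:00,2015-06-11 08:30:00,1
2,shopmanager,manager@example.com,2014-05-11 14:02:00,2014-05-11 14:02:00,2015-06-10 17:45:00,1
3,support,support@example.com,2014-09-30 11:00:00,2014-09-30 11:00:00,,1
4,sys_update,upd@example.net,2015-05-19 03:12:44,2015-05-19 03:12:44,2015-05-19 03:13:02,1
"""

# The accounts the business knowingly created. Maintain this list yourself;
# anything not on it is treated as unknown.
EXPECTED_USERNAMES = {"admin", "shopmanager", "support"}

# Any admin account created on or after this date gets a second look. The
# page dates the patch to February 2015; the exact baseline is an assumption.
BASELINE = datetime(2015, 2, 1)

DATE_FMT = "%Y-%m-%d %H:%M:%S"


def parse_admin_users(csv_text):
    """Parse the CSV export into dicts with datetime fields and a bool is_active."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in ("created", "modified", "logdate"):
            row[col] = datetime.strptime(row[col], DATE_FMT) if row[col] else None
        row["is_active"] = row["is_active"] == "1"
        rows.append(row)
    return rows


def audit_admin_users(rows, expected=EXPECTED_USERNAMES, baseline=BASELINE):
    """Return {username: [reasons]} for accounts that need a human review.

    Three checks: the username is not on the expected list; the account was
    created after the baseline date; the account is active but has never
    logged in (dormant accounts are needless attack surface and should go).
    """
    findings = {}
    for row in rows:
        reasons = []
        if row["username"] not in expected:
            reasons.append("not in expected account list")
        if row["created"] >= baseline:
            reasons.append("created after baseline %s" % baseline.date())
        if row["is_active"] and row["logdate"] is None:
            reasons.append("active account that has never logged in")
        if reasons:
            findings[row["username"]] = reasons
    return findings


def admin_allowlist_rules(cidrs, admin_path="/admin"):
    """Build Apache 2.4 and nginx fragments that limit the admin route to the
    given networks. Magento 1 serves the admin area through index.php (as
    /admin with URL rewrites, /index.php/admin without), so the rules match
    the request path rather than a filesystem directory. admin_path must be
    regex-safe (it is inserted into the pattern as-is)."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]  # ValueError on bad input
    pattern = r"^(/index\.php)?%s(/|$)" % admin_path
    apache = ['<LocationMatch "%s">' % pattern]
    apache += ["    Require ip %s" % n for n in nets]
    apache.append("</LocationMatch>")
    nginx = ["location ~ %s {" % pattern]
    nginx += ["    allow %s;" % n for n in nets]
    nginx += ["    deny all;",
              "    # keep your existing fastcgi/rewrite directives for index.php here",
              "}"]
    return "\n".join(apache), "\n".join(nginx)


if __name__ == "__main__":
    for user, reasons in audit_admin_users(parse_admin_users(SAMPLE_ADMIN_USERS_CSV)).items():
        print(user, "->", "; ".join(reasons))
    apache_rules, nginx_rules = admin_allowlist_rules(["203.0.113.0/24", "198.51.100.7"])
    print(apache_rules)
    print(nginx_rules)
```

The audit only produces leads: an account on the expected list can still have been taken over, so check each flagged and unflagged account's last login against who was actually working that day. `ip_network(..., strict=True)` rejects a CIDR with host bits set, which catches the common typo of pasting a single address with a /24 suffix and accidentally opening the admin to the whole subnet.
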
The attackers have very likely anticipated these steps and installed a web shell or backdoor so that they keep their access even after you complete them.
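
A first pass at finding such a backdoor, as an added example (not Foregenix's FGX-Web and not Magento code): it walks a docroot, flags PHP files in Magento 1 directories that should hold no code (media, var, skin), and looks in every file for constructs that are rare in legitimate Magento code but common in web shells. The indicator list is illustrative, and the mini docroot it builds in a temp directory is constructed for the demonstration; the fixture files are deliberately not working programs.

```python
import os
import re
import tempfile

# Directories of a Magento 1 install that should hold no executable PHP at all
# (uploaded media, runtime data, theme assets). A .php file under one of them
# is suspect regardless of content.
NO_PHP_DIRS = ("media", "var", "skin")

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# Source constructs that are rare in legitimate Magento code but common in
# web shells. Treat a hit as a triage lead, not a verdict: review the file.
INDICATORS = {
    "eval of decoded payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request value called as a function": re.compile(
        r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    "command execution": re.compile(
        r"\b(?:system|passthru|shell_exec|proc_open|popen)\s*\(", re.I),
}


def scan_file(path):
    """Return the names of the indicators that match the file content."""
    try:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root):
    """Walk a docroot and return {relative_path: [reasons]} for suspect files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            top = rel.split("/")[0]
            reasons = []
            if fname.lower().endswith(PHP_EXTENSIONS) and top in NO_PHP_DIRS:
                reasons.append("PHP file under %s/ (should hold no code)" % top)
            # Content is checked for every file, whatever its extension: shells
            # are often dropped as .png or .txt and pulled in by an include.
            reasons.extend(scan_file(full))
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Create a constructed mini docroot in a temp dir for demonstration."""
    root = tempfile.mkdtemp(prefix="magento-scan-")
    samples = {
        "app/code/core/Mage/Core/Model/App.php":
            "<?php\nclass Mage_Core_Model_App { public function run() { return $this; } }\n",
        "skin/frontend/base/default/images/logo.png": "\x89PNG constructed placeholder bytes",
        # Constructed indicator fixtures (deliberately not working programs):
        "media/catalog/product/cache.php": "<?php eval(base64_decode(PLACEHOLDER));\n",
        "errors/processor.php": "<?php $_REQUEST['f'](PLACEHOLDER); system(PLACEHOLDER);\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(path, "->", "; ".join(reasons))
```

Run it against a copy of the docroot taken before any clean-up, and compare the flagged files against a pristine download of the same Magento version: a file that exists in both and differs is worth as much attention as a file that only exists on the server.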

So how do you give your website an “all-clear for business” and ensure you are protected from future attacks?

Install FGX-Web to:

  • Filter all traffic to and from the website – blocking out further attacks and protecting your website when you're late with future patches. If you had this in place before the Shoplift vulnerability, your website would not have been at risk.
  • Place a tamperproof seal on the website – this will tell you when any changes occur on your website. If you made the change – great. If the changes were not made by you, they are likely made by a criminal. If your website has been hacked via Shoplift, then the attackers will be using their access to make changes. FGX-Web will tell you when those changes are made, so you know if you have ongoing issues or not.
  • Daily checks for malware, back doors, web shells. If the attackers have access to your website, they will undoubtedly have loaded a web shell/backdoor/malware to regain access later. FGX-Web will help you to find these web shells/backdoors/malware.
  • Scans for unprotected credit card data.
  • Unlimited support from our security specialist support team.
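
The "tamperproof seal" in the second point is, in substance, file integrity monitoring: hash every file once, keep the result somewhere the web server cannot write, and re-hash on a schedule to see what was added, removed or changed. The following is an added example of that idea (not FGX-Web's code or the product's method): it builds a manifest of SHA-256 digests, skips the Magento 1 cache, session and log paths that change constantly, and diffs a later manifest against the stored baseline. The mini docroot and the changes made to it are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile

# Paths (relative to the docroot, "/"-separated) that change constantly and
# would only generate noise: Magento 1 cache, sessions, logs and reports.
EXCLUDE_PREFIXES = ("var/cache/", "var/session/", "var/log/", "var/report/")


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (minus excluded prefixes) to its hash."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(EXCLUDE_PREFIXES):
                continue
            manifest[rel] = sha256_of(full)
    return manifest


def save_manifest(manifest, path):
    """Write the baseline as JSON. Keep this copy off the web server: an
    intruder with write access to the docroot could otherwise re-baseline."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Report files added, removed or changed since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def demo():
    """Constructed walk-through: seal a mini docroot, change it, compare."""
    root = tempfile.mkdtemp(prefix="magento-seal-")
    store = tempfile.mkdtemp(prefix="seal-store-")  # stands in for off-host storage
    baseline_path = os.path.join(store, "baseline.json")
    _write(root, "index.php", "<?php\n// front controller\n")
    _write(root, "app/etc/local.xml", "<config/>\n")
    _write(root, "var/cache/mage--a", "cached")
    save_manifest(build_manifest(root), baseline_path)
    # Simulated changes: a line injected into index.php, a new file dropped,
    # a config file removed, and cache churn that must not be reported.
    _write(root, "index.php", "<?php\n// front controller\n// injected\n")
    _write(root, "js/extra.js", "// constructed new file\n")
    os.remove(os.path.join(root, "app", "etc", "local.xml"))
    _write(root, "var/cache/mage--b", "more cache")
    return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the first baseline only after the patch has been applied and the admin user review and backdoor hunt are done; otherwise you seal the intruder's files in with your own. Every reported change then needs an owner: a deployment you made, or something to investigate.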

Forensic Assistance – if you need help with any of the above, Foregenix is one of the leading digital forensic teams globally and we can help you.

You can check your website's current security status right now, here: