Unauthorized change of payment methods.
Date: Jan-9-2008
We have recently seen a type of attack affecting Comersus stores
with vulnerable installations. The attacker takes control of the
BackOffice and modifies the payment methods so that customers'
credit card data is captured, presumably for use in subsequent
fraudulent transactions.
Store administrators have contacted us asking whether some Comersus
function changes the configured payment methods automatically.
Comersus does not change payment methods on its own: if the payment
methods of your store have changed without an administrator doing
it, it is very likely that your store has been compromised.
A store that follows the security recommendations published on our
website and in our documentation should not be affected by this
attack.
Details of the attack:
1. The attacker obtains access to the BackOffice by exploiting an old
installation that lacks the security patches for SQL Injection, or
by downloading the database/comersus.mdb file from the web server.
2. The attacker logs into the BackOffice with admin permissions.
3. The attacker changes the redirectionUrl of the online payment
method (if the store has one), so that customers are sent to a page
under the attacker's control that records their credit card data.
4. The attacker later returns to collect the captured credit card data.
5. The attacker decrypts the credit card data.
6. The attacker uses the collected data in fraudulent purchases.
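Step 1 depends on a login query that pastes request values straight into SQL text. The following is an added example, not Comersus code: it reproduces the admin-login check with an in-memory SQLite table standing in for the store's Access/Jet database (the table and column names, the admin row and the helper names are assumptions), runs the same tautology payload against the concatenated query and against a parameterized one, and returns both outcomes so the difference is visible. The payload is chosen to work in Jet SQL too, which has no "--" comment syntax.

```python
import sqlite3

# Constructed stand-in for the store's admin table. The real Comersus
# schema (Access/Jet, SQL Server or MySQL) is not reproduced here; table,
# column names and the sample row are assumptions for the demonstration.
SCHEMA = """
CREATE TABLE admins (id INTEGER PRIMARY KEY, login TEXT, pwd TEXT);
INSERT INTO admins VALUES (1, 'admin', 'S3cretPw9');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def login_concat(conn, login, password):
    """Vulnerable pattern: request values are spliced into the SQL text,
    the way old ASP scripts built queries with & concatenation."""
    sql = ("SELECT id FROM admins WHERE login='" + login +
           "' AND pwd='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_param(conn, login, password):
    """Hardened pattern: the SQL text is fixed and the values travel as
    parameters (the equivalent in Classic ASP is an ADODB.Command with
    ? markers and CreateParameter, never string concatenation)."""
    sql = "SELECT id FROM admins WHERE login=? AND pwd=?"
    row = conn.execute(sql, (login, password)).fetchone()
    return row[0] if row else None

# Tautology payload. It closes the quoted literal and keeps the statement
# syntactically valid to its end, so it works without a comment marker.
PAYLOAD = "x' OR '1'='1"

def demo():
    """Run a legitimate login and the payload through both query styles."""
    conn = make_db()
    return {
        "legit_concat": login_concat(conn, "admin", "S3cretPw9"),
        "attack_concat": login_concat(conn, PAYLOAD, PAYLOAD),
        "legit_param": login_param(conn, "admin", "S3cretPw9"),
        "attack_param": login_param(conn, PAYLOAD, PAYLOAD),
    }

if __name__ == "__main__":
    for name, admin_id in demo().items():
        print("%-14s -> %s" % (name, admin_id))
```

With the concatenated query the payload expands to WHERE login='x' OR '1'='1' AND pwd='x' OR '1'='1', which is true for every row, so the first admin id comes back and the attacker is logged in without knowing any password. With parameters the same text is compared literally against the login column and no row matches.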
Summary of the recommendations you need to implement to avoid
this type of attack:
1. If you are using an Access database, the comersus.mdb file
should not stay in the default comersus/database location, nor
should it be downloadable over the web. You may contact the
tech support of your hosting service to request that the file
be moved out of wwwRoot (and update the store's database connection
string to the new path). Comersus hosting services by default
allow placing the database out of public reach. Another option
to protect the database is to migrate it to MySQL or SQL Server.
2. If you are using a version of Comersus older than v6 (downloaded
in 2004 or earlier), we strongly advise you to update the
database structure and scripts to a more recent version, which
includes new input filtering to prevent SQL Injection. If it is not
possible to upgrade your store because it is highly customized, you
may hire Comersus services to implement security changes based on
your current store.
3. If you have modified or added scripts, verify that they are not
vulnerable to SQL Injection: any value taken from Request.Form,
Request.QueryString or a cookie must be validated, and must be passed
to the database as a query parameter rather than concatenated into
the SQL text.
4. Your installation should not contain any script without a purpose:
if you don't need offline payments, remove comersus_offLinePaymentForm.asp.
Likewise, if your store uses BackOffice Plus, remove all scripts
belonging to BackOffice Lite.
5. Your BackOffice should not be located in the default folder
(/backofficeplus or /backoffice+). If it is, connect through FTP
and rename the folder.
6. BackOffice passwords should be a combination of letters and
numbers of at least 6 characters; longer passwords are better.
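Recommendations 1, 4 and 5 can be checked from the outside with a few HTTP requests. The script below is an added example, not part of Comersus: it probes the default paths named above on a store URL given on the command line, asks for only the first bytes of each resource, and classifies the answers. For the .mdb it looks for the "Standard Jet DB" signature that every Access/Jet database file carries at byte offset 4, because a 200 response with an HTML error page is not the same as a downloadable database. The classification is kept separate from the network code so it can be exercised on constructed responses; the path list and the verdict strings are this example's own.

```python
import sys
import urllib.error
import urllib.request

# Signature present at byte offset 4 of every Access/Jet .mdb file.
JET_SIGNATURE = b"Standard Jet DB"

# Dangerous defaults named in the advisory, relative to the store root.
DEFAULT_PATHS = [
    "database/comersus.mdb",
    "backofficeplus/",
    "backoffice+/",
    "comersus_offLinePaymentForm.asp",
]

def classify_response(path, status, body):
    """Turn an HTTP status plus the first bytes of the body into a verdict.
    Pure function (no I/O) so it can be tested on constructed responses."""
    if status in (401, 403, 404):
        return "ok"
    if path.endswith(".mdb"):
        # 200/206 with a real Jet header: the database can be downloaded.
        # 200 with HTML is usually a custom error page: flag it for a look.
        if status in (200, 206) and body[4:4 + len(JET_SIGNATURE)] == JET_SIGNATURE:
            return "EXPOSED: database file is downloadable"
        return "check manually: status %d without Jet header" % status
    if status in (200, 206, 301, 302):
        return "EXPOSED: default location responds"
    return "check manually: status %d" % status

def fetch(base_url, path, max_bytes=64):
    """Fetch only the first bytes of a resource. Redirects are not followed,
    so a 302 from /backofficeplus/ to a login page still counts as present."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes the opener raise HTTPError with the 3xx code
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(
        base_url.rstrip("/") + "/" + path,
        headers={"Range": "bytes=0-%d" % (max_bytes - 1)})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.read(max_bytes)
    except urllib.error.HTTPError as err:
        return err.code, err.read(max_bytes)

def audit(base_url):
    """Probe every default path and return {path: verdict}."""
    return {p: classify_response(p, *fetch(base_url, p)) for p in DEFAULT_PATHS}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s https://your-store.example" % sys.argv[0])
    for path, verdict in audit(sys.argv[1]).items():
        print("%-36s %s" % (path, verdict))
```

Run it against your own store only. An "ok" on /database/comersus.mdb means the web server refuses to serve the file, which is what moving it out of wwwRoot (or a proper deny rule) should produce; a renamed BackOffice folder should give 404 on both default names.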
If your store has already been compromised:
1. Implement all the above-mentioned security recommendations.
2. Change your encryption key, and change all customer and admin
passwords. BackOffice Plus provides a utility to reset all store
passwords at once.
3. Alert customers whose credit card data may have been captured.
4. Check for changes to discount codes, bonus points, prices, stock
or any other record that matters to your installation.
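The first record to check is the payment-method table itself, and the most reliable way is to compare the current rows with a known-good export. The following is an added example, not Comersus code: it takes constructed payment-method rows (only the column name redirectionUrl comes from this advisory; the table layout, ids, names and URLs are assumptions) and a baseline captured before the incident, and reports every method whose redirect target changed, was added, or was removed, plus some signs of a capture page: a plain-HTTP target, a bare IP address, or a host that merely contains a legitimate processor's host name.

```python
from urllib.parse import urlsplit

# Known-good export of the payment methods, taken before the incident.
# Constructed data; ids and URLs are assumptions for this example.
BASELINE = {
    1: "https://www.paypal.com/cgi-bin/webscr",
    2: "https://secure.gateway.example/pay",
}

# Constructed rows as they might be exported from a tampered store.
CURRENT_ROWS = [
    {"id": 1, "name": "PayPal",
     "redirectionUrl": "https://www.paypal.com/cgi-bin/webscr"},
    {"id": 2, "name": "Gateway",
     "redirectionUrl": "http://203.0.113.7/pay/collect.php"},
    {"id": 3, "name": "Card",
     "redirectionUrl": "https://secure.gateway.example.attacker.example/pay"},
]

def check_row(row, baseline):
    """Return the reasons a payment-method row looks tampered with; an
    empty list means it matches the baseline and shows no warning sign."""
    url = row.get("redirectionUrl") or ""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    expected = baseline.get(row["id"])
    if expected is None:
        reasons.append("method not present in baseline")
    elif url != expected:
        reasons.append("redirectionUrl differs from baseline")
    if url and parts.scheme != "https":
        reasons.append("card data would be posted over plain HTTP")
    if host and all(label.isdigit() for label in host.split(".")):
        reasons.append("redirect target is a bare IP address")
    # Lookalike: a host that contains a legitimate host name but is not it.
    for good_url in baseline.values():
        good_host = urlsplit(good_url).hostname or ""
        if good_host and good_host != host and good_host in host:
            reasons.append("host mimics %s" % good_host)
    return reasons

def audit_payment_methods(rows, baseline):
    """Map each suspicious method id to its reasons. Methods that vanished
    since the baseline are reported too: a deletion is also a change."""
    report = {}
    for row in rows:
        reasons = check_row(row, baseline)
        if reasons:
            report[row["id"]] = reasons
    for missing in set(baseline) - {row["id"] for row in rows}:
        report[missing] = ["method removed since baseline"]
    return report

if __name__ == "__main__":
    for method_id, reasons in sorted(audit_payment_methods(CURRENT_ROWS, BASELINE).items()):
        print("method %d: %s" % (method_id, "; ".join(reasons)))
```

The same baseline-versus-current comparison applies to the discount-code, bonus-point, price and stock tables mentioned above; only the per-row warning signs differ.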
Security Check
If you have doubts about the security status of your installation,
you may want to hire the Comersus Security Check. In this service a
Comersus technician connects remotely to your server and runs a
series of tests to determine whether the store has the minimum
security measures required to operate. The result is a report on the
current status of the installation with step-by-step recommendations
for fixing the issues found. Bear in mind that not having noticed an
attack does not mean one has not already taken place.
Contact us to request more information on Security Check...