Attention SunShop Users,

It has come to our attention recently that there are certain activities popping up within the SunShop user community. Many individuals are seeing and reporting suspicious activity within their SunShop installations, specifically with regards to the "Carding" issue outlined below. Because of this, we wanted to take some time to go over various things to look for to ensure that your SunShop installation and your user’s information is secure.

1. Carding Attempts:

What is Carding?

Front-End Carding happens at your checkout. The fraudster is trying to purchase something from your store, and running through a laundry list of credit cards until one works. Their personal information stays the same, the purchase amount doesn’t change, but the credit cards information changes.

How do I detect Carding?

Most of the time a shop owner is unaware of these attempts as they rarely make it through as an actual order. In most cases, your credit card processor will contact you and let you know that multiple attempts have been made against your merchant account and in some cases they will charge you a fee for these attempts if they are very large in number. In some cases your processor will disable your account until something is put into place to prevent these repeated attempts.

What can be done to prevent Carding?

Recently within SunShop 4.5.2 and later, we have enabled the ability to place a captcha at the checkout verification level. In the case of "Google Recaptcha v2", it is minimally intrusive and only requires the checking of a box as to not prevent your customers from ordering quickly. If you are processing cards directly on your site using SunShop, we highly recommend that you enable this feature to prevent such Carding attacks.

2. Unauthorized Admin Access

Although this type of security risk is becoming more and more unlikely with the new features recently added into SunShop, we are still receiving reports here and there from customers seeing suspicious activity that would point to this type of compromise.

What are they after?

Generally speaking, when an attacker is trying to get access to your admin area, they are usually after sensitive customer information such as credit card numbers. Although you may not store credit card information if you use a payment processor, keep in mind that the attacker can turn that feature on once they have access to your admin area. Be sure to read below to ensure that your install is secure.

What should I look for?

First, ensure that if you are using a real-time payment processor to process credit cards that you are not storing customer credit card information. You can do this by navigating to the following area.

Settings -> Manage Settings -> Payment Settings

Under the "Payment Methods" tab, click on the "Settings" for the Credit Card payment method module. Make sure that "Store Card Details" is set to "No" and that "Store CVV2" is still blank. If "Store Card Details" is set to "Yes" and "Store CVV2" is set to "agree" and you did not put these values in, the odds are that your admin area has been compromised.

Secondly, ensure that there are no malicious files on your server that should not be there. Generally this is hard to determine, but in most cases you can simply note the "File Alerts" tab that displays on the SunShop admin dashboard. In recent findings, we have seen many instances of inbex.php (Notice the "b" instead of the "d") files popping up on SunShop servers. There may be other files on your server that should not be there and if you are unsure, you may open a ticket to have us look at your files.

It is important to keep in mind that admin access is necessary to upload these "rogue" files and that in versions as recent as 4.5.0 we have blocked the ability to upload these files from the SunShop admin interface. It became apparent that this was necessary as admin areas were being access without authorization.

In cases where files have been uploaded to your server, it is important to be weary of a compromise to actual SunShop file integrity as well.

What can I do to resolve compromised admin access?

If you are seeing any of the above signs of compromised access, odds are that you are running an older version of SunShop or perhaps you were at some point but never caught the signs previously. Securing your SunShop installation is still very possible provided that you follow the steps outlines below.

Step 1: Remove any compromised or rogue files from your server. This step is very important as even with password changes, in most cases a back door is left in order to gain access again down the line. We will assist in scanning for files that do not belong in most cases, even if your support is expired.

Step 2: Change all passwords across your entire server. This includes FTP, hosting control panel, database, email and all SunShop administration accounts. In most cases this is sufficient enough as the attacker most likely gained access to a compromised password at some point.

Step 3: Consider upgrading to the latest version of SunShop especially if you are running a version prior to the 4.5.0 release. We realize that upgrades can sometimes be a task when customizations are involved but it is important to stay up to date with the changing technology and PHP versions. We also offer an upgrade service to assist in minimizing downtime.

What steps has SunShop taken to prevent unauthorized access?

In recent versions we have implemented new features to access in stopping unauthorized access to the SunShop admin area. This includes the addition of an admin login notification when a new IP address accesses an account. An email is sent to the email address of the admin account holder to ensure they are aware of the access. Additionally, a new admin login log has been created so that a list of login times and IP address used to access those accounts is now available. Information such IP address physical location, ISP provider and other useful information is displayed in that log as well to help determine if the access was authorized or not.

We have also added a new variable to the config.php which will completely bypass the ability to store credit card information or toggle that setting at all from the admin interface. This new setting will act as a kill switch for storing credit card data and minimize your liability when using a real-time credit card payment processor.

Keep in mind that we also have other security features in place from much older versions of SunShop as well that can be useful in these situations. More specifically, the file change scanner available in the security settings as well as the htpasswd security setting. See the section below for more information:

Settings -> Manage Settings -> Security Settings

How to can I get help?

If you should need assistance with any issues related to admin access security, please feel free to contact support. We will assist anyone with the above unauthorized admin access related tasks no matter what your support status is. Please feel free to contact us at support@twt-inc.com or open a ticket at http://www.twt-inc.com/support-redirect.html



Tuesday, March 21, 2017







« Back