Attackers are searching for online store backups in public folders. Can they find yours?
Too many online store administrators are storing private backups in public folders and exposing database passwords, secret API keys, administrator URLs and customer data to attackers who know where to look.
“Exposed secrets have been used to gain control of stores, extort merchants and intercept customer payments,” say Sansec threat researchers.
Searching for exposed backups
The researchers have analyzed 2037 online stores of various sizes and running of various e-commerce platforms and found that 250 of them (12%) stored archive files in the public web folder, accessible to all.
“We collaborated with some of our largest hosting partners, so I believe the sample group is representative of the global population,” Sansec founder Willem de Groot told Help Net Security.
“Besides testing for backup files (sql/zip/tar), we tested whether the files were actually available over the web. We used HTTP HEAD requests for that, so we could assert the actual file size without downloading the backup archives.”
Unfortunately, cyber criminals can do the same thing – and they do.
“We have observed automated attacks against online stores, where thousands of possible backup names are tried over the course of multiple weeks. The attack includes clever permutations based on the site name and public DNS data, such as /db/staging-SITENAME.zip,” the researchers explained.
“Because these probes are very cheap to run and do not affect the target store performance, they can essentially go on forever until a backup has been found. Sansec found multiple attack patterns from dozens of source IPs, suggesting that multiple actors are working to exploit this vulnerability.”
What to do?
Whether by mistake, due to inattention or just a lack of knowledge, some backups may end up in public folders, and online store admins would do well to check whether they are part of that statistic.
If backups were exposed, web server log files can show whether they were downloaded. If they have, admins should immediately check for unauthorised admin accounts, change passwords (admin, SSH/FTP account, database), and check for data-stealing plugins, injected malware or web skimming scripts.
In general, important accounts should have multi-factor authentication switched on and remote database administration panels should not be exposed to the internet.
There are also ways to make sure to avoid exposing backups in the future, and they include actions such as configuring one’s web server to restrict access to archive files and scheduling frequent backups so ad-hoc backups are avoided as much as possible.