We’ve been monitoring elevated hacker activity over the last 24-48 hours that has been aimed at compromising Volusion stores. To best protect your business, here are a few things you should know about these attempted attacks:
What do the attackers want?
These attacks are aimed at gaining unauthorized access to a webmaster account in your store.
How do they get an account to attack?
The attackers attempt to guess or obtain your administrator email address from contact pages (such as <your-store-domain>/aboutus.asp). Any account that is linked to your store could be used in this attack.
What kind of attacks are they?
The attackers use what’s known as a “brute force attack” to gain access to a store account. Learn more about brute force attacks here. Basically, they use tools to automate hundreds (sometimes thousands) of login attempts with a list of common passwords. They’re hoping that one of these simple “guesses” will be correct and give them access to your account.
What happened?
Since Volusion has an account lockout policy in place for administrative accounts, once the attack causes an account to fail to log in multiple times, the account will be locked out and you’ll receive an email notifying you of the lockout.
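An added example, not Volusion's code: the lockout rule described above applied to a login log, reporting which accounts would be locked and which source addresses drove the failures. The log format, the threshold of 5 failures and the 10-minute window are assumptions; the page does not state Volusion's actual values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; the page does not give the real thresholds.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)

# Constructed sample log, one attempt per line: timestamp account source-ip result
SAMPLE_LOG = """\
2024-05-01T02:00:01 owner@example.com 198.51.100.7 FAIL
2024-05-01T02:00:02 owner@example.com 198.51.100.7 FAIL
2024-05-01T02:00:03 owner@example.com 198.51.100.9 FAIL
2024-05-01T02:00:04 staff@example.com 203.0.113.5 FAIL
2024-05-01T02:00:05 owner@example.com 198.51.100.7 FAIL
2024-05-01T02:00:06 staff@example.com 203.0.113.5 FAIL
2024-05-01T02:00:07 owner@example.com 198.51.100.7 FAIL
2024-05-01T02:00:08 owner@example.com 198.51.100.7 FAIL
2024-05-01T02:01:00 staff@example.com 203.0.113.5 OK
2024-05-01T09:00:00 staff@example.com 203.0.113.5 FAIL
"""

def parse(line):
    ts, account, ip, result = line.split()
    return datetime.fromisoformat(ts), account.lower(), ip, result == "OK"

def find_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {account: (lock_time, source_ips)} for accounts that hit the threshold."""
    recent = defaultdict(deque)  # account -> (timestamp, ip) of failures inside the window
    locked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, ok = parse(line)
        if account in locked:
            continue  # already locked: later attempts are rejected outright
        fails = recent[account]
        if ok:
            fails.clear()  # a successful login resets the failure counter
            continue
        fails.append((ts, ip))
        while ts - fails[0][0] > window:
            fails.popleft()  # drop failures that have aged out of the window
        if len(fails) >= max_failures:
            locked[account] = (ts, sorted({src for _, src in fails}))
    return locked

if __name__ == "__main__":
    for account, (when, sources) in find_lockouts(SAMPLE_LOG).items():
        print(f"{account} locked at {when.isoformat()} after failures from {sources}")
```

The second account is not locked because its failures stay under the threshold and a successful login resets the count, which is the difference between a mistyped password and an automated guessing run.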
Is there anything else I need to know?
In addition, the attackers may create several shopper accounts using legitimate-looking usernames, for example:
Be aware that the attackers may try to trick you into granting admin access to these accounts.
What can I do?
We recommend taking the following steps to protect your store from these and other attacks:
- Make sure that all store admin accounts are protected with a strong password. (You’ll find some good strategies for this here.)
- Make sure that any FTP accounts you may have are also protected with a strong password.
- Check your store for recent shopper accounts that appear suspicious.
- Delete or disable all administrator accounts you don’t need or use.
Please don’t hesitate to raise any questions or concerns in the comments, or by creating a support ticket.