August 25, 2016 - Follow Up Letter From CEO On Security
This is follow up to the letter I sent dated August 8, 2016, regarding the security of our website. With the help of our hosting provider and the added assistance of the security team at Customer Paradigm, we were able to identify malicious lines of code hidden deep within our regular checkout system.
The malicious code gave the thief the ability to secretly scrape sensitive credit card data before it was protected and passed from our server via SSL encryption to the issuing bank for processing. I don’t intend for this email to go into detail about how that is possible, although I will give a brief overview along with a link to a 3rd party blog to where this known strategy is discussed in detail. Rather I would like to notify our customers about what we have done to fix the problem and to prevent this vulnerability in the future.
A detailed forensic analysis revealed the malicious code was inserted into a normal system file around January of this year. Because the code resided within a system file on our server, it programmatically “sniffed” sensitive data from the checkout page and then encrypted and concealed it deep within our image folder. The stolen data resided in a file disguised as an image file in a public facing folder so that the thief could pick it up from the server without ever needing access to the server itself. It’s suspected that the thief would extract the data and decrypt it using a key only accessible to them.
This discovery could not have been made without the help of about a dozen loyal customers, who were aware of the initial security notice I sent out, and then discovered their card had been again stolen after we had installed the security patches. The quick response by these individuals with the details of exactly what they experienced, provided us with the information needed to ultimately uncover this threat. Thank you! You know who you are.
Although the banks will protect our customers that have been affected by this thief so they don’t personally incur financial loss, our hearts go out to any of our customers that have suffered from cash flow restraints, lost time, and added stress that accompany dealing with fraud on a bank statement. Personally, my bank card was stolen and I empathize with the frustration and the stress of finding a resolution to that event.
The malicious code has been removed and the 3rd party security team at Customer Paradigm have performed a detailed analysis of every system file that malware software can’t. Our site code is clean and our customers can continue to shop with confidence.
Moving forward, we have implemented a version control software on our server that notifies, both our development team and our executive team, anytime system files are modified and clearly reveals those modifications. System files can only be modified by someone that gains access to the server through the control panel, FTP, SSH, or through an un-patched security vulnerability of Magento. The identity of the thief is unknown and while it may be extreme to cut ties with all of our 3rd party developers, we feel this step was necessary. Immediate future development of our systems and software will occur at a slower pace, but we anticipate we will be running at full speed within 2 to 3 months.
This has been a very tough month for us, but one we’ll no doubt recover from and emerge stronger and more prepared to focus on the reason Jade Bloom exists, to change the way people think about health. I want to personally thank each of you for your patience, your support, your forgiveness, your time, and the love that you send our way on a daily basis. You make the down times bearable and the up times pure joy. We will continue working to bring the natural products you need and provide you with the technology and educational platforms so you can help us change the world and make it a healthier and happier place.
Jade Bloom Inc
Link to blog detailing the known credit card skimming strategy: https://blog.nexcess.net/2014/07/25/recent-exploit-using-fake-magento-extensions/