Six million Web pages have been booby-trapped with malware, using security vulnerabilities in software that hundreds of thousands of e-commerce Web sites use to process credit and debit card transactions.
Web security firm Armorize said it has detected more than six million Web pages that were seeded with attack kits designed to exploit Web browser vulnerabilities and plant malicious software. The company said the hacked sites appear to be running outdated and insecure versions of osCommerce, an e-commerce shopping cart program that is popular with online stores.
Armorize said the compromised pages hammer a visitor's browser with exploits that target at least five Web browser plug-in vulnerabilities, including two flaws in Java, a pair of Windows bugs, and a security weakness in Adobe's PDF Reader. Patches are available for all of the targeted browser vulnerabilities.
According to Armorize, the malware targets osCommerce websites and leverages several osCommerce vulnerabilities: osCommerce Remote Edit Site Info Vulnerability (disclosed July 10th, 2011); osCommerce 2.3.1 banner_manager.php Remote File Upload Vulnerability (disclosed May 14, 2011); and OsCommerce Online Merchant v2.2 File Disclosure And Admin ByPass (disclosed May 30, 2010).
Earlier this year, I wrote a lengthy piece for Kaspersky's Secureview magazine on this subject: The story warned that criminals were using osCommerce vulnerabilities to hijack tens of thousands of Web sites that were later used to relay junk email and to host phishing scams. If you operate a site that uses osCommerce, please take a moment to ensure that your shopping cart software is up-to-date. The Armorize blog post lists several ways to tell if your site has been hacked. A handy tutorial on securing osCommerce applications is available here.
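Two of the flaws named above are a remote file upload and a file disclosure/admin bypass, so the obvious things for a shop operator to check are whether any files under the web root have changed since a known-good state, and whether anything executable has landed in a directory that should only hold images. The script below is an added example written for this post; it is not Armorize's checklist and not osCommerce code. It assumes the shop lives under a single web root and that uploaded banner images go to an `images/` subdirectory (a layout assumption; adjust `UPLOAD_DIRS` to match your install). Run it once after a clean install or patch to record a baseline manifest, then rerun it to list added, modified, or removed files and any PHP code sitting in an upload directory.

```python
"""Added example (not from the article, Armorize, or osCommerce):
a file-integrity and upload-directory check for a shopping-cart web root.
Assumption: banner uploads land in 'images/' (adjust UPLOAD_DIRS if not)."""
import hashlib
import json
import os
import re
import sys

# Directories that should only ever hold static images (assumed layout).
UPLOAD_DIRS = ("images",)
# Extensions a typical PHP web server will execute.
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# PHP open tag; finding it inside a "gif" or "jpg" means code disguised as an image.
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=")


def sha256_file(path):
    """Hash a file in chunks so large images don't need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Return sorted lists (added, modified, removed) between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def find_suspicious_uploads(root, upload_dirs=UPLOAD_DIRS):
    """Flag files in upload directories that are executable by extension,
    or that carry a PHP open tag regardless of what their extension claims."""
    findings = []
    for d in upload_dirs:
        base = os.path.join(root, d)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                    findings.append((rel, "executable extension in upload dir"))
                    continue
                with open(full, "rb") as fh:
                    head = fh.read(4096)  # open tag is normally near the top
                if PHP_OPEN_TAG.search(head):
                    findings.append((rel, "PHP code inside a non-PHP file"))
    return findings


def save_manifest(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    # usage: python check_shop.py /path/to/webroot [baseline.json]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    baseline_path = sys.argv[2] if len(sys.argv) > 2 else "baseline-manifest.json"
    current = build_manifest(root)
    if os.path.exists(baseline_path):
        added, modified, removed = diff_manifest(load_manifest(baseline_path), current)
        for label, paths in (("ADDED", added), ("MODIFIED", modified), ("REMOVED", removed)):
            for p in paths:
                print(f"{label:9} {p}")
    else:
        save_manifest(current, baseline_path)
        print(f"wrote baseline for {len(current)} files to {baseline_path}")
    for rel, reason in find_suspicious_uploads(root):
        print(f"SUSPECT   {rel}: {reason}")
```

Keep the baseline manifest outside the web root (and ideally off the server), since an attacker who can write to the document root can also rewrite a manifest stored there. A modified core file such as an admin script, or a `.php` file appearing under `images/`, is the kind of finding that warrants taking the site offline and restoring from a clean install before patching.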