We were recently able to analyze a certain attack that compromised numerous e-commerce websites in order to steal credit card information from the sites’ potential customers.
The affected websites were found using osCommerce, an open source e-commerce solution that allows users to easily manage their online shops.
Based on our analysis, more than 90,000 pages had been compromised. The attackers had inserted into each of them an iframe leading to certain URLs, which trigger several redirections. The redirections finally lead to an exploit kit, which abuses the following vulnerabilities in an attempt to download a malicious file onto the system:
Successful exploitation triggers a connection to another URL to download the final payload, which is now detected as TROJ_JORIK.BRU. This malware searches the Internet cache, cookies, and history to steal login credentials and other data used on specific websites, usually those of banks and other financial institutions. TROJ_JORIK.BRU then forwards the stolen information to specific websites.
Customers as Biggest Target
This attack greatly affects not only the site owners, whose businesses are disrupted by the compromise, but even more so their potential customers, who get their credit card information stolen simply for visiting a supposedly trusted site. As Trend Micro Threat Response Engineer Karl Dominguez observes, “This attack is quite efficient. It specifically targets users who visit e-commerce sites, since they are the ones most likely to have done online shopping before, and are more likely to have their credit card information stored in their system.”
The attacker also seems to aim for the “get it and go” approach, immediately deleting the malicious file after execution. “This is not like ZeuS, wherein the malware hides in the system for continuous monitoring. It just executes, takes the information that it wants to steal, and then deletes itself. This might be done to prevent being detected by the victim,” Dominguez explains.
Website Owners Need to be More Vigilant
This is not the first mass compromise osCommerce users have experienced as of late. Multiple websites were also reported compromised earlier this month, while another compromise from late last year revealed osCommerce websites being used as FAKEAV redirectors.
This use of osCommerce as a platform for attacks should definitely call the attention of osCommerce website owners, as well as of the developers themselves.
According to Trend Micro Researcher Hayashi Noriaki, osCommerce has a well-known directory traversal vulnerability, as well as an XSS vulnerability in version 2.2-MS2. Considering this, owners of osCommerce sites are strongly advised to update all their software to the latest version and, most importantly, to check their sites for any code injections.
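One way a site owner can check for the kind of injection described above (an iframe pointing off-site, typically hidden) is to walk the shop's HTML and PHP templates and flag iframes whose source host is not one of the shop's own, or whose styling makes them invisible. The scanner below is an added example for this post, not code from Trend Micro or osCommerce; the trusted host list and the sample page it checks are constructed assumptions, and an injected tag in a real compromise may differ in its attributes.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the shop legitimately embeds content from. Adjust per site.
TRUSTED_HOSTS = {"shop.example.com", "www.shop.example.com"}

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True for width/height values of 0 or 1 (e.g. '1', '1px', '0')."""
    digits = re.sub(r"[^0-9]", "", value)
    return digits != "" and int(digits) <= 1

def is_hidden(attrs):
    """Hidden via CSS or via a 0x0 / 1x1 box, the usual injected-iframe shapes."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", ""))

def is_external(src):
    """Absolute or protocol-relative src whose host is not a trusted host."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in TRUSTED_HOSTS

def find_suspicious_iframes(html):
    """Return [(src, [reasons])] for iframes that are off-site and/or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_external(src):
            reasons.append("external src")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            hits.append((src, reasons))
    return hits

# Constructed sample: one legitimate same-site iframe and one injected 1x1 iframe.
SAMPLE_PAGE = (
    '<html><body><h1>Catalog</h1>'
    '<iframe src="/help" width="600" height="400"></iframe>'
    '<iframe src="http://injected.invalid/in.php" width="1" height="1" '
    'style="display: none"></iframe></body></html>'
)
```

Run `find_suspicious_iframes` over each file under the shop's document root and review every hit; a tag that reaches an unknown host from a page you did not edit is the signature this post describes.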
Trend Micro customers are already protected from this threat. The malicious URLs from the redirections and the malicious files are already blocked and detected respectively through the Trend Micro Smart Protection Network. Additionally, the Trend Micro Browser Guard prevents the abovementioned exploits from executing, thus preventing the download of the malicious file.