We were recently able to analyze a certain attack that compromised numerous e-commerce websites in order to steal credit card information from potential customers.
The affected websites were found using osCommerce, an open source e-commerce solution that allows users to easily manage their online shops.
Based on our analysis, more than 90,000 pages were compromised. The attackers inserted an iframe that leads to certain URLs in each of these sites, triggering several redirections. The redirections finally lead to an exploit kit that abuses the following vulnerabilities in an attempt to download a malicious file onto systems:
Successful exploitation of the above-mentioned vulnerabilities triggers a connection to another URL in order to download a final payload that we now detect as TROJ_JORIK.BRU. This malware searches for Internet caches, cookies, and histories in order to steal login credentials and other data used for specific websites, usually banks and other financial institutions. TROJ_JORIK.BRU then forwards the stolen information to specific websites.
Customers as the Biggest Target
This attack greatly affects not only the site owners whose businesses get disrupted by a compromise. Even worse, it attacks their potential customers who get their credit card information stolen just for visiting a supposedly trusted site. As Trend Micro threat response engineer Karl Dominguez observes, “This attack is quite efficient. It specifically targets users who visit e-commerce sites since they are the ones most likely to have gone shopping online before and are more likely to have their credit card information stored in their systems.”
The attacker also seemed to use the “get it and go” approach, as he immediately deleted the malicious file after execution. “This is not like ZeuS attacks wherein the malware hides in the system for continuous monitoring. The malware just executes, takes the information that it wants to steal, then deletes itself. This may be done to prevent detection by the victims,” Dominguez explains.
Website Owners Need to Be More Vigilant
This is not the first mass compromise involving osCommerce users. Multiple websites were also reported to have been compromised earlier this month, while another compromise from late last year revealed osCommerce websites being used as FAKEAV redirectors.
This use of osCommerce as a platform for attacks should definitely call the attention of osCommerce website owners, as well as their developers.
According to Trend Micro senior threat researcher Hayashi Noriaki, osCommerce has a famous directory traversal vulnerability as well as an XSS vulnerability for version 2.2-MS2. Considering this, owners of osCommerce sites are strongly advised to update all of their software to the latest versions and most importantly, to check their sites for any code injection.
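The injection described above (an iframe inserted into the site's pages that starts the redirection chain) is the kind of thing a site owner can look for directly in the shop's files. The following is an added example written for this post, not code from Trend Micro or from the osCommerce project: it walks a document root, pulls every `<iframe>` tag out of PHP/HTML/JS files and flags those that point at a host outside an allow-list, are zero-sized or CSS-hidden, or sit after the closing `</html>` tag (a common sign of appended content). The sample pages, the allowed host `shop.example` and the placeholder `example.invalid` are constructed for the demonstration; the exact markers of the 2011 injection are not given in the post, so the heuristics here are general ones.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructed sample pages (not taken from a real compromise).
# A legitimate same-site iframe inside the document body:
CLEAN_PAGE = """<html><body>
<h1>Shop</h1>
<iframe src="/checkout_frame.php" width="600" height="400"></iframe>
</body></html>"""

# A page with a hidden, zero-size, external iframe appended after </html>:
INJECTED_PAGE = """<html><body>
<h1>Shop</h1>
</body></html>
<iframe src="http://example.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
ZERO_DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?0(px)?["']?""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)


def suspicious_iframes(html, allowed_hosts):
    """Return a list of (src, reasons) for iframes that look injected.

    allowed_hosts: set of hostnames the site legitimately frames (assumed).
    """
    findings = []
    closing_html = html.lower().rfind("</html>")
    for match in IFRAME_RE.finditer(html):
        tag = match.group(0)
        reasons = []
        src_match = SRC_RE.search(tag)
        src = src_match.group(1) if src_match else ""
        host = urlparse(src).hostname  # None for relative URLs
        if host and host not in allowed_hosts:
            reasons.append("external src")
        if ZERO_DIM_RE.search(tag):
            reasons.append("zero-size")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden")
        if closing_html != -1 and match.start() > closing_html:
            reasons.append("after </html>")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_tree(root, allowed_hosts, exts=(".php", ".html", ".htm", ".js")):
    """Scan every file with a matching extension under root.

    Returns {relative_path: [(src, reasons), ...]} using '/' separators.
    """
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_iframes(fh.read(), allowed_hosts)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                results[rel] = hits
    return results


def demo():
    """Build a throwaway document root with one clean and one injected page."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_PAGE)
        with open(os.path.join(root, "includes", "footer.php"), "w", encoding="utf-8") as fh:
            fh.write(INJECTED_PAGE)
        return scan_tree(root, allowed_hosts={"shop.example"})


if __name__ == "__main__":
    for path, hits in demo().items():
        for src, reasons in hits:
            print(f"{path}: {src} [{', '.join(reasons)}]")
```

Run it against the real document root (`scan_tree("/var/www/shop", {"your-shop-host"})`) after any suspected compromise and again after patching; a clean result from this scanner is not proof of a clean site, since injected code can also be obfuscated JavaScript or live in the database-backed templates rather than in files, so it is a first pass, not a substitute for restoring from a known-good copy.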
Trend Micro customers are already protected from this threat. The malicious URLs related to the redirections and the malicious files are already being blocked and detected by the Trend Micro™ Smart Protection Network™. In addition, Trend Micro Browser Guard prevents the above-mentioned exploits from executing, thus preventing the download of the malicious file.
Update as of July 31, 2011, 8:58 PM, PST
The above-mentioned exploit kit is already detected as JS_EXPLOIT.BRU.