iFrame Attack Infects More Than 300,000 osCommerce Sites

Specifically, the massive iFrame attack is targeted at osCommerce, a free, open source package that allows users to launch an e-commerce site and essentially build anything online.

“If you want to quickly have a Web site selling stuff, osCommerce is a very popular package,” said Wayne Huang, chief technology officer at Armorize, who headed the research team that detected the new attack.

However, osCommerce is also vulnerable to attacks, Huang said, primarily because it relies on templates that are customizable with a wide variety of fonts, colors and graphics. What's more, the templates are hardened into the osCommerce sourcecode, which prohibits security upgrades that could protect the templates, he said.

“OS Commerce sites are vulnerable. One of the reasons is because people don’t upgrade. If you upgrade, you lose the template,” Huang said. “They’ll stay vulnerable.”

Huang said that the attack perpetrators scan for older versions of osCommerce, particularly versions 2.2 and below. Once they find an older version of the application, attackers then leverage the known Javascript vulnerabilities and inject an iFrame into the site.

In an attack scenario, users unknowingly visit a compromised osCommerce Web site. Once the user visits the page, malicious code redirects the user to a page serving client-side exploits.

Once infected, users are subjected to malware designed to siphon sensitive information to a remote server or record keystrokes, and take control of their entire computer.

Huang said he had seen the attack progress rapidly over the last week, escalating from 90,000 infected Web pages to more than 300,000 in a matter of days.

To protect an OS Commerce site from infection, Huang recommended that users upgrade their site. If they’re unable to do that, he suggests that users apply known patches to secure the site and reduce the potential of attack.