E-commerce Magento websites……… “massive” cyberattack

Magento content management systems are embroiled within a “massive” cyberattack campaign which has already infected over 50,000 websites.



Websites running the Magento CMS are being infected within a fresh campaign which has impacted thousands of domains in a matter of days.

Over the weekend, researchers from Sucuri Labs said the attack involves the injection of malicious scripts through iframes from guruincsite.com.

There are two modified versions of the infection, and while one is obfuscated, the other is not — giving security teams a virtual beacon to track the malicious domain involved in this latest attack on content management systems.

According to the team, Google has already blacklisted almost 8,000 infected websites over the past 90 days.

Webmasters in Google forums who have been affected by the campaign say malicious code has been found in design aspects of their Magento CMS systems, particularly within the Footer – Miscellaneous Scripts areas of their sites. Removing these scripts and then resubmitting clean websites back to Google for review should remove the blacklisting.

The Magento content management system, tailored for e-commerce, is used by over 200,000 companies worldwide.

Sucuri is investigating the spread of Guruincsite and suspect “it was some vulnerability in Magento or one of the third-party extensions that allowed it to infect thousands of sites within a short time.”

However, the actual attack vector is yet to be discovered, which potentially placing hundreds of thousands of online retail websites — and any financial data stored within — at risk.

Researchers from Malwarebytes say guruincsite is also linked to the infrastructure of a campaign using the Neutrino Exploit Kit. The “neitrino” cyberattack campaign uses the same attack on the server side that Sucuri noticed, but instead compromises domains client side via web exploits. Websites compromised through a Flash exploit are harvested for financial data and also become slaves to a botnet system.

Sucuri recommends that webmasters make sure their systems are up-to-date and to consider using website firewalls to better protect online domains. A number of webmasters with infected sites have noticed unidentified admin users appearing in their systems, and immediate removal is the best way to go.

Sharad Chauhan


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s