Magento content management systems are embroiled within a “massive” cyberattack campaign which has already infected over 50,000 websites.
Websites running the Magento CMS are being infected within a fresh campaign which has impacted thousands of domains in a matter of days.
Over the weekend, researchers from Sucuri Labs said the attack involves the injection of malicious scripts through iframes from guruincsite.com.
There are two modified versions of the infection, and while one is obfuscated, the other is not — giving security teams a virtual beacon to track the malicious domain involved in this latest attack on content management systems.
Webmasters in Google forums who have been affected by the campaign say malicious code has been found in design aspects of their Magento CMS systems, particularly within the Footer – Miscellaneous Scripts areas of their sites. Removing these scripts and then resubmitting clean websites back to Google for review should remove the blacklisting.
The Magento content management system, tailored for e-commerce, is used by over 200,000 companies worldwide.
Sucuri is investigating the spread of Guruincsite and suspect “it was some vulnerability in Magento or one of the third-party extensions that allowed it to infect thousands of sites within a short time.”
Researchers from Malwarebytes say guruincsite is also linked to the infrastructure of a campaign using the Neutrino Exploit Kit. The “neitrino” cyberattack campaign uses the same attack on the server side that Sucuri noticed, but instead compromises domains client side via web exploits. Websites compromised through a Flash exploit are harvested for financial data and also become slaves to a botnet system.
Sucuri recommends that webmasters make sure their systems are up-to-date and to consider using website firewalls to better protect online domains. A number of webmasters with infected sites have noticed unidentified admin users appearing in their systems, and immediate removal is the best way to go.