AVG Blogs

Massive iframe attack hits more than 100,000 web sites
Posted 287 days ago by Lloyd Borrett

Researchers at Armorize have discovered a massive iframe injection campaign that has already infected more than 100,000 web pages, including nearly 3,000 in Australia and more than 500 in New Zealand. According to the researchers, Wayne Huang, Chris Hsiao and NightCola Lin, the campaign appears to be exploiting security issues in osCommerce based online stores.

Once the security of a target osCommerce based web site has been compromised, the intruders inject an iframe which silently redirects the site's visitors to malicious web domains. From there the cyber-criminals launch malware attacks against the visitors' PCs, targeting known vulnerabilities in Java, Adobe's PDF software, Microsoft's Internet Explorer and other common platforms.

(Image: osCommerce iframe exploit)

For a detailed summary of the attack timeline and some interesting screenshots, please read the Armorize report in its entirety.

Ten steps to take if your site has an iframe injection

Administrators of web sites that are already affected should look to the osCommerce forums for up-to-date advice on how to remove the iframe exploit from their site.

However, the following ten steps are good general advice for any web site that has been the victim of an iframe injection:

  • Step 1 – Take the site offline for maintenance until the infection source is found and removed. This way you avoid exposing site visitors to malware infection or a malicious scam.
  • Step 2 – Change all passwords associated with the web site. This includes the admin logins to your content management system (CMS), FTP passwords, database passwords, web server passwords etc. Use strong replacement passwords (i.e. they should contain upper and lower case letters, numbers, and symbols).
  • Step 3 – Make a backup copy of the infected web site and any databases it uses. This lets you do additional analysis once the site is back up and running.
  • Step 4 – Fully replace the web site with the last clean backup copy of it. Scan all backup files with an anti-virus program to ensure that the iframe injection has not infected them with malware.
  • Step 5 – Search every HTML page, or PHP page that generates HTML, in a text editor to look for the offending iframe code. It is very likely that the injected iframe code is present in more than one file on the web site. Remove the injected code as soon as it is found and save the updated page.
  • Step 6 – Upload the site and test it to ensure that the iframe injection no longer exists.
  • Step 7 – Check the site to see how the malicious code was injected. You may be running an outdated version of your CMS that has known security issues which have already been fixed. Update the software and apply all known security fixes.
  • Step 8 – Check for insecure permission settings on the site's files on the server. Often the bad guys are simply exploiting common oversights in the installation and setup of web sites.
  • Step 9 – Monitor visitor activity on the site to see if the injection attack is attempted again, and consider switching from FTP to SFTP for uploading new files to the account.
  • Step 10 – Be sure to change the site passwords at least once a month. Keep your software up-to-date. Regularly check for security patches for all CMS applications you are running.
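Step 5 above asks you to search every HTML and PHP file for the injected iframe. As an added example, not code from the post or from osCommerce, here is a small Python scanner that walks a site's document root and flags iframes that are hidden or point to a host other than the site's own; the site host name, the list of file extensions and the sample page are assumptions.

```python
import os
import re
import sys

# Opening <iframe ...> tags, including ones written out from JavaScript strings.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Attribute or CSS hints that the frame is meant to be invisible to the visitor.
HIDDEN_RE = re.compile(
    r"(width|height)\s*[=:]\s*[\"']?\s*[01](px)?\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE)


def find_suspicious_iframes(html, own_host):
    """Return (src, reason) for each iframe that is hidden and/or points off-site."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        src_m = SRC_RE.search(attrs)
        src = src_m.group(1) if src_m else ""
        # Relative URLs have no host and are treated as on-site.
        host = re.sub(r"^[a-z]+://", "", src, flags=re.IGNORECASE).split("/")[0].lower()
        external = bool(host) and host != own_host.lower()
        hidden = bool(HIDDEN_RE.search(attrs))
        if hidden or external:
            reason = ("hidden " if hidden else "") + ("external " if external else "") + "iframe"
            hits.append((src, reason))
    return hits


def scan_tree(root, own_host, exts=(".html", ".htm", ".php", ".js", ".tpl")):
    """Walk the document root and report (path, src, reason) for every hit."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for src, reason in find_suspicious_iframes(text, own_host):
                findings.append((path, src, reason))
    return findings


# Constructed sample page (assumed host shop.example): one legitimate frame, two injected ones.
SAMPLE_HTML = """<html><body><p>Welcome to the shop</p>
<iframe src="http://shop.example/help" width="600" height="400"></iframe>
<iframe src="http://malicious.example/in.php" width="0" height="0"></iframe>
<script>document.write('<iframe src="http://other.example/x" style="display:none"></iframe>');</script>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: scan_iframes.py <docroot> <own-host>
        for path, src, reason in scan_tree(sys.argv[1], sys.argv[2]):
            print(f"{path}: {reason} -> {src}")
    else:
        print(find_suspicious_iframes(SAMPLE_HTML, "shop.example"))
```

The scanner only sees literal `<iframe` text, so obfuscated injections (escaped or encoded strings decoded at run time) still need a manual look at any unfamiliar script blocks.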

Prevention is better than cure

Anyone running an osCommerce based online store should implement the patches for known security bugs as soon as possible, and check that their installation of osCommerce follows all of the recommended guidelines.

Lloyd Borrett, Security Evangelist, AVG (AU/NZ)