Thousands of e-commerce Magento websites struck with Guruincsite malware


Websites running the Magento CMS are being infected with malware in a fresh campaign which has impacted thousands of domains in a matter of days.

Over the weekend, researchers from Sucuri Labs said the attack injects malicious JavaScript into affected sites, which in turn loads an iframe from guruincsite.com.

There are two variants of the injected code. One is obfuscated and the other is not, and the plain-text variant gives security teams a ready-made beacon: the malicious domain appears in clear text and can be searched for directly. A search for the domain string alone will not catch the obfuscated variant, however, so site owners should not treat a clean result as proof of a clean site.

According to the team, Google has already blacklisted almost 8,000 infected websites over the past 90 days.

Affected webmasters posting in Google's webmaster forums say the malicious code was found in the Design configuration of their Magento installations, particularly in the Footer – Miscellaneous Scripts field. Removing the injected scripts and then resubmitting the cleaned site to Google for review should lift the blacklisting.
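The article does not reproduce the injected code, so the following is an added example, not code from the article, Sucuri or Magento. It is a small Python scanner over Magento configuration values that flags the guruincsite.com indicator even when the snippet is obfuscated (hex escapes, HTML entities, URL escapes, String.fromCharCode), and separately flags any iframe pointing off-site regardless of domain. The sample rows and the injected snippets are constructed for this example and are not the real payload; the config paths `design/head/includes` and `design/footer/absolute_footer` are assumed to be the Magento 1.x paths behind the "Miscellaneous Scripts" and "Miscellaneous HTML" fields and should be checked against your own install.

```python
import html
import re
from urllib.parse import unquote

# Indicator named in the Sucuri report the article cites.
IOC_DOMAINS = ("guruincsite.com",)

# Constructed stand-ins for Magento 1.x core_config_data rows (path, value).
# The paths are assumed to be the Magento 1.x config paths behind the
# "Miscellaneous Scripts" (HTML Head) and "Miscellaneous HTML" (Footer) fields;
# verify them on your own install. The injected snippets are invented for this
# example and are NOT the real guruincsite payload.
SAMPLE_CONFIG_ROWS = [
    ("design/head/includes",
     '<link rel="icon" href="/skin/frontend/favicon.ico"/>'),
    # plain variant: the domain is visible in clear text
    ("design/footer/absolute_footer",
     '<iframe src="http://guruincsite.com/track.php" width="1" height="1" '
     'style="display:none"></iframe>'),
    # obfuscated variant 1: hex-escaped document.write()
    ("design/footer/absolute_footer",
     '<script>document.write("\\x3ciframe src=\\x22http://gurui\\x6ecsite.com/x.php'
     '\\x22 width=1 height=1\\x3e\\x3c/iframe\\x3e");</script>'),
    # obfuscated variant 2: domain assembled with String.fromCharCode()
    ("design/head/includes",
     '<script>eval(String.fromCharCode(103,117,114,117,105,110,99,115,105,116,'
     '101,46,99,111,109));</script>'),
    ("design/footer/absolute_footer",
     '<script src="/js/varien/analytics.js"></script>'),
]

IFRAME_SRC = re.compile(
    r'<iframe[^>]+src\s*=\s*["\']?\s*(?:https?:)?//([^/"\'\s>]+)', re.I)


def deobfuscate(value, rounds=3):
    """Peel the common JavaScript/HTML encodings an injected snippet hides
    behind (HTML entities, %XX, \\xHH, \\uHHHH, String.fromCharCode) so that a
    plain substring match on the domain works. Several passes are run because
    the layers are often nested; the loop stops as soon as a pass changes nothing."""
    text = value
    for _ in range(rounds):
        before = text
        text = html.unescape(text)
        text = unquote(text)
        text = re.sub(r'\\x([0-9a-fA-F]{2})',
                      lambda m: chr(int(m.group(1), 16)), text)
        text = re.sub(r'\\u([0-9a-fA-F]{4})',
                      lambda m: chr(int(m.group(1), 16)), text)
        text = re.sub(r'String\.fromCharCode\(\s*([\d\s,]+)\)',
                      lambda m: ''.join(chr(int(n)) for n in m.group(1).split(',')
                                        if n.strip()),
                      text)
        if text == before:
            break
    return text


def find_injections(rows, ioc_domains=IOC_DOMAINS):
    """Return (path, domain, was_obfuscated) for every row that references an
    indicator domain once decoded."""
    hits = []
    for path, value in rows:
        decoded = deobfuscate(value)
        for domain in ioc_domains:
            if domain in decoded.lower():
                hits.append((path, domain, decoded != value))
                break
    return hits


def external_iframe_hosts(rows, own_hosts):
    """Domain-agnostic check: an iframe whose src points off-site is suspicious
    in a head/footer snippet whether or not the host is a known indicator."""
    found = []
    for path, value in rows:
        for host in IFRAME_SRC.findall(deobfuscate(value)):
            if host.lower() not in own_hosts:
                found.append((path, host.lower()))
    return found


if __name__ == "__main__":
    for path, domain, obfuscated in find_injections(SAMPLE_CONFIG_ROWS):
        kind = "obfuscated" if obfuscated else "plain"
        print(f"IOC hit in {path}: {domain} ({kind})")
    for path, host in external_iframe_hosts(SAMPLE_CONFIG_ROWS, {"shop.example.com"}):
        print(f"off-site iframe in {path}: {host}")
```

On a live Magento 1.x install the rows to feed in come from `SELECT path, value FROM core_config_data WHERE path LIKE 'design/%'`. The database fields are where the webmasters quoted above found the snippet, but an attacker with write access to the server can just as easily place it in theme template files, so running the same two functions over the theme directory is cheap insurance. The off-site iframe check is the one to keep after this campaign is over: the indicator domain will change, the technique will not.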

The Magento content management system, tailored for e-commerce, is used by over 200,000 companies worldwide.

Sucuri is investigating the spread of Guruincsite and suspects “it was some vulnerability in Magento or one of the third-party extensions that allowed it to infect thousands of sites within a short time.”

However, the actual attack vector has yet to be identified, which potentially places hundreds of thousands of online retail websites, and any financial data stored within them, at risk.

Researchers from Malwarebytes say guruincsite is also linked to the infrastructure of a campaign using the Neutrino Exploit Kit. That campaign relies on the same server-side compromise that Sucuri observed, but its payload is aimed at the client side: visitors to the compromised sites are redirected to the exploit kit, which attempts a Flash exploit against their browsers. Visitors' machines compromised this way are harvested for financial data and enlisted into a botnet.

Sucuri recommends that webmasters keep their systems up to date and consider using a website firewall to better protect their domains. Several webmasters with infected sites have also noticed unidentified admin users appearing in their Magento back ends; these accounts should be removed immediately, since an attacker-created administrator account gives the intruder a way back in after the injected script has been cleaned up.

Source – http://www.zdnet.com/article/thousands-of-e-commerce-magento-websites-struck-with-guruncsite-malware/