Sneaky Trojan exploits e-commerce flaws
Cache-probing, cookie-touching, self-deleting malware
More details have emerged of an e-commerce software flaw linked to the theft of credit card information from numerous websites.
A security flaw in osCommerce, an open source e-commerce package, created a means for criminals to compromise 90,000 web pages with redirection scripts that ultimately directed surfers towards a site serving up an exploit toolkit designed to compromise visitors' PCs.
"The attackers inserted an iframe that leads to certain URLs in each of these sites, triggering several redirections," an analysis of the attack published by Trend Micro explains. "The redirections finally lead to an exploit kit that abuses the following vulnerabilities in an attempt to download a malicious file onto systems."
The attack used a battery of four vulnerabilities to install a banking Trojan, detected by Trend Micro as Joric-BRU. Attempts are made to download the software onto the machines of surfers using a battery of four flaws involving Java, Microsoft Windows and Adobe vulnerabilities.
"This malware searches for internet caches, cookies, and histories in order to steal login credentials and other data used for specific websites, usually banks and other financial institutions," Trend Micro explains. "Joric-BRU then forwards the stolen information to specific websites."
Drive-by download-style attacks that target legitimate websites are relatively commonplace. The latest attack takes this one step further by planting exploit code on e-commerce sites, where surfers are entitled to expect a more trusted environment. In addition, the malware used in the attack attempts to delete itself from compromised systems after riffling compromised systems for login credentials, a feature that differentiates the banking Trojan from better known threats such as the ZeuS Trojan.
"This attack is quite efficient," said Trend Micro threat response engineer Karl Dominguez. "It specifically targets users who visit e-commerce sites, since they are the ones most likely have gone shopping online before and are more likely to have their credit card information stored in their systems."
Websites running osCommerce have been targeted by cybercrooks before. Multiple websites were compromised earlier this month. Late last year osCommerce websites were abused as part of a scareware scam.
Older versions of osCommerce are subject to a directory traversal vulnerability as well as an XSS vulnerability for version 2.2-MS2. ®
This is what pisses me off about a LOT of online transactions
The fact that many such online ordering wish to include cack from a number of different sites (the payment handler, maybe your own bank if it has "added security", sometimes resources from two or three domains for card verification scripts, logos, and security images) coupled with the fact that the system is, generally, unable to cope with a refresh. This makes it extremely difficult to use NoScript for such order processing, which would help reduce problems. No, I am not going to "grant permissions for everything" for the period of the order transaction, as - as this article shows - that's the time when you want to know that everything is under control.
Only the other week, I placed an order, went to the payment handler, gave it permission, it reloaded and the next thing I know I'm back in the company I was ordering from with my basket having been cleared! Checking my order history, none. I considered if I really needed the thing I was ordering, and decided that - no, I didn't. [and later got it cheaper from Amazon ;) ]