An attack targeting sites running unpatched versions of the osCommerce web application kept growing virally this week, more than three weeks after a security firm warned it was being used to install malware on the computers of unsuspecting users.

When researchers from Armorize first spotted the exploit on July 24, they estimated it had injected malicious links into about 91,000 webpages. By early last week, The Reg reported it had taken hold of almost 5 million pages. At time of writing, Google searches here and here suggested that the number exceeded 8.3 million.

"It is devastating not only to see the damage the attack has inflicted to online stores, but also to customers who are getting affected with old IE6 browser exploits," he wrote in an email.

He said a fix has been available since November's release of osCommerce Online Merchant v2.3. The steadily climbing number of infected webpages suggests that a large percentage of osCommerce websites can't be bothered to install it. And that means people visiting those ecommerce websites are being unnecessarily exposed to attacks. ®

Related stories

• Mass ASP.NET attack causes websites to turn on visitors (14 October 2011)
• Firm at heart of biggest oil spill spews toxic web attack (25 August 2011)
• Malware attack spreads to 5 million pages (and counting) (2 August 2011)
• Compromise turns Kaspersky site into malware hub (19 October 2010)
• 1,000+ webpages poisoned in latest mass malware hack (11 June 2010)
• Mass hack plants malware on thousands of webpages (9 June 2010)
• Security bugs reinfect financial giant’s website (1 February 2010)
• Mass web infection pinned on hardened crime gang (27 August 2009)
• University website peddles Adobe warez (27 March 2007)