Web security firm Armorize has identified over 6 million e-commerce web pages which have been compromised in order to serve malware to users.

Note that Armorize uses Google to find exploits by searching for the text of the exploit itself.

Hat tip to Brian Krebs. Bookmark that guy.

The sites all use vulnerable versions of osCommerce, an open source online shop e-commerce solution. Some of the vulnerabilities exploited are old and were patched long ago, but the sites have not updated their osCommerce installations. Some of the vulnerabilities (like this one) are quite recent. osCommerce, like a lot of other open source web solutions, is built on PHP and MySQL, each of which has its own vulnerabilities and frequent patches.

Compromised sites have an iframe or remote script call injected into the code they send to users. These install malware on users' computers. The Armorize blog has instructions for finding and removing the malware from your own web sites.
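One way to check your own page source for the kind of injection described above, as an added example that is not from Armorize or this post: list every iframe or script whose `src` points at a host you do not recognise. The host names, the sample HTML and the allowlist approach are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class RemoteIncludeFinder(HTMLParser):
    """Collect <iframe>/<script> tags whose src points at an unlisted host."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "").strip()).hostname or "").lower()
        if not host:
            return  # inline script or relative URL: served by the shop itself
        if host in self.allowed or any(host.endswith("." + h) for h in self.allowed):
            return  # allowlisted host or one of its subdomains
        # Zero-size or display:none frames are typical of injected content.
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style)
        self.findings.append((self.getpos()[0], tag, host, hidden))

def scan(html, allowed_hosts):
    """Return (line, tag, host, looks_hidden) for each off-site include."""
    finder = RemoteIncludeFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: two legitimate includes, two unexpected ones.
SAMPLE = """<html><body>
<script src="/includes/general.js"></script>
<script src="https://cdn.shop.example/jquery.js"></script>
<iframe src="http://stats.invalid/in.php" width="0" height="0"></iframe>
<script src="//widgets.invalid/w.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, host, hidden in scan(SAMPLE, ["shop.example"]):
        print(f"line {line}: <{tag}> loads from {host} (hidden={hidden})")
```

This only sees tags present in the static HTML; includes written into the page at runtime by inline JavaScript need the rendered page or the source files themselves inspected.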

The browser exploits used to install the malware on client systems include:



Note the 4th one, the infamous MDAC bug. It's well over 5 years old now and still finds success, largely from Windows XP systems that have not been patched in many years, if ever.

Armorize identifies the source of the attacks as several IP addresses in Ukraine.