Sneaky Trojan exploits e-commerce flaws

Cache-probing, cookie-touching, self-deleting malware


More details have emerged of an e-commerce software flaw linked to the theft of credit card information from numerous websites.

A security flaw in osCommerce, an open source e-commerce package, created a means for criminals to compromise 90,000 web pages with redirection scripts that ultimately directed surfers towards a site serving up an exploit toolkit designed to compromise visitors' PCs.

"The attackers inserted an iframe that leads to certain URLs in each of these sites, triggering several redirections," an analysis of the attack published by Trend Micro explains. "The redirections finally lead to an exploit kit that abuses the following vulnerabilities in an attempt to download a malicious file onto systems."

The attack used a battery of four vulnerabilities to install a banking Trojan, detected by Trend Micro as Joric-BRU. Attempts are made to download the software onto the machines of surfers using a battery of four flaws involving Java, Microsoft Windows and Adobe vulnerabilities.

"This malware searches for internet caches, cookies, and histories in order to steal login credentials and other data used for specific websites, usually banks and other financial institutions," Trend Micro explains. "Joric-BRU then forwards the stolen information to specific websites."

Drive-by download-style attacks that target legitimate websites are relatively commonplace. The latest attack takes this one step further by planting exploit code on e-commerce sites, where surfers are entitled to expect a more trusted environment. In addition, the malware used in the attack attempts to delete itself from compromised systems after riffling compromised systems for login credentials, a feature that differentiates the banking Trojan from better known threats such as the ZeuS Trojan.

"This attack is quite efficient," said Trend Micro threat response engineer Karl Dominguez. "It specifically targets users who visit e-commerce sites, since they are the ones most likely have gone shopping online before and are more likely to have their credit card information stored in their systems."

Websites running osCommerce have been targeted by cybercrooks before. Multiple websites were compromised earlier this month. Late last year osCommerce websites were abused as part of a scareware scam.

Older versions of osCommerce are subject to a directory traversal vulnerability as well as an XSS vulnerability for version 2.2-MS2. ®

Broader topics


Other stories you might like

  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • To cut off all nearby phones with these Chinese chips, this is the bug to exploit
    Android patches incoming for NAS-ty memory overwrite flaw

    A critical flaw in the LTE firmware of the fourth-largest smartphone chip biz in the world could be exploited over the air to block people's communications and deny services.

    The vulnerability in the baseband – or radio modem – of UNISOC's chipset was found by folks at Check Point Research who were looking for ways the silicon could be used to remotely attack devices. It turns out the flaw doesn't just apply to lower-end smartphones but some smart TVs, too.

    Check Point found attackers could transmit a specially designed radio packet to a nearby device to crash the firmware, ending that equipment's cellular connectivity, at least, presumably until it's rebooted. This would be achieved by broadcasting non-access stratum (NAS) messages over the air that when picked up and processed by UNISOC's firmware would end in a heap memory overwrite.

    Continue reading

Biting the hand that feeds IT © 1998–2022