Magento is a popular Content Management System (CMS) deployed at over 200,000 websites as their e-commerce platform. On Sunday, Sucuri published a blog post about a Massive Magento Guruincsite Infection that had already infected thousands of sites. Google has blacklisted almost 8,000 sites over the past 90 days. At this point, it appears that we don't know the original injection vector. According to Sucuri, "It's likely a vulnerability in the Magento CMS software itself or one of the 3rd party extensions installed by the administrator."
What we do know is that the attack on any visitor to these infected sites involves the injection of malicious scripts through iframes loaded from guruincsite.com. Researchers from Malwarebytes say guruincsite is also linked to the infrastructure of a campaign using the Neutrino Exploit Kit. These scripts ultimately exploit a Flash vulnerability on the unsuspecting user's machine, silently delivering malware.
So the well-trodden path for malware authors is this:
- Identify a vulnerability in popular server software (Magento in this case)
- Exploit this vulnerability to either directly place malware or redirect visitors to a malware site
- Infect unsuspecting users with a silent download
- Harvest financial credentials from compromised machines
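The injected iframes described above are something a site owner or a proxy can look for directly. The following is an added detection example, not code from Sucuri, Malwarebytes or the Magento project: it parses a page with Python's standard-library HTML parser, reports any `<iframe>` or `<script>` whose `src` points at a blocklisted host, and separately flags hidden iframes, since injected frames are usually invisible to the visitor. The blocklist contains only guruincsite.com, the domain named in this post; the two sample pages are constructed for the example and are not real captures.

```python
"""Scan HTML for iframes/scripts loaded from known-malicious hosts.

Added example for this post (not Sucuri's, Malwarebytes' or Magento's code).
The blocklist holds only the domain the post names; sample pages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in the post as the source of the injected iframes.
BLOCKLIST = {"guruincsite.com"}


class SrcCollector(HTMLParser):
    """Collect (tag, src, style) for every <iframe> and <script> tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            attr = dict(attrs)
            src = attr.get("src")
            if src:
                self.found.append((tag, src, attr.get("style") or ""))


def host_of(src):
    """Lowercase hostname of a src value; scheme-relative URLs ("//host/path")
    are common in injected markup, so they are normalised first."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlparse(src).hostname or "").lower()


def is_blocklisted(host):
    """True for a blocklisted domain or any subdomain of one."""
    return any(host == bad or host.endswith("." + bad) for bad in BLOCKLIST)


def find_injected_frames(html):
    """Return (tag, src, reason) triples for suspicious tags in the page:
    any src on a blocklisted host, plus iframes styled display:none."""
    parser = SrcCollector()
    parser.feed(html)
    hits = []
    for tag, src, style in parser.found:
        if is_blocklisted(host_of(src)):
            hits.append((tag, src, "blocklisted host"))
        elif tag == "iframe" and "display:none" in style.replace(" ", ""):
            hits.append((tag, src, "hidden iframe"))
    return hits


# Constructed sample pages (not real captures).
CLEAN_PAGE = """<html><body>
<script src="/js/mage/cookies.js"></script>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
</body></html>"""

INFECTED_PAGE = """<html><body>
<script src="/js/mage/cookies.js"></script>
<iframe src="//guruincsite.com/path" width="1" height="1" style="display: none"></iframe>
<iframe src="https://cdn.example.org/x" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, find_injected_frames(page))
```

Run against a crawled copy of a storefront's pages, the "blocklisted host" hits are conclusive, while "hidden iframe" hits need a human look, since some legitimate widgets also use invisible frames. Either way, the check runs on the server side or at the gateway and never executes the injected script.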
For enterprises that are looking to protect their employees, this is a huge challenge. Many of these e-commerce sites are categorized as "good" by existing secure web gateways. Yet when such a site gets infected and an employee visits it, that employee instantly ends up with malware. While the recent focus in the media is on Magento, the ultimate victims are the users who visit these sites and get infected. What can we do about it? If the code from all these sites (Magento or not) never reaches the endpoint, then it doesn't matter whether there is malware on them. We call this Isolation, and it's a fairly simple idea with profound impact in the fight against malware.