E-commerce sites based on open source code under attack

Security vendor Armorize says it believes at least 100,000 Web pages based on OS Commerce hit

About 100,000 Web pages for e-commerce sites based on the open source OS Commerce software have been compromised with malware through a mass iFrame injection attack, according to security firm Armorize.

The ongoing mass-injection attacks appear to be carried out from Ukraine against the e-commerce sites. The sites that are successfully attacked are compromised with malware which is then used to try and attack visitors to these e-commerce sites, said Wayne Huang, chief technology officer at Armorize.

While attacks across the Web are not uncommon, Huang says this one is notable because it's a mass-injection type of attack that's reminiscent of attacks that were carried out about three years ago in high frequency but are not as common today.

The attackers "may be leveraging a known vulnerability" in the open-source software, Huang says, adding that attackers tend to lurk and watch for any information that's shared publicly about newly found vulnerabilities in software. He notes that OS Commerce open source is a popular foundation for an e-commerce site which is then given a different "look and feel" through various templates that are typically sold. He notes that some of the customization this brings may be hard to upgrade because it is sometimes "hardcoded."

According to its website, the OS Commerce open source group counts 249,500 store owners as using its Online Merchant software, which is available for free under the GNU General Public License. There was no immediate response to questions emailed to OS Commerce.

Learn more about this topic

Open Source Subnet 

The Cloud Gets More Open, But Can You Have Too Much Open? 

Debate rages over how to manage personal mobile devices at work 

Ponemon study: Cyberattacks more frequent, severe

Yahoo and open source 

2008 was not a good year

Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies