Potent, in-the-wild exploits imperil customers of 100,000 e-commerce sites


Criminals are exploiting an extremely critical vulnerability found on almost 100,000 e-commerce websites in a wave of attacks that puts the personal information of millions of people at risk of theft. The remote code-execution hole resides in the community and enterprise editions of Magento, the Internet's No. 1 content management system for e-commerce sites.

Engineers from eBay, which owns the e-commerce platform, released a patch in February that closes the vulnerability, but as of April 20, more than 98,000 online merchants still hadn't installed it, according to researchers with Byte, a Netherlands-based company that hosts Magento-using websites. Now the consequences of that inaction are beginning to be felt, as attackers from Russia and China launch exploits that allow them to gain complete control over vulnerable sites.

"The vulnerability is actually comprised of a chain of several vulnerabilities that ultimately allow an unauthenticated attacker to execute PHP code on the Web server," Netanel Rubin, a malware and vulnerability researcher with security firm Check Point, wrote in a recent blog post. "The attacker bypasses all security mechanisms and gains control of the store and its complete database, allowing credit card theft or any other administrative access into the system."

The attacks are coming from the IP addresses 62.76.177.179 and 185.22.232.218, which are both based in Russia. Web administrators who are concerned that their sites are compromised should check their logs for these addresses. Still, that method isn't foolproof: according to Incapsula, attacks are also coming from addresses located in China, and it wouldn't be surprising for the attacks to become more widespread in the coming days.
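The log check suggested above can be automated. The following Python scanner is an added example and is not code from the article, Byte, Incapsula or the Magento project: it parses web-server access logs in the common/combined format, flags every request from the two source addresses the article names, and lets an administrator extend the watch list as further addresses are published (the article notes that the two listed addresses are not the whole picture). The sample log lines embedded in the block are constructed for illustration, not real captured traffic.

```python
import re
from collections import Counter

# Source addresses named in the article as origins of the observed attacks.
# Extend this set as additional addresses are published; the article warns
# that the two known ones are not the complete list.
ATTACK_SOURCES = {"62.76.177.179", "185.22.232.218"}

# Apache/Nginx common and combined log format: the client IP is the first
# field, followed by identd, user, [timestamp], "request", status, size...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hits(lines, sources=ATTACK_SOURCES):
    """Return the parsed records of every request from a watched address."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in sources:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source address so a quick triage view is available."""
    return Counter(h["ip"] for h in hits)


def scan_text(text, sources=ATTACK_SOURCES):
    """Scan an in-memory log (string) for requests from watched addresses."""
    return find_hits(text.splitlines(), sources)


def scan_file(path, sources=ATTACK_SOURCES):
    """Stream a log file from disk; errors='replace' tolerates odd bytes."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hits(fh, sources)


# Constructed sample access-log lines (not real captured traffic). The two
# documentation-range addresses (203.0.113.x, 198.51.100.x) are ordinary
# visitors; the other two are the addresses named in the article.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2015:10:01:12 +0000] "GET /index.php/catalog HTTP/1.1" 200 5123
62.76.177.179 - - [20/Apr/2015:10:02:40 +0000] "POST /index.php/admin HTTP/1.1" 200 1834
198.51.100.7 - - [20/Apr/2015:10:03:01 +0000] "GET /robots.txt HTTP/1.1" 404 213
185.22.232.218 - - [20/Apr/2015:10:04:19 +0000] "POST /index.php/admin HTTP/1.1" 200 1834
62.76.177.179 - - [20/Apr/2015:10:05:55 +0000] "GET /index.php/admin HTTP/1.1" 200 902
malformed line that is not in log format
"""

if __name__ == "__main__":
    hits = scan_text(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["ts"]} "{h["req"]}" {h["status"]}')
    print(summarize(hits))
```

For a real deployment, run `scan_file("/var/log/apache2/access.log")` (path is an assumption; adjust for your server) against each rotated log back to February, when the patch was released. An empty result does not prove the site is clean, since the article stresses that other source addresses are already in use; a non-empty result is a strong signal to treat the host as compromised and begin incident response.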

