Fraud Alert: Fraud Attacks on Merchants using Older Versions of osCommerce
April 29, 2011
Visa, the global payments technology company, recently circulated a notification warning merchants of a string of fraud attacks that target merchants using older versions of osCommerce software (version 2.2 and older) through unsecured web servers. Merchants should also be aware that if you have contracted a web hosting service provider that uses older versions of osCommerce to support its e-commerce shopping cart, you might unknowingly be exposed to such attacks.
“Through a documented exploit, fraudsters are able to identify and target merchants running vulnerable versions of this osCommerce software and compromise that software remotely. (The exploit can be found at www.exploit-db.com/exploits/15587/; a sample of the attack script and exploit code can be found by clicking here.) Once the software has been compromised, criminals can perpetrate fraud.
Specifically, fraudsters are targeting a vulnerability in the /admin/categories.php file that allows attackers to gain administrator-level access to the web server by uploading a PHP command shell remotely through modification of the $host and $path variable statements.
Once access has been obtained through the shell file, fraudsters have uncontrolled access to the web server and the data therein. They can then create and host fraudulent phishing pages to capture consumer data (such as primary account numbers, cardholders' names, cardholders' addresses and other personally identifiable information) or download additional hacking tools (such as sniffing software) to capture credentials.”
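As an added defender-side example that is not part of the Visa notification, the following Python script scans constructed Apache-style access log lines for POST requests to /admin/categories.php and for later requests, from the same client, for PHP scripts that are not in the install's known file inventory, the pattern left behind when a command shell is uploaded as the alert describes. The log format, the sample lines and the KNOWN_SCRIPTS set are assumptions; replace the set with the real file inventory of your own osCommerce deployment.

```python
import re

# Assumption: Apache common/combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the PHP scripts a legitimate install is expected to serve.
# Replace with an inventory generated from your own web root.
KNOWN_SCRIPTS = {
    "/index.php",
    "/product_info.php",
    "/admin/index.php",
    "/admin/categories.php",
}

# Constructed sample log lines (not taken from the alert or any real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2011:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.5 - - [29/Apr/2011:10:02:30 +0000] "POST /admin/categories.php HTTP/1.1" 200 311
203.0.113.5 - - [29/Apr/2011:10:02:41 +0000] "GET /images/cmd.php HTTP/1.1" 200 88
198.51.100.7 - - [29/Apr/2011:10:03:02 +0000] "GET /product_info.php?products_id=1 HTTP/1.1" 200 7040
"""


def find_suspicious(log_text, known_scripts=KNOWN_SCRIPTS):
    """Return findings: every POST to /admin/categories.php, plus any later
    successful request by the same client for a .php resource that is not in
    the known inventory (a possible uploaded web shell being used)."""
    posted = set()      # clients that have POSTed to the vulnerable script
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue    # skip lines that do not match the assumed format
        ip, ts, method, path, status = m.group("ip", "ts", "method", "path", "status")
        script = path.split("?", 1)[0]   # drop the query string
        if method == "POST" and script == "/admin/categories.php":
            posted.add(ip)
            findings.append({"ip": ip, "ts": ts, "kind": "admin_categories_post"})
        elif (ip in posted and script.endswith(".php")
              and script not in known_scripts and status == "200"):
            findings.append({"ip": ip, "ts": ts, "kind": "unknown_php_served",
                             "path": script})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

A hit of kind unknown_php_served is a cue to inspect the named file on disk and compare the web root against a clean copy of the application, not proof of compromise on its own.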
Fraud Attack Prevention Recommendations
Visa has made 3 recommendations to prevent fraud attacks:
- Safeguard the payment system by employing an e-commerce solution that is compliant with the Payment Application Data Security Standard (PA-DSS) and by ensuring that they are using the most up-to-date version of any e-commerce solution.
- Upgrade immediately to osCommerce version 2.3. (If you are using an older version of the osCommerce software, PA-DSS-validated e-commerce solutions are listed at www.pcisecuritystandards.org.)
- Install, configure and maintain your e-commerce solutions in a manner that is compliant with the Payment Card Industry Data Security Standard (PCI DSS). If you are using a web hosting service provider that has pre-installed e-commerce solutions, you should insist these solutions be PA-DSS compliant and be maintained in a PCI DSS-compliant manner at all times.