Websites using osCommerce software--an open source online shop e-commerce app--are under a large-scale injection attack, said Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) recently.

In a recent proactive information security monitoring operation, HKCERT observed that more than 90,000 Web pages were infected globally, with more than 2,000 pages in Hong Kong being infected. The number of infected pages is still on the rise, according to HKCERT.

Compromised websites are injected with malicious hyperlinks, which in turn redirect visiting users of such websites to other malicious websites, said HKCERT, adding that users' machines may be infected with the malware subsequently.

HKCERT said it has already issued notice and security bulletin about the vulnerability, with details on ways to detect the attack and recovery.

As a preventive measure and best practice in information security, HKCERT said website administrators using osCommerce to check their webpages and databases, and set password to protect the administration directory (/admin/) of their systems using the .htaccess file.

HKCERT also warns users of online shopping websites to beware of the potential risk. "They should always maintain their security patch up to date, use anti-malware software and the latest version of browsers, disable Javascript in browsers, and turn on personal firewalls," said the organization. "Online shoppers should not visit any unsolicited websites."