The developers of Magento are investigating reports of sites being targeted by the Guruincsite Malware, specifically the Neutrino Exploit Kit, and are working with developers, community members and hosting providers to identify any possible new attack vectors.
So far, Magento has found that almost all of the affected sites were vulnerable to a code execution issue which has been around since early 2015, and for which a patch is already available. Sites which were not vulnerable to that specific issue were vulnerable to other (also patchable) issues, or had clear vulnerabilities such as leftover demo accounts or fake user accounts, which left them open to attack.
Magento is advising merchants to perform an audit of their sites to ensure that they are following security best practices, and to check that they are up to date with the latest patches. They are also advising all website owners to scan for Guruincsite, because if their site was compromised before they installed the patch, then any fake admin accounts would remain and they would still be vulnerable to attacks by the malware.
Make sure that any unused accounts, including accounts that were created as part of sample data installations, are removed from your database, and use the free MageReport service to check for any unpatched vulnerabilities. In addition, check the list of patches published by Magento and make sure that you have, at the very least, all of the security patches.
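One way to list admin accounts for the audit described above, as an added example that is not from Magento or the original article. It assumes a Magento 1.x MySQL database with the default schema and no table prefix (tables admin_user and admin_role); the 90-day cutoff is an arbitrary choice.

```sql
-- Read-only review of Magento admin accounts (added example).
-- Assumptions: Magento 1.x default schema, no table prefix, MySQL.
-- The 90-day threshold is an arbitrary choice; adjust it to your own policy.
SELECT
    u.user_id,
    u.username,
    u.email,
    u.created,      -- when the account was created
    u.logdate,      -- last successful admin login (NULL if none recorded)
    u.lognum,       -- number of logins recorded
    u.is_active,
    g.role_name,    -- role group the account belongs to
    CASE
        WHEN u.logdate IS NULL OR u.lognum = 0
            THEN 'never logged in'
        WHEN u.logdate < NOW() - INTERVAL 90 DAY
            THEN 'no login in 90 days'
        ELSE 'recently used'
    END AS review_flag
FROM admin_user AS u
-- In admin_role, a row with role_type = 'U' links a user to a group row
-- (role_type = 'G') through parent_id.
LEFT JOIN admin_role AS ur
       ON ur.user_id = u.user_id AND ur.role_type = 'U'
LEFT JOIN admin_role AS g
       ON g.role_id = ur.parent_id AND g.role_type = 'G'
-- Newest accounts first: an account created around the time the site was
-- unpatched, and that nobody on the team recognises, needs a closer look.
ORDER BY u.created DESC;
```

Every row should map to a person who still needs admin access; anything left over from sample data or that nobody recognises is a candidate for removal.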
Magento’s developers are extremely proactive when it comes to publishing security updates, but a huge percentage of Magento users, in particular those who have the community edition, are failing to install updates in a timely fashion. Hackers can easily bulk scan domain names looking for vulnerable websites, and many attacks are automated and opportunistic rather than deliberately aimed at a specific store, so it is vital that patches are installed promptly.
Obscurity is not enough to protect websites. A site that is online and vulnerable will eventually be discovered by an automated scanner and exploited, simply because it is possible to do so. It is important that this message is repeated to as wide an audience as possible so that people understand how important security really is.