Contents:
The law enforcement agency has issued an alert that malicious actors are scraping credit card information from the checkout pages of American companies’ websites.
As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server.
Allegedly, the “unidentified cyber actors” also gained backdoor access to the system of the target by altering two files on the checkout page.
In the past few years, JavaScript-based Magecart card-skimming incidents have been the primary threat to e-commerce websites, and yet PHP code continues to be a significant source of card-skimming activity.
New Moves
In September 2020, the threat actors started attacking US organizations by inserting malicious PHP code into personalized online checkout pages. However, the attackers switched gears earlier this year, employing a distinct PHP feature.
As explained by ZDNet, using a debugging feature, the hackers create a basic backdoor that enables the system to download two webshells onto the US company’s web server, providing backdoors for additional exploitation.
FBI Recommends Mitigation Steps:
Mitigations suggested by the FBI include:
- changing default login information on all systems,
- keeping an eye on requests made against your e-commerce environment in order to detect possible malicious behavior,
- separating and segmenting network systems to restrict the ease with which malicious hackers can move from one to another,
- protecting all websites that send confidential data using the secure socket layer (SSL) protocol.
Security researchers at Sucuri discovered that PHP backend credit card skimmers accounted for 41% of new credit card skimming malware samples in 2021. This suggested that scanning for frontend JavaScript infections alone might miss a lot of credit card skimming malware.
They explained that webshell backdoors grant hackers complete access to the webpage file system, frequently offering a comprehensive picture of the environment, including the server OS and PHP variants, as well as powerful capabilities to modify file permissions and advance into adjoining sites and folders.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.