Malicious PHP Code Used to Steal Banking Information, FBI Said
What Are the FBI’s Recommended Mitigations?
The law enforcement agency has issued an alert that malicious actors are scraping credit card information from the checkout pages of American companies’ websites.
As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server.
Allegedly, the “unidentified cyber actors” also gained backdoor access to the system of the target by altering two files on the checkout page.
In September 2020, the threat actors started attacking US organizations by inserting malicious PHP code into personalized online checkout pages. However, the attackers switched gears earlier this year, employing a distinct PHP feature.
As explained by ZDNet, using a debugging feature, the hackers create a basic backdoor that enables the system to download two webshells onto the US company’s web server, providing backdoors for additional exploitation.
FBI Recommends Mitigation Steps:
Mitigations suggested by the FBI include:
- changing default login information on all systems,
- keeping an eye on requests made against your e-commerce environment in order to detect possible malicious behavior,
- separating and segmenting network systems to restrict the ease with which malicious hackers can move from one to another,
- protecting all websites that send confidential data using the secure socket layer (SSL) protocol.
They explained that webshell backdoors grant hackers complete access to the webpage file system, frequently offering a comprehensive picture of the environment, including the server OS and PHP variants, as well as powerful capabilities to modify file permissions and advance into adjoining sites and folders.