Web shells are scripts or programs that threat actors deploy to gain and maintain access to hacked servers, remotely execute arbitrary code or commands, move laterally within a target’s network, or deliver additional malicious payloads.

Over the last year, VISA noticed a growing trend of web shells being used to inject JavaScript-based scripts, also known as credit card skimmers, into hacked online stores during web skimming attacks.

Another study, led by Microsoft and based on data collected from 46,000 distinct devices in the second part of 2019, detected an average of 77,000 web shells each month.



Once deployed, the skimmers steal the payment and personal information submitted by the compromised online stores’ customers and send it to servers under the attackers’ control.

Throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many eSkimming attacks used web shells to establish a command and control (C2) during the attacks.

PFD confirmed at least 45 eSkimming attacks in 2020 using web shells, and security researchers similarly noted increasing web shell use across the wider information security threat landscape.


It seems that web shells were mostly used by Magecart threat actors. The attackers used this technique to backdoor hacked online store servers and set up a command-and-control infrastructure that allowed them to exfiltrate the stolen credit card info.

The hackers were using multiple methods to breach the online shops’ servers, like vulnerabilities in unsecured administrative infrastructure, eCommerce-related application/website plugins, and outdated/unpatched eCommerce platforms.

VISA’s findings were confirmed by the Microsoft Defender Advanced Threat Protection (ATP) team, who said that the number of web shells deployed on compromised servers has almost doubled since last year.

The escalating prevalence of web shells may be attributed to how simple and effective they can be for attackers. A web shell is typically a small piece of malicious code written in typical web development programming languages (e.g., ASP, PHP, JSP) that attackers implant on web servers to provide remote access and code execution to server functions. Web shells allow attackers to run commands on servers to steal data or use the server as a launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on keyboard activity, while allowing attackers to persist in an affected organization.


Here are some actions that organizations can take in order to be better prepared against these types of attacks:

  • Identify and fix any vulnerabilities or misconfiguration found in web applications and web servers;
  • Implement the proper segmentation of your perimeter network;
  • Enable antivirus protection on web servers;
  • Audit and review logs from web servers frequently;
  • Check your perimeter firewall and proxy and restrict unnecessary access to services;
  • Practice good credential hygiene.
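
One way to act on the log-review recommendation above, as an added example that is not from Visa, Microsoft or the original article: a small Python triage script that reads web server access logs and flags server-side scripts whose access pattern resembles a web shell. It assumes Combined Log Format; the directory names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")
# Assumption: directories that should only hold static or uploaded content.
STATIC_DIRS = ("/uploads/", "/media/", "/images/")

def suspicious_scripts(lines, max_clients=2, min_post_ratio=0.8):
    """Map script path -> reasons its access pattern looks like a web shell."""
    stats = defaultdict(lambda: {"ips": set(), "hits": 0, "posts": 0, "refs": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue  # unparsable line or failed request (scanner noise)
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(SCRIPT_EXT):
            continue
        s = stats[path]
        s["ips"].add(m["ip"])
        s["hits"] += 1
        s["posts"] += m["method"] == "POST"
        s["refs"] += m["referer"] not in ("", "-")
    findings = {}
    for path, s in stats.items():
        reasons = []
        if any(d in path for d in STATIC_DIRS):
            reasons.append("script served from a static/upload directory")
        post_ratio = s["posts"] / s["hits"]
        if len(s["ips"]) <= max_clients and s["refs"] == 0 and post_ratio >= min_post_ratio:
            reasons.append("few clients, POST-heavy, no referer")
        if reasons:
            findings[path] = reasons
    return findings

# Constructed sample log (documentation IP ranges, made-up paths).
T = "[10/Mar/2021:10:00:00 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {T} "GET /index.php HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0"',
    f'203.0.113.9 - - {T} "POST /checkout.php HTTP/1.1" 200 812 "https://shop.example/cart.php" "Mozilla/5.0"',
    f'192.0.2.44 - - {T} "POST /media/catalog/thumb.php HTTP/1.1" 200 64 "-" "curl/7.68.0"',
    f'192.0.2.44 - - {T} "POST /includes/cfg.php?x=1 HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    f'203.0.113.50 - - {T} "GET /uploads/test.php HTTP/1.1" 404 196 "-" "-"',
]

if __name__ == "__main__":
    for path, reasons in suspicious_scripts(SAMPLE_LOG).items():
        print(path, "->", "; ".join(reasons))
```

Findings are leads for review, not verdicts: compare each flagged path against the application's known file list before treating it as a web shell.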
