FBI: Hackers used malicious PHP code to grab credit card data

Unidentified attackers accessed credit card data and created a backdoor into the victim's systems, says law enforcement agency.
Written by Liam Tung, Contributing Writer

The Federal Bureau of Investigations (FBI) is warning that someone is scraping credit card data from the checkout pages of US businesses' websites. 

"As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business' online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server," the FBI said in an alert.

It said the "unidentified cyber actors" also established backdoor access to the victim's system by modifying two files within the checkout page. 

SEE: Just in time? Bosses are finally waking up to the cybersecurity threat

JavaScript-based Magecart card-skimming attacks have been the main threat to e-commerce sites in recent years, but PHP code remains a major source of card skimming activity. 

The attackers began targeting US businesses in September 2020 by inserting malicious PHP code into the customized online checkout pages. But earlier this year, the actors changed tactics using a different PHP function.  

The actors create a basic backdoor using a debugging function that allows the system to download two webshells onto the US firm's web server, giving the attackers backdoors for further exploitation. 

The FBI's recommended mitigations include changing default login credentials on all systems, monitoring requests performed against your e-commerce environment to identify possible malicious activity, segregating and segmenting network systems to limit how easily cyber criminals can move from one to another, and securing all websites transferring sensitive information by using secure socket layer (SSL) protocol.

Security firm Sucuri observed that 41% of new credit card skimming malware samples in 2021 were from PHP backend credit card skimmers. This suggested that solely scanning for frontend JavaScript infections could be missing a large proportion of credit card skimming malware. 

As Sucuri explains, webshell backdoors give attackers full access to the website file system, often providing a full picture of the environment, including the server operating system and PHP versions, as well powerful functionality to change permissions of files and move into adjacent websites and directories. Webshells accounted for 19% of 400 new malware signatures gathered by Sucuri in 2021. The firm saw a "hugely disproportionate" rise in signatures in 2021 for PHP-based credit card stealers impacting e-commerce platforms Magento, WordPress and OpenCart.   

Editorial standards