FBI: Hackers Injected Malicious PHP Code Into Online Checkout Pages to Scrape Credit Card Data

The Federal Bureau of Investigation (FBI) warned on May 16, 2022, that threat actors scraped credit card data from a US business by injecting malicious Hypertext Preprocessor (PHP) code into its online checkout pages.

The attackers collected credit card data from January 2022 and sent it to a threat actor-controlled server that spoofed a legitimate card processing server.

Additionally, the unidentified cyber actors gained backdoor access to the victim by modifying two scripts on the business’ online checkout page.

They exploited a debugging and data transfer function, causing the system to download two web shells for further exploitation.

PHP code leads in credit card data skimming from online checkout pages

While JavaScript-based Magecart card-skimming attacks on online checkout pages have received more attention in recent years, malicious PHP code remains the main source of card skimming activity.

According to cybersecurity firm Sucuri, 41% of credit card skimming on online checkout forms originated from malicious PHP code. Additionally, Sucuri discovered that the dependence on PHP code for credit card skimming activity was increasing.

Unlike client-side JavaScript, PHP runs on the server side and can access backend functions, which gives the attackers far more control over the application.

Access to the server’s file system also lets attackers move laterally into co-hosted websites and adjacent directories. Moreover, PHP is widely supported on hosting platforms and can easily be used to plant web shells.

The FBI did not disclose the number of victims compromised via malicious PHP code. However, the bureau revealed that the attackers have tried scraping credit card data using PHP code from US businesses since September 2020.

The FBI’s disclosure suggests that the number of victims compromised via malicious PHP code on online checkout pages is likely high.

FBI’s recommendations on mitigating online threats

The FBI recommended using the Secure Sockets Layer (SSL) protocol for information transfer, changing default login credentials, and reviewing requests made against online e-commerce systems to identify malicious activity.

Additionally, the bureau recommended segmenting network systems to prevent the spread of infection during successful breaches and only downloading third-party software from trusted sites.

The FBI also advised organizations to patch systems for critical vulnerabilities, monitor logs for unauthorized access, strengthen credential requirements, and enable multi-factor authentication.

Conducting regular backups and implementing an incident response plan would also assist organizations in tackling cyber threats.

The federal law enforcement agency encouraged victims to report suspected cybersecurity incidents to their FBI local field office.

Kunal Modasiya, senior director of product management at PerimeterX, said the incident was another attempt at stealing personal and payment information for fraud.

“This FBI warning is one that US businesses should take very seriously,” Modasiya said. “A Magecart attack whereby bad actors scraped online credit card data by injecting malicious PHP code into the checkout page is yet another way to steal customers’ PII and payment data, abuse account information and commit fraud.”

He advised businesses to look “beyond server-side security tools” and adopt other measures such as static code analysis, external scanners, and the limitation of CSP solutions.

“Businesses must employ a holistic solution that provides real-time visibility and control into their client-side supply chain attack surface,” he added. “It should also identify vulnerabilities, detect anomalous behavior of JavaScripts and communication to suspicious domains, and proactively mitigate the risk of stolen customer data.”


Ron Bradley, VP at Shared Assessments, advised website owners to implement File Integrity Monitoring (FIM) to avoid becoming victims of credit card data skimming.

“It’s a well-known fact credit card data has always been one of the crown jewels for fraudsters,” Bradley said. “It’s fascinating to me when a business has card data compromised while battle tested measures could easily have been put in place.”
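As an added illustration of the file integrity monitoring Bradley recommends (example code written for this page, not from the FBI bulletin or either vendor), the script below hashes the PHP files under a web root, keeps a baseline, and reports scripts that were modified or newly added, which is how the altered checkout scripts and dropped web shells described above would surface. The directory layout, file names and watched extensions are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of server-side script extensions worth baselining; a changed
# checkout script or a newly dropped .php file is the signal to alert on.
WATCHED_SUFFIXES = {".php", ".phtml", ".inc"}


def snapshot(root: str) -> dict:
    """Return {relative POSIX path: sha256 hex} for every watched file under root."""
    root_path = Path(root)
    digests = {}
    for path in root_path.rglob("*"):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            rel = path.relative_to(root_path).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare a known-good baseline against a fresh scan of the same tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline of a small web root, then tamper
    with the checkout handler and drop an unexpected file beside it."""
    with tempfile.TemporaryDirectory() as root:
        checkout = Path(root, "checkout", "index.php")
        checkout.parent.mkdir(parents=True)
        checkout.write_text("<?php /* original checkout handler */ ?>\n")
        Path(root, "config.php").write_text("<?php $db = 'prod'; ?>\n")
        baseline = snapshot(root)  # would normally be stored off-host at deploy time
        checkout.write_text("<?php /* original handler */ /* appended block */ ?>\n")
        Path(root, "checkout", "s.php").write_text("<?php /* file not in the deploy */ ?>\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline must live somewhere the web server account cannot write, and a non-empty `added` or `modified` list for the checkout path should page an on-call engineer rather than just log.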
