In November 2021, Microsoft found two malicious image files, including a fake browser favicon, uploaded to a server hosted by Magento. Magento is a popular e-commerce platform.
The images contained an embedded PHP script which, by default, would not run on the affected web server. Instead, the PHP script only runs after confirming, via cookies, that the web admin is not currently logged in, so that only buyers are targeted.
Once the PHP script was executed, it retrieved the URL of the current page and searched for “payment” and “one page”, two keywords mapped to Magento’s payment page.
“Inserting the PHP script into an image file is interesting because, by default, the web server would not execute said code. Based on previous similar attacks, we believe the attacker used a PHP expression ‘include ‘ to include the image (which contains the PHP code) in the index page of the website, so that it loads automatically each time you visit the webpage,” Microsoft explained.
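The technique above leaves two artifacts a defender can look for: an image file whose bytes contain a PHP open tag, and a PHP source file that passes an image path to `include` or `require`. The following Python script is an added example written for this article, not code from Microsoft or from the Magento project; the sample favicon bytes and the `index.php` snippet it scans are constructed here to exercise the checks, and the trigger strings it looks for beyond the PHP tag (`$_COOKIE`, `$_SERVER`, the two keywords named above) are an assumption about what such a script would reference.

```python
import re
from typing import Dict, List, Optional

# Leading bytes that identify a few common image formats.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x00\x00\x01\x00": "ico",
}

# A PHP open tag has no business inside image data.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# Strings worth reporting once a PHP tag is found (assumed indicators:
# cookie check, request URL lookup, the page keywords from the article).
SUSPICIOUS_STRINGS = [b"$_COOKIE", b"$_SERVER", b"payment", b"onepage",
                      b"one page", b"base64_decode"]

# include/require of a file with an image extension inside PHP source.
INCLUDE_IMAGE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]"
    r"([^'\"]+\.(?:ico|png|gif|jpe?g|bmp|svg))['\"]",
    re.IGNORECASE,
)


def image_format(data: bytes) -> Optional[str]:
    """Return the image format implied by the magic bytes, or None."""
    for magic, fmt in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def scan_image_bytes(name: str, data: bytes) -> List[str]:
    """Return findings for one image blob; an empty list means nothing found."""
    findings: List[str] = []
    if image_format(data) is None:
        findings.append(f"{name}: no recognised image header")
    if PHP_OPEN_TAG.search(data):
        findings.append(f"{name}: PHP open tag inside image data")
        for s in SUSPICIOUS_STRINGS:
            if s in data:
                findings.append(f"{name}: contains {s.decode()}")
    return findings


def find_image_includes(php_source: str) -> List[str]:
    """Return image paths that PHP source includes or requires."""
    return INCLUDE_IMAGE.findall(php_source)


def scan_site(images: Dict[str, bytes], php_files: Dict[str, str]) -> List[str]:
    """Run both checks over an in-memory snapshot of a web root."""
    findings: List[str] = []
    for name, data in images.items():
        findings.extend(scan_image_bytes(name, data))
    for name, src in php_files.items():
        for path in find_image_includes(src):
            findings.append(f"{name}: includes image file {path}")
    return findings


# Constructed samples: a plain ICO header and one with a PHP block appended.
ICO_HEADER = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00" + b"\x00" * 20
CLEAN_FAVICON = ICO_HEADER + b"\x00" * 40
TAINTED_FAVICON = ICO_HEADER + (
    b"<?php if (!isset($_COOKIE['adminhtml'])) { $u = $_SERVER['REQUEST_URI'];"
    b" if (strpos($u, 'onepage') !== false) { /* body omitted */ } } ?>"
)
INDEX_PHP = "<?php\nrequire 'app/bootstrap.php';\ninclude 'media/favicon.ico';\n"

if __name__ == "__main__":
    for line in scan_site(
        {"clean.ico": CLEAN_FAVICON, "favicon.ico": TAINTED_FAVICON},
        {"index.php": INDEX_PHP},
    ):
        print(line)
```

The scan is deliberately simple: it reads whole files, so on a real web root it should be pointed at the media and skin directories and at the PHP entry points rather than at every file, and a hit on the include check is a stronger signal than a PHP tag alone, since some image formats can legitimately carry arbitrary text in metadata chunks.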
There has been an increase in the use of malicious PHP in card skimming malware. Last week, the FBI warned of new cases of attackers using malicious PHP to infect US companies’ payment pages with webshells for remote backdoor access to the web server. Security firm Sucuri found that 41% of new credit card skimming malware seen in 2021 were related to PHP skimmers targeting backend web servers.
“This technique is interesting because most client-side security tools will not be able to detect or block the skimmer,” noted Jerome Segura of Malwarebytes.