Microsoft: credit card skimmers change technique to hide their attacks

Image: hand holding credit card and wallet by laptop (Getty Images)

According to Microsoft, card-skimming malware is increasingly using malicious PHP scripts on web servers to manipulate checkout pages to bypass browser defenses triggered by JavaScript code.

Microsoft threat researchers have observed a change in the tactics used by card-skimming malware. Over the past decade, card skimming has been dominated by so-called Magecart malware, which relies on JavaScript code injected into payment pages to deliver malware that captures and steals payment card details.

Injecting JavaScript into front-end processes was “highly visible,” Microsoft notes, because it could trigger browser protections such as Content Security Policy (CSP), which prevent external scripts from loading. Attackers have found quieter techniques by targeting web servers with malicious PHP scripts.


In November 2021, Microsoft found two malicious image files, including a fake browser favicon, uploaded to a server hosted by Magento, a popular e-commerce platform.

The images contained an embedded PHP script which, by default, would not run on the affected web server. Once executed, the PHP script first checks, via cookies, that the web admin is not currently logged in, so that only shoppers are targeted.

Once the PHP script was executed, it retrieved the URL of the current page and searched for “payment” and “one page”, two keywords mapped to Magento’s payment page.

“Inserting the PHP script into an image file is interesting because, by default, the web server would not execute said code. Based on previous similar attacks, we believe the attacker used a PHP ‘include’ expression to include the image (which contains the PHP code) in the index page of the website, so that it loads automatically each time you visit the webpage,” Microsoft explained.
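A defender-side check for the pattern just described, added here as an example that is not part of Microsoft's report: it walks a web root, flags image files that contain a PHP open tag, and flags PHP files whose include/require statements point at image files. The sample web root, the file names and the harmless echo marker standing in for the payload are constructed for this example.

```python
import os
import re
import tempfile

IMAGE_EXT = {".ico", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
# A PHP open tag anywhere inside an image file is not something a real image needs.
PHP_OPEN = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# include/require (optionally _once) whose string argument ends in an image extension.
INCLUDE_IMG = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:ico|png|jpe?g|gif|svg|webp))['\"]",
    re.IGNORECASE,
)

def scan_webroot(root):
    """Return sorted (finding_type, detail) tuples for suspicious files under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_EXT and PHP_OPEN.search(data):
                findings.append(("php_in_image", rel))
            elif ext in (".php", ".phtml"):
                for m in INCLUDE_IMG.finditer(data.decode("utf-8", "replace")):
                    findings.append(("include_of_image", rel + " -> " + m.group(1)))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample: a clean favicon, a favicon carrying PHP, and an index.php including it."""
    root = tempfile.mkdtemp(prefix="skimscan_")
    ico_header = b"\x00\x00\x01\x00\x01\x00"  # minimal ICO header bytes
    with open(os.path.join(root, "favicon.ico"), "wb") as fh:
        fh.write(ico_header + b"\x00" * 32)
    # Benign stand-in for the embedded script: it only echoes a marker, no skimming logic.
    with open(os.path.join(root, "favicon_backup.ico"), "wb") as fh:
        fh.write(ico_header + b"\x00" * 8 + b"<?php echo 'marker'; ?>")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\ninclude 'favicon_backup.ico';\nrequire_once('lib/app.php');\n")
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "app.php"), "w") as fh:
        fh.write("<?php // application code\n")
    return root

if __name__ == "__main__":
    for kind, detail in scan_webroot(build_sample_webroot()):
        print(kind, detail)
```

Run it against a real document root to list image files carrying PHP tags and the PHP files that include them; a clean deployment should produce no findings.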

There has been an increase in the use of malicious PHP in card-skimming malware. Last week, the FBI warned of new cases of attackers using malicious PHP to infect US companies’ payment pages with web shells that give remote backdoor access to the web server. Security firm Sucuri found that 41% of new credit card skimming malware seen in 2021 was related to PHP skimmers targeting backend web servers.

Malwarebytes earlier this month said Magecart Group 12 was distributing new web shell malware that dynamically loads JavaScript skimming code via server-side requests to online stores.

“This technique is interesting because most client-side security tools will not be able to detect or block the skimmer,” noted Jerome Segura of Malwarebytes.

“Unlike previous incidents where a fake favicon image was used to obfuscate malicious JavaScript code, this turned out to be a PHP web shell.”

But malicious JavaScript is still part of the card-skimming game. For example, Microsoft found JavaScript-based card-skimming malware that spoofs Google Analytics and Meta Pixel (formerly Facebook Pixel), which can trick administrators into believing that the scripts are benign.
