A new FLASH report from the FBI warns about cyber actors scraping credit card data from compromised online checkout pages from US businesses.
It all starts with a compromise
According to the FBI, a US business was targeted in September 2020 by an unidentified threat actor, who inserted malicious PHP code into the checkout page of the targeted company website.
The checkout page was modified to include a link to another piece of code named “cart_required_files.php.” That file, in turn, led to another malicious PHP script dubbed “TempOrders.php” which contained code to scrape and exfiltrate unsuspecting customer data from the shopping cart. Every user buying something on that compromised website would unwittingly send their credit card data to the fraudsters.
SEE: Mobile device security policy (TechRepublic Premium)
The way data was sent to the fraudsters consisted of establishing a connection and sending the data to a spoofed card processing domain, authorizen.net. The domain name is very similar to a legitimate card processing company’s domain, authorize.net.
As found by TechRepublic, the fraudulent domain has been registered in December 2016, and suspicious Internet users have reported fraudulent use of it since at least November 2018. The hosting of authorizen.net has changed a few times since 2016, on Russian and Romanian servers only.
More backdoors and tools
The threat actor installed two different backdoors on the compromised website.
The first backdoor consisted of inserting one line of code in the login process of the website. Upon execution, the system would download a fully functional PAS web shell onto the affected company’s web server, according to the FBI. The PAS web shell, also known as Fobushell, was created by a Ukrainian developer nicknamed Profexer and has been around since 2016. A modified version can be found online. The web shell is made of some thousands of lines of PHP code, providing a comfortable interface to the attackers directly on the victims website (Figure A).
The second backdoor installed by the unknown threat actor used a regular expression to insert and execute code submitted as an HTTP request variable named “u” (Figure B).
Another web shell named B374K was used by the threat actor for backdooring purposes. Once again, it is possible to find this web shell on the Internet, making it easy for any cybercriminal to own and use it.
The attacker also used a legitimate tool named Adminer, a PHP-based database handling tool. The tool can be used to manage MySQL database content.
Credit card skimming is a growing trend
An increasing number of threat actors are specializing in this type of cybercrime. Magecart, for example, is a group of actors targeting thousands of websites in order to collect credit card data, active since 2016.
Skimming activity has also increased lately because of the availability of skimming kits at relatively low prices. Recent research revealed that the CaramelCorp skimming service provided a lifetime subscription for $2,000 USD, making it easier for low technical level cybercriminals to enter the game and start collecting credit card numbers for further fraud and money theft.
How to protect from the threat
As usual, the first recommendation is to update and patch operating systems and all software and code that is running on the website. This will greatly decrease the odds of being compromised with a known vulnerability.
Dave Cundiff, CISO at Cyvatar, told TechRepublic that “continually verifying and monitoring an organization’s fundamental cybersecurity is a requirement these days. If the fundamentals of an organization’s security are not strong, then the additional complexity of any additional security is useless. Almost all of the attacks or compromises we have been tracking over the last couple of years could have been prevented or at least had the impact greatly reduced by following the basic hygiene approach of fundamental security.”
A careful monitoring of the web applications and server should also be done in order to detect unauthorized access or anomalous activities on the web server.
Multi-factor authentication should also be set up for every employee who needs to access any part of the web server or data handled by the web server. Default credentials, if any, should also be completely removed.
Permanent web content integrity checks also need to be done, and content filtering and file monitoring security solutions should be deployed. Since the threat actors are systematically modifying legitimate scripts from the website to deploy their backdoors or enable credit card data theft, any change on a static file out of any update process should be immediately flagged and investigated. A special focus should be applied on scripts, like PHP, JS or ASPX files. Any new file created on the web server should raise an alarm and should be investigated.
Ron Bradley, vice president at Shared Assessments, insists that “If you’re running a website, especially one which transacts funds, and if you don’t have FIM implemented, then I don’t want to shop there. Furthermore, you’re going to get pummeled by bad actors because you don’t have your house in order. It’s a well-known fact credit card data has always been one of the crown jewels for fraudsters. It’s fascinating to me when a business has card data compromised while battle tested measures could easily have been put in place. Understanding the technical controls your organization and associated parties have in place to defend against fundamental attacks is an imperative in the world of e-commerce.”
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.