Malicious PHP Code Used to Steal Banking Information, FBI Said

The law enforcement agency has issued an alert that malicious actors are scraping credit card information from the checkout pages of American companies’ websites.

As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server.

The “unidentified cyber actors” also allegedly gained backdoor access to the target’s system by altering two files on the checkout page.

In the past few years, JavaScript-based Magecart card-skimming incidents have been the primary threat to e-commerce websites, and yet PHP code continues to be a significant source of card-skimming activity.

New Moves

In September 2020, the threat actors started attacking US organizations by inserting malicious PHP code into personalized online checkout pages. However, the attackers switched gears earlier this year, employing a distinct PHP feature.

As explained by ZDNet, the attackers use a debugging feature to create a basic backdoor that lets the system download two webshells onto the US company’s web server, giving them backdoors for additional exploitation.
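The activity described above leaves two kinds of traces on disk: existing checkout files whose contents change, and new PHP files that were never part of the site's release. The following is an added example, not code from the FBI alert or from this article, of a file-integrity check that reports both by comparing a web root against a known-good hash baseline; the directory layout and file names are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def snapshot(root, exts=(".php",)):
    """Return {relative path: SHA-256} for every PHP file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare(baseline, current):
    """Report files whose content changed and files that are new or gone."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed web root: two files change and two PHP files appear."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("checkout/index.php", "checkout/payment.php", "lib/util.php"):
            _write(root, rel, "<?php // known-good release content\n")
        # Assumption: in practice the baseline is taken at deploy time and
        # stored off the web server, where a server compromise cannot edit it.
        baseline = snapshot(root)
        _write(root, "checkout/index.php", "<?php // differs from release\n")
        _write(root, "checkout/payment.php", "<?php // differs from release\n")
        _write(root, "uploads/new1.php", "<?php // not part of the release\n")
        _write(root, "uploads/new2.php", "<?php // not part of the release\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Any entry under `modified` or `added` that does not match a planned deployment is worth investigating, since legitimate releases change these files only at known times.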

FBI Recommends Mitigation Steps:

Mitigations suggested by the
