Attackers are manipulating e-commerce checkout websites and capturing payment card information by utilising picture files with a concealed malicious PHP script. According to Microsoft, card-skimming malware is increasingly employing malicious PHP scripts on web servers to modify payment sites and circumvent browser safeguards activated by JavaScript code.
Card-skimming malware has changed its approach, according to Microsoft threat analysts. Card skimming has been dominated over the past decade by the so-called Magecart malware, which uses JavaScript code to inject scripts into checkout pages and transmit malware that grabs and steals payment card information.
Injecting JavaScript into front-end processes was very conspicuous, according to Microsoft, because it might have triggered browser defences such as Content Security Policy (CSP), which prevents external scripts from loading.
By attacking web servers with malicious PHP scripts, attackers discovered a less noisy method. In November 2021, Microsoft discovered two malicious image files on a Magento-hosted server, one of which was a fake browser favicon. Magento is a well-known e-commerce system.
The images included an embedded PHP script, which did not run on the compromised web server by default. Instead, in order to only target shoppers, the PHP script only starts after validating via cookies that the web admin is not currently signed-in.
The PHP script obtained the current page's URL and looked for the keywords "checkout" and "one page," which are linked to Magneto's checkout page.
"The insertion of the PHP script in an image file is interesting because, by default, the webserver wouldn't run the said code. Based on previous similar attacks, we believe that the attacker used a PHP 'include' expression to include the image (that contains the PHP code) in the website's index page, so that it automatically loads at every webpage visit," Microsoft explained.
Malicious PHP is increasingly being used in card-skimming malware. Last week, the FBI issued a warning about new examples of card-skimming attackers infecting US business checkout sites with web shells for backdoor remote access to the webserver using malicious PHP. Sucuri discovered that PHP skimmers targeting backend web servers were responsible for 41% of new credit card-skimming malware discovered in 2021. Magecart Group 12 is distributing new web shell malware, according to Malwarebytes, that dynamically loads JavaScript skimming code via server-side requests to online merchants.
Malwarebytes' Jérôme Segura noted, "This technique is interesting as most client-side security tools will not be able to detect or block the skimmer. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell."
However, dangerous JavaScript is still used to skim cards. Card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (previously Facebook Pixel) scripts, for example, was discovered by Microsoft.
