Microsoft has published a report from its security researchers on payment card skimming malware, noting that threat actors increasingly rely on malicious PHP scripts to tamper with payment flows and evade online security controls. The finding marks a shift away from Magecart malware and the other skimming tools that have been widely used over the last decade.
In late 2021, Microsoft researchers found two malicious image files, one of them a fake browser favicon, uploaded to a server running the Magento e-commerce platform. According to the report, both images carried an embedded PHP script that is not executed by default when the file is served as an image, which is how it could sit unnoticed on the web server.
The script runs only after inspecting the browser's cookies to confirm that the store administrator is not logged in; as Microsoft's researchers observed, it targets shoppers alone.
Once the PHP script runs, it retrieves the URL of the current page and searches it for the keywords "checkout" and "onepage", the two strings that identify Magento's payment page. The researchers believe the attackers behind campaigns like this use a PHP include statement to load the image carrying the malicious code, so that it is pulled in automatically on every visit to the compromised site.
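The polyglot trick described above (an image that is harmless when served as an image but carries PHP that runs once a PHP file includes it) is straightforward to hunt for on a Magento host. The scanner below is an added example written for this page, not code from Microsoft's report or from the Magento project. It walks a directory, flags any file whose magic bytes identify an image but which also contains a PHP open tag, and reports which of the traits described in the article the embedded code shows (cookie gating, a checkout/onepage URL check, harvesting of POSTed form fields). The favicon bytes and the payload skeleton are constructed here; the cookie name admin_session is a placeholder, not the name the real sample checked.

```python
"""Find image/PHP polyglots of the kind the article describes (added example)."""
import re
from pathlib import Path

# Magic bytes of image formats a web server serves without a second look.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x00\x00\x01\x00": "ico",
}

# A genuine image never needs a PHP open tag anywhere in its body.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")

# Behavioural indicators taken from the article: the script reads cookies to
# skip the admin, checks the URL for Magento's checkout page, and reads the
# submitted form. Obfuscation helpers are a common extra signal.
INDICATORS = {
    "cookie_gating": re.compile(rb"\$_COOKIE\b"),
    "checkout_page_check": re.compile(rb"checkout|onepage", re.IGNORECASE),
    "form_harvest": re.compile(rb"\$_POST\b"),
    "obfuscation": re.compile(rb"\b(?:eval|base64_decode|gzinflate)\s*\(", re.IGNORECASE),
}


def image_type(data: bytes):
    """Return the image format implied by the file's magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_bytes(data: bytes) -> dict:
    """Report whether a blob is an image/PHP polyglot and which traits the PHP shows."""
    kind = image_type(data)
    tag = PHP_OPEN_TAG.search(data)
    result = {
        "image_type": kind,
        "php_offset": tag.start() if tag else None,
        "indicators": [],
    }
    if tag:
        payload = data[tag.start():]
        result["indicators"] = [name for name, rx in INDICATORS.items() if rx.search(payload)]
    # Only an image with PHP inside it counts as a polyglot; a bare .php file is
    # a job for a different check.
    result["polyglot"] = kind is not None and tag is not None
    return result


def scan_directory(root) -> list:
    """Scan every regular file under root and return the polyglots found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            res = scan_bytes(path.read_bytes())
            if res["polyglot"]:
                res["path"] = str(path)
                findings.append(res)
    return findings


# Constructed samples (not the files from the report): a minimal ICO header
# with zero-filled pixel data, and the same header with PHP appended.
CLEAN_FAVICON = (
    b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 64
)

# Hypothetical payload skeleton mirroring the gating logic the article
# describes; the cookie name and the harvesting body are placeholders.
PAYLOAD = b"""<?php
if (isset($_COOKIE['admin_session'])) { return; }   // skip the logged-in admin
$uri = $_SERVER['REQUEST_URI'];
if (strpos($uri, 'checkout') === false && strpos($uri, 'onepage') === false) { return; }
if (!empty($_POST)) { /* collect card fields and forward them */ }
?>"""
MALICIOUS_FAVICON = CLEAN_FAVICON + PAYLOAD


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_FAVICON), ("polyglot", MALICIOUS_FAVICON)):
        print(label, scan_bytes(blob))
```

Point scan_directory at the directory that holds uploaded media (pub/media on a Magento 2 install) rather than the whole document root, so legitimate PHP files do not drown the results. The scan only catches a plaintext open tag; a payload that is base64-encoded before being written into the image will pass it, so pair it with a search of the PHP code base for include or require statements whose argument is an image path, since the include is the part the attacker cannot hide inside the image. The underlying hardening is to never let PHP include files from a directory that uploads can reach.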
Campaigns like this one have contributed to a notable rise in the use of malicious PHP for payment card theft. In recent days, U.S. authorities issued an alert about the injection of web shells that give attackers remote access to hundreds of e-commerce sites.