The Federal Bureau of Investigation (FBI) has warned that an unknown threat actor is scraping credit card data from the checkout process of US businesses. The campaign, which targets the e-commerce industry, injects malicious PHP: Hypertext Preprocessor (PHP) code into the business' online checkout page. The information customers enter is then forwarded to an actor-controlled server that spoofed a legitimate card processing server, according to the FBI. In addition to the card scraping, the actors also established backdoor access into at least one victim's system by modifying files within the page.
Although JavaScript-based Magecart card skimming attacks have become more prevalent over the past few years, PHP code remains a major source of card skimming activity for cyberattackers. The campaign began targeting US businesses in September 2020, according to the FBI, but recently changed tactics to use a different PHP function. The threat actors created the backdoor by using a debugging function that allows the system to download two webshells onto the server. The FBI has recommended that e-commerce sites mitigate the risk posed by this campaign by changing the default login credentials on all systems and by monitoring accounts.
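Both techniques the FBI describes (a checkout page altered to carry skimmer code, and files dropped on the server to serve as a backdoor) leave a trace the site operator can check for: a PHP file whose contents changed, or a PHP file that was never deployed. The following is an added example, not code from the FBI notice or the article it summarizes, of a minimal file-integrity check that records SHA-256 hashes of the PHP files under a web root as a baseline and later reports modified, added and removed files. The directory layout, file names and file contents are constructed for the demonstration; a real deployment would store the baseline outside the web root and run the comparison on a schedule.

```python
"""
Added example (not from the FBI notice or the article): a minimal
file-integrity check for a PHP web root. It records SHA-256 hashes of all
.php files as a baseline, then reports files that were later modified (for
instance a checkout page with injected code) or newly added (for instance a
dropped webshell). All paths and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path, suffixes=(".php",)) -> dict:
    """Map each tracked file (path relative to the web root) to its hash."""
    baseline = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file() and p.suffix in suffixes:
            baseline[p.relative_to(webroot).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed between two snapshots of the web root."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Simulate a clean deployment, then a tampered page and a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        # Constructed clean deployment.
        (root / "checkout" / "checkout.php").write_text("<?php // clean checkout ?>")
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        baseline = build_baseline(root)

        # Constructed tampering: the checkout page is altered and an
        # unexpected PHP file appears in the web root.
        (root / "checkout" / "checkout.php").write_text("<?php // altered ?>")
        (root / "uploads.php").write_text("<?php // unexpected new file ?>")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Running the script prints the constructed result: `checkout/checkout.php` under `modified` and `uploads.php` under `added`. In practice the baseline should be regenerated only as part of a controlled deployment, so that any other change to a PHP file is a finding worth investigating alongside the credential and account monitoring the FBI recommends.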
Read More: FBI says hackers used malicious PHP code to grab credit card data