Microsoft revealed that card-skimming malware is increasingly employing malicious PHP software on web servers to modify payment sites and circumvent browser safeguards activated by JavaScript code.
According to Microsoft threat analysts, card-skimming malware has changed its approach. In recent years card skimming has been driven by the so-called Magecart malware, which injects JavaScript into checkout pages and delivers code that grabs and exfiltrates credit card information.
According to Microsoft, injecting JavaScript into front-end processes was “very conspicuous” because it might trigger browser defenses such as Content Security Policy (CSP), which prevents external scripts from loading. Attackers discovered a less noisy method: compromising web servers with malicious PHP scripts. In November 2021, Microsoft found two malicious image files on a Magento-hosted server, one of which was a phony browser favicon. Magento is a well-known e-commerce platform.
The images included an embedded PHP script, which the compromised web server would not run by default. Instead, in order to target only shoppers, the PHP script starts only after validating through cookies that the web administrator is not currently signed in. The PHP script obtained the current page’s URL and searched for the keywords “checkout” and “one page,” which are linked to Magento’s checkout page.
“The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn’t run the said code. Based on previous similar attacks, we believe that the attacker used a PHP ‘include’ expression to include the image (that contains the PHP code) in the website’s index page, so that it automatically loads at every webpage visit,” Microsoft explained.
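A defender-side check for the two artifacts described above (a PHP open tag hidden inside an image file, and a PHP source file that `include`s an image). This is an added example, not code from Microsoft or the article; the magic-byte table, the regexes and the constructed sample favicon are assumptions.

```python
import re
from pathlib import Path

# Magic bytes of common web image formats (assumed lookup table).
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x00\x00\x01\x00": "ico",
}

# A PHP open tag has no business inside image data.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# include/require statements whose target has an image extension.
INCLUDE_IMAGE = re.compile(
    rb"\b(include|include_once|require|require_once)\b[^;]*?\.(png|jpe?g|gif|ico)\b",
    re.IGNORECASE,
)
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
PHP_EXTS = {".php", ".phtml"}

def image_format(data: bytes):
    """Return the format implied by the magic bytes, or None."""
    return next((f for m, f in IMAGE_MAGIC.items() if data.startswith(m)), None)

def scan_image_bytes(data: bytes) -> dict:
    """Report the byte offset of a PHP open tag inside image data, if any."""
    m = PHP_OPEN_TAG.search(data)
    return {"format": image_format(data), "php_offset": m.start() if m else None}

def scan_php_source(src: bytes) -> list:
    """Return include/require statements that pull in an image file."""
    return [m.group(0).decode(errors="replace") for m in INCLUDE_IMAGE.finditer(src)]

def scan_tree(root) -> list:
    """Walk a webroot and collect (path, finding) pairs for both indicators."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        data = p.read_bytes()
        if p.suffix.lower() in IMAGE_EXTS:
            r = scan_image_bytes(data)
            if r["php_offset"] is not None:
                findings.append((str(p), f"PHP tag at byte {r['php_offset']}"))
        elif p.suffix.lower() in PHP_EXTS:
            findings.extend((str(p), f"includes image: {s}") for s in scan_php_source(data))
    return findings

# Constructed sample: a minimal ICO header followed by a PHP payload (not a real sample).
SAMPLE_FAVICON = b"\x00\x00\x01\x00" + b"\x00" * 20 + b"<?php /* skimmer would go here */ ?>"
```

Legitimate images can carry text metadata, so treat a hit as a triage lead and inspect the file rather than deleting it blindly.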
Malicious PHP is increasingly being used in card-skimming malware. Last week, the FBI issued a warning about fresh examples of card-skimming cybercriminals infecting US company checkout sites with webshells allowing backdoor remote access to the webserver using malicious PHP. Sucuri observed that PHP skimmers targeting backend web servers were responsible for 41% of new credit card-skimming malware discovered in 2021.
According to Malwarebytes, Magecart Group 12 is spreading new webshell malware that dynamically loads JavaScript skimming code through server-side requests to online merchants. Malwarebytes’ Jérôme Segura noted that this strategy is intriguing because most client-side security measures will be unable to detect or disable the skimmer. This was a PHP web shell, unlike earlier occurrences where a fake favicon image was used to disguise malicious JavaScript code.
However, malicious JavaScript is still used to skim cards. For example, Microsoft discovered card-skimming malware based on JavaScript impersonating Google Analytics and Meta Pixel (previously Facebook Pixel) scripts. This may lead administrators to believe the scripts are harmless.