The images carried an embedded PHP script, which a web server will not execute on its own when it serves an image file. To target shoppers exclusively, the script first checks the request's cookies to confirm that the store administrator is not currently signed in; only then does it read the current page's URL and search it for the keywords "checkout" and "one page," which correspond to Magento's checkout page.
“The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn’t run the said code. Based on previous similar attacks, we believe that the attacker used a PHP ‘include’ expression to include the image (that contains the PHP code) in the website’s index page, so that it automatically loads at every webpage visit,” Microsoft explained.
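The two tell-tale artifacts described above (a file with an image signature that contains a PHP open tag, and a PHP source that pulls such a file in through `include`/`require`) are straightforward to hunt for on disk. The following scanner is an added example written for this page; it is not Microsoft's tooling or code from the report. The sample files, the cookie name and the skimmer-like payload inside the fake PNG are all constructed for the demonstration.

```python
import re
from typing import Dict, List

# Signatures that make a file "claim" to be an image (PNG, JPEG, GIF).
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

# A PHP open tag (<?php or the short echo tag <?=) anywhere in the body.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.I)

# include/require (with or without parentheses) of a string literal whose
# path ends in an image extension, e.g.  include 'media/favicon.png';
IMAGE_INCLUDE = re.compile(
    r"""\b(?:include|include_once|require|require_once)\s*\(?\s*['"]([^'"]+\.(?:png|jpe?g|gif|ico|bmp|webp|svg))['"]""",
    re.I,
)

# Constructed sample files (NOT real artifacts from the Microsoft report).
# The fake favicon mirrors the behaviour the article describes: a cookie gate
# that skips admins (cookie name 'adminhtml' is an assumption), then a URL
# keyword check for the checkout page before the skimmer body would run.
SAMPLES: Dict[str, bytes] = {
    "media/favicon.png": IMAGE_MAGIC[0] + b"\x00" * 64 + (
        b"<?php if (!isset($_COOKIE['adminhtml'])) { $u = $_SERVER['REQUEST_URI'];"
        b" if (strpos($u, 'checkout') !== false || strpos($u, 'onepage') !== false)"
        b" { /* skimmer body would go here */ } } ?>"
    ),
    "media/logo.png": IMAGE_MAGIC[0] + b"\x00" * 64,
    "index.php": b"<?php\nrequire 'app/bootstrap.php';\ninclude 'media/favicon.png';\n",
    "app/code/Foo.php": b"<?php\nrequire_once 'app/Mage.php';\n",
}


def looks_like_image(data: bytes) -> bool:
    """True when the file starts with a known image signature."""
    return data.startswith(IMAGE_MAGIC)


def has_embedded_php(data: bytes) -> bool:
    """An image-signature file that carries a PHP open tag somewhere in its body.

    A '<?=' sequence can occur by chance in binary data, so treat a hit as a
    lead to inspect, not proof on its own.
    """
    return looks_like_image(data) and PHP_OPEN_TAG.search(data) is not None


def image_includes(php_source: str) -> List[str]:
    """Paths of image files pulled in via include/require in a PHP source."""
    return IMAGE_INCLUDE.findall(php_source)


def scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run both checks over an in-memory {path: bytes} tree and report hits."""
    findings: Dict[str, List[str]] = {}
    for path, data in files.items():
        hits: List[str] = []
        if has_embedded_php(data):
            hits.append("php-in-image")
        if path.lower().endswith((".php", ".phtml")):
            for target in image_includes(data.decode("utf-8", errors="replace")):
                hits.append(f"includes-image:{target}")
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, hits in scan(SAMPLES).items():
        print(f"{path}: {', '.join(hits)}")
```

Against the constructed tree the scanner flags `media/favicon.png` as an image with PHP inside and `index.php` for including it, while the clean logo and the ordinary `require_once` of a `.php` file stay silent. On a real store you would walk the document root with `os.walk`, feed each file's bytes in, and treat any `php-in-image` hit as a file to pull for analysis rather than delete on the spot, since the include that loads it is what keeps the skimmer alive.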
Malicious PHP is increasingly common in card-skimming malware. Last week, the FBI warned of fresh cases in which card-skimming actors planted PHP-based web shells on US companies' checkout sites, giving them backdoor remote access to the web server. Sucuri observed that PHP skimmers running on the back-end web server accounted for 41% of the new credit-card-skimming malware it discovered in 2021.