A group of hackers known as Magecart Group 12, which has a history of targeting online shops and e-commerce websites, has now added malicious PHP web shells masked as favicons to its arsenal, Malwarebytes reports.
Researchers say many e-commerce shops are vulnerable to these attacks because their owners have not upgraded their content management software (CMS) for a long time.
The hacker group uses web shells to maintain remote access to the targeted servers. Once the online shopping platform is compromised, the attackers inject JavaScript skimmers to steal financial information, according to a Malwarebytes researcher.
Attackers use malicious PHP web shells Megalodon or Smilodon to “dynamically load JavaScript skimming code with server-side requests into online stores.”
The PHP-based web shell is disguised as a favicon and hidden on the targeted site under a path of its own. The web shell fetches the next-stage payload from a remote location, after which the attackers deploy a credit card skimmer similar to variants used in Cardbleed attacks.
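A defender's first question after reading the above is how to notice a PHP script that is sitting in the web root under an image name. The following is an added example, not code from the article or from Malwarebytes: a small scanner that walks a web root, and for every file with an image extension checks (a) whether its leading bytes match the magic number that extension implies and (b) whether PHP open tags or common decode/eval calls appear anywhere in the file, which also catches a polyglot that keeps a valid ICO header and appends PHP after it. The directory layout, file names and file contents are constructed for the demonstration and are not the paths reported in the campaign.

```python
import re
import tempfile
from pathlib import Path

# Leading bytes each image extension is expected to start with.
IMAGE_MAGIC = {
    ".ico": [b"\x00\x00\x01\x00"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}

# Markers that should never appear inside a real image file.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|\beval\s*\(|\bbase64_decode\s*\(", re.IGNORECASE)


def inspect_file(path: Path) -> list:
    """Return a list of findings for one file; empty means nothing suspicious."""
    findings = []
    ext = path.suffix.lower()
    if ext not in IMAGE_MAGIC:
        return findings  # only image-named files are in scope here
    data = path.read_bytes()
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        findings.append("header does not match %s" % ext)
    if PHP_MARKERS.search(data):
        findings.append("contains PHP code markers")
    return findings


def scan_webroot(root) -> dict:
    """Map each suspicious file (path relative to root, POSIX style) to its findings."""
    root = Path(root)
    results = {}
    for p in root.rglob("*"):
        if p.is_file():
            findings = inspect_file(p)
            if findings:
                results[p.relative_to(root).as_posix()] = findings
    return results


def build_sample_webroot() -> Path:
    """Create a constructed web root with one clean icon, one PHP file named as an
    icon, and one polyglot (valid ICO header followed by PHP). Hypothetical data."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    media = root / "media"
    media.mkdir()
    ico_header = b"\x00\x00\x01\x00" + b"\x00" * 60
    (media / "favicon.ico").write_bytes(ico_header)
    (media / "favicon_1.ico").write_bytes(b"<?php echo 'not an icon'; ?>")
    (media / "polyglot.ico").write_bytes(ico_header + b"<?php echo 'appended'; ?>")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, findings in sorted(scan_webroot(sample_root).items()):
        print(rel_path, "->", "; ".join(findings))
```

Run it against a real document root instead of the constructed one by calling `scan_webroot("/var/www/html")` (path is a placeholder). The header check alone misses the polyglot case, and the marker check alone can be evaded by obfuscation, so both are applied and any hit is worth a manual look; an integrity baseline of the web root (hashes of every deployed file) remains the more robust control, since the scanner only knows about patterns it was told to look for.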
Unlike earlier campaigns, in the recent attacks the injected skimmers make a server-side request to a malicious domain hosting a JavaScript resource.
In such attacks, known as formjacking, JavaScript skimmer code is stealthily inserted into one or more e-commerce stores.
Magecart attacks are becoming more common and have hit several online platforms around the world in the past few months. Last month, VISA reported Magecart attacks in which attackers injected JavaScript-based credit card skimmers into online stores via web shells. In February, BleepingComputer reported Magecart attacks in which threat actors abused Google's Apps Script business app development platform to steal credit card information.
Skimming attacks have recently become a lucrative business for cybercriminals. Organizations are advised to implement protective measures geared toward detecting and stopping skimming attacks.