FBI FLASH # MC-000170-MW details how cyber actors have been observed scraping credit card data from US business’ online checkout pages and maintaining persistence by injecting malicious PHP code.
Summary
As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server. The unidentified cyber actors also established backdoor access to the victim’s system by modifying two files within the checkout page. The FBI has identified and is sharing new indicators of compromise (IOCs), which may assist in network defense.
Recommended Mitigations:
Update and patch all systems, to include operating systems, software, and any third party code running as part of your website.
Change default login credentials on all systems.
Monitor requests performed against your e-commerce environment to identify possible malicious activity.
Segregate and segment network systems to limit how easily cyber criminals can move from one to another.
Secure all websites transferring sensitive information by using secure socket layer (SSL) protocol.
Install third-party software/hardware from trusted sources. Coordinate with the manufacturer to ensure their security protocols prevent unauthorized access to data they store and/or process.
Patch all systems for critical vulnerabilities, prioritizing timely patching of internet connected servers for known vulnerabilities and software processing internet data, such as web browsers, browser plugins, and document readers.
Actively scan and monitor web logs and web applications for unauthorized access, modification, and anomalous activities.
Strengthen credential requirements and implement multifactor authentication to protect individual accounts.
Conduct regular backups to reduce recovery time in the event of a compromise or cyber intrusion.
Maintain an updated Incident Response Plan addressing cyber threat response.
Experts with Cyvatar and Shared Assessments offer comments:
Dave Cundiff, (he/him), CISO, Cyvatar:
“Continually verifying and monitoring an organizations fundamental cybersecurity is a requirement these days. If the fundamentals of an organization’s security are not strong, then the additional complexity of any additional security is useless. Almost all of the attacks or compromises we have been tracking over the last couple of years could have been prevented or at least had the impact greatly reduced by following the basic hygiene approach of fundamental security. Patching systems, changing default passwords, reducing overlap in system communication, these principals of cybersecurity have been around for decades. It is more and more critical to not get distracted by flashy sales pitches and focus on making sure your organization’s fundamental security is solid before moving to more advanced mitigations.”
Ron Bradley, VP, Shared Assessments:
“File Integrity Monitoring (FIM) If you're running a web site, especially one which transacts funds, and if you don't have FIM implemented, I don't want to shop there. Furthermore, you're going to get pummeled by bad actors because you don't have your house in order.
“It's a well-known fact credit card data has always been one of the crown jewels for fraudsters. It's fascinating to me when a business has card data compromised while battle tested measures could easily have been put in place. Understanding the technical controls your organization and associated nth parties have in place to defend against fundamental attacks is an imperative in the world of ecommerce.”
###