Microsoft in November 2021 found two malicious image files, including one fake browser favicon, being uploaded to a Magento-hosted server. Magento is a popular e-commerce platform.
The images contained embedded PHP script, which by default didn’t run on the affected web server. Instead, the script first checks cookies to confirm that the web admin is not currently signed in, so that only shoppers are targeted.
Once the PHP script was run, it retrieved the current page’s URL and looked for “checkout” and “one page”, two keywords that are mapped to Magento’s checkout page.
“The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn’t run the said code. Based on previous similar attacks, we believe that the attacker used a PHP ‘include’ expression to include the image (that contains the PHP code) in the website’s index page, so that it automatically loads at every webpage visit,” Microsoft explained.
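The two traits described above, an image file carrying PHP tags and a PHP source that `include`s an image, are both things a defender can look for on disk. The scanner below is an added example and not code from Microsoft's report; the file names, the sample webroot and the "skimmer stub" contents are all constructed for illustration.

```python
import os
import re
import tempfile

IMAGE_EXTS = {".ico", ".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"}
# A PHP open tag inside an image: inert until the server include()s the file.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# include/require of a file with an image extension, e.g. include 'favicon.ico';
INCLUDE_IMAGE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]+\.(?:ico|png|jpe?g|gif|webp|svg)['\"]",
    re.IGNORECASE,
)

def scan_webroot(root):
    """Return (images containing PHP tags, PHP files that include an image), both sorted."""
    php_in_images, includes_of_images = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in IMAGE_EXTS and PHP_TAG_RE.search(data):
                php_in_images.append(rel)
            elif ext in {".php", ".phtml"} and INCLUDE_IMAGE_RE.search(data.decode("utf-8", "replace")):
                includes_of_images.append(rel)
    return sorted(php_in_images), sorted(includes_of_images)

def demo():
    """Build a constructed webroot with a benign and a suspicious case of each kind, then scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "favicon.ico": b"\x00\x00\x01\x00" + b"\x00" * 16,                   # benign icon header only
        "media/icon.ico": b"\x00\x00\x01\x00<?php echo 'skimmer stub'; ?>",  # constructed PHP-in-image
        "index.php": b"<?php\ninclude 'media/icon.ico';\n",                  # loads the image as code
        "app/bootstrap.php": b"<?php\nrequire_once 'config.php';\n",         # ordinary include, ignored
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return scan_webroot(root)

if __name__ == "__main__":
    images, includes = demo()
    print("images with PHP tags:", images)
    print("PHP files including images:", includes)
```

Run it against a real webroot by calling `scan_webroot("/path/to/htdocs")`; any hit in either list deserves a look at file timestamps and the surrounding PHP.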
There has been a rise in the use of malicious PHP in card-skimming malware. The FBI last week warned of new cases of card-skimming attackers using malicious PHP to infect US businesses’ checkout pages with webshells for backdoor remote access to the web server. Security firm Sucuri found that 41% of new credit-card-skimming malware observed in 2021 was related to PHP skimmers targeting backend web servers.
“This technique is interesting as most client-side security tools will not be able to detect or block the skimmer,” Malwarebytes’ Jérôme Segura noted.