Malicious web shells have been wreaking havoc by enabling remote access, executing arbitrary commands, and controlling servers. It’s a technique mostly used by Magecart threat actors. Recently, security researchers from Malwarebytes found Magecart Group 12, a cybercriminal gang best known for its attacks on online stores, targeting Magento online stores to pilfer customers’ sensitive information. Magento is an e-commerce platform that allows websites to create their own online store. According to the researchers, Magecart attackers have been found distributing malicious PHP web shells, known as Smilodon or Megalodon, disguised as a favicon to obtain remote access to the targeted servers.
What is a Web Shell?
A web shell is a malicious script or malware deployed on websites to obtain persistent access to an already compromised site. Attackers usually upload web shells onto a web server after exploiting a vulnerability.
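As an added illustration of the detection side of this technique (this is not code from Malwarebytes or from the article), the following Python check flags files that carry an image extension but whose header does not match the expected magic bytes, or that contain PHP open tags and command-execution functions. The file names and byte strings are constructed samples.

```python
import re
from pathlib import Path

# Magic bytes a genuine image with each extension should start with.
IMAGE_MAGIC = {
    ".ico": b"\x00\x00\x01\x00",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# PHP open tags (<?php or <?=) and functions a web shell needs to run commands.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
RISKY_CALLS = re.compile(
    rb"\b(eval|system|exec|shell_exec|passthru|base64_decode)\s*\(", re.IGNORECASE
)


def inspect_image(name: str, data: bytes) -> list[str]:
    """Return a list of findings for one file that claims to be an image."""
    findings = []
    ext = Path(name).suffix.lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        findings.append(f"{name}: header does not match {ext} magic bytes")
    if PHP_TAG.search(data):
        findings.append(f"{name}: contains a PHP open tag")
    calls = sorted({m.group(1).decode().lower() for m in RISKY_CALLS.finditer(data)})
    if calls:
        findings.append(f"{name}: references {', '.join(calls)}")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a web root and report every image-named file with findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_MAGIC:
            hits = inspect_image(str(path), path.read_bytes())
            if hits:
                results[str(path)] = hits
    return results


# Constructed samples: a minimal genuine ICO header and a fake favicon
# holding a non-functional PHP stub (placeholder, not a working shell).
GENUINE_ICO = b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 32
FAKE_ICO = b"GIF89a<?php eval(/* constructed placeholder */); ?>"

if __name__ == "__main__":
    for name, blob in (("favicon.ico", GENUINE_ICO), ("favicon_bad.ico", FAKE_ICO)):
        print(name, inspect_image(name, blob) or ["clean"])
```

Run `scan_tree("/var/www/html")` (path is an assumption) to sweep a deployed Magento web root; the check is a heuristic, so review each hit rather than deleting files automatically.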
Malicious Web Shells Disguised as Favicons
The Modus Operandi of Magecart Attackers
Recent Magecart Attacks
- Magecart actors compromised government websites of eight U.S. cities across three states via a card skimming attack. The attack targeted users making payments on the compromised Click2Gov website.
- In a massive Magecart campaign, threat actors hacked over 2000 Magento online stores to pilfer users’ financial data.
- The online store of Claire’s and its sister brand Icing were attacked by Magecart operators last year. Attackers gained access to the company’s online store and hid malicious code in it to collect payment card information from users.
- RiskIQ uncovered a new Magecart campaign dubbed “Magecart Group 7” that compromised over 19 e-commerce websites to steal customers’ payment card data.
Web skimming attacks that deploy web shells continue to be a severe threat to e-commerce businesses. Several online stores remain vulnerable because of unpatched flaws and outdated content management software (CMS). Online merchants need to patch and update their websites to prevent exfiltration of consumers’ payment information.