
Magecart Group 12 Found Deploying PHP Web Shells to Skim Users’ Payment Information

Magecart attackers have been found distributing PHP web shells, known as Smilodon or Megalodon, disguised as a favicon to obtain remote access to the targeted servers.


Malicious web shells have been wreaking havoc by enabling remote access, executing arbitrary commands, and controlling servers. It’s a technique mostly used by Magecart threat actors. Recently, security researchers from Malwarebytes found Magecart Group 12, a cybercriminal gang best known for its attacks on online stores, targeting Magento online stores to pilfer customers’ sensitive information. Magento is an e-commerce platform that lets merchants build their own online stores. According to the researchers, the Magecart attackers have been distributing malicious PHP web shells, known as Smilodon or Megalodon, disguised as a favicon to obtain remote access to the targeted servers.

What is a Web Shell?

A web shell is a malicious script or malware deployed on websites to obtain persistent access to an already compromised site. Attackers usually upload web shells onto a web server after exploiting a vulnerability.

Malicious Web Shells Disguised as Favicons

The attackers used the malicious web shells to dynamically load JavaScript skimming code into online stores via server-side requests. The researchers stated that the malware (disguised as a favicon) attempts to pass itself off as an image/png file and is injected into compromised websites and online stores by replacing the original icon tags with a path to the fake PNG file.

“This technique is interesting as most client-side security tools will not be able to detect or block the skimmer. There are several ways to load skimming code, but the most common one is by calling an external JavaScript resource. When a customer visits an online store, their browser will request a domain hosting the skimmer. Although criminals will constantly expand on their infrastructure, it is relatively easy to block these skimmers using a domain/IP database approach,” Malwarebytes said.
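Because the skimmer is loaded server-side, the check has to run on the server as well. The Python script below is an added example, not code from the article or from Malwarebytes' research: it flags files that carry an image extension but contain PHP code, verifies that an image file's signature matches its extension, and resolves the favicon paths a page's icon tags reference against those files. The file paths, the HTML snippet and the PHP stub are constructed samples.

```python
import os
import re
# File signatures for the image types a favicon normally uses.
MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
         ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",), ".ico": (b"\x00\x00\x01\x00",)}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
LINK_TAG = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
ATTR = re.compile(r"\b(rel|href)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.IGNORECASE)

def classify_image(name: str, data: bytes) -> str:
    """'php-in-image' (web shell candidate), 'bad-magic' (signature/extension mismatch), 'ok' or 'not-image'."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "not-image"
    if PHP_TAG.search(data):  # whole file is scanned, so PHP appended after a real PNG header is caught too
        return "php-in-image"
    if not data.startswith(MAGIC[ext]):
        return "bad-magic"
    return "ok"

def icon_hrefs(html: str) -> list:
    """Paths referenced by <link rel="...icon..."> tags, in any attribute order."""
    found = []
    for tag in LINK_TAG.findall(html):
        attrs = {m[0].lower(): (m[1] or m[2] or m[3]) for m in ATTR.findall(tag)}
        if "icon" in attrs.get("rel", "").lower() and attrs.get("href"):
            found.append(attrs["href"])
    return found

def audit_page(html: str, files: dict) -> dict:
    """Verdict for every favicon the page references ('missing' if the file is absent)."""
    return {h: classify_image(h, files[h]) if h in files else "missing" for h in icon_hrefs(html)}

def scan_webroot(root: str) -> dict:
    """Walk a directory tree; return {path: verdict} for image-named files that are not clean."""
    hits = {}
    for d, _, names in os.walk(root):
        for n in names:
            path = os.path.join(d, n)
            with open(path, "rb") as f:
                verdict = classify_image(n, f.read())
            if verdict not in ("ok", "not-image"):
                hits[path] = verdict
    return hits

# Constructed samples (not real malware): a genuine PNG header, and a PHP stub
# behind an image name, which is the disguise the article describes.
SAMPLE_FILES = {"/skin/favicon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                "/media/favicon_.png": b"<?php /* constructed stand-in for a web shell */ ?>"}
SAMPLE_HTML = '<link type="image/png" href="/media/favicon_.png" rel="icon">'
```

Any 'php-in-image' or 'bad-magic' hit deserves manual review rather than automatic deletion, since a legitimate binary can in rare cases contain the `<?=` byte sequence.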

The Modus Operandi of Magecart Attackers

Magecart attackers are linked to several cybercrimes against e-commerce sites. A Magecart attack, also known as web skimming or e-skimming, is a form of cybercrime in which attackers plant malicious JavaScript code on the payment gateway of online stores to collect users’ payment card information while they make purchases on the infected site. The stolen card data is later sold on the dark web or used to make fraudulent purchases.

Recent Magecart Attacks

  • Magecart actors compromised government websites of eight U.S. cities across three states via a card skimming attack. The attack occurred when users made payments on the compromised Click2Gov website.
  • In a massive Magecart campaign, threat actors hacked over 2000 Magento online stores to pilfer users’ financial data.
  • The online store of Claire’s and its sister brand Icing were attacked by Magecart operators last year. Attackers compromised the company’s online store and hid malicious code in it to collect payment card information from users.
  • RiskIQ uncovered a new Magecart campaign dubbed “Magecart Group 7” that compromised over 19 e-commerce websites to steal customers’ payment card data.

Web skimming attacks that deploy web shells continue to be a severe threat to e-commerce businesses. Several online stores remain vulnerable because of unpatched flaws and outdated content management systems (CMS). Online merchants need to update their websites to prevent exfiltration of consumers’ payment information.