"Microsoft: Credit Card Skimmers Are Changing Their Tactics to Remain Undetected"

According to Microsoft, card-skimming malware is increasingly using malicious PHP software on web servers to modify payment sites and avoid the browser safeguards that JavaScript code activates. Card skimming has been fueled in recent years by Magecart malware, which uses JavaScript code to inject scripts into checkout sites and deliver malware that captures and steals credit card information. Injecting JavaScript into front-end processes was "very conspicuous," according to Microsoft, because it may have triggered browser defenses like Content Security Policy (CSP), which prohibits external scripts from loading. By attacking web servers with malicious PHP scripts, malicious actors found a less noisy technique. Microsoft discovered two malicious image files on a Magento-hosted server in November 2021, one of which was a fake browser favicon. The images contained an embedded PHP script, which did not run by default on the compromised web server. Instead, in order to target customers, the PHP script ran only once cookies validated that the web administrator was not currently signed in. The PHP script then got the URL of the current page and searched for the keywords "checkout" and "one page," which are connected to Magento's checkout page. The FBI recently issued a warning about new incidents of card-skimming cybercriminals infecting US corporate checkout sites with web shells that allow backdoor remote access to the web server via malicious PHP. According to Sucuri, PHP skimmers targeting backend web servers accounted for 41 percent of new credit card-skimming malware found in 2021. This article continues to discuss observations surrounding credit-skimming cybercriminals' tactics.
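One way a defender could hunt for the image-borne PHP described above is to sweep a web root for files with image extensions that carry a PHP open tag or lack an image header. This is an added example, not code from Microsoft or the article; the extension list, the `<?php` match and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading magic bytes of common image formats (ICO covers favicons).
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"\x00\x00\x01\x00")
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
PHP_OPEN = b"<?php"  # assumption: only the full open tag is matched

def inspect_image(path):
    """Return findings for one file whose extension claims it is an image."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not data.startswith(IMAGE_MAGIC):
        findings.append("image extension but no image header")
    offset = data.lower().find(PHP_OPEN)
    if offset != -1:
        findings.append(f"PHP open tag at byte offset {offset}")
    return findings

def scan_webroot(root):
    """Walk root and map each suspicious image (relative path) to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            findings = inspect_image(path)
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def build_sample_webroot(root):
    """Write constructed sample files: one clean PNG stub and two suspicious images."""
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "favicon.ico": b"\x00\x00\x01\x00" + b"\x00" * 16 + b"<?php /* placeholder */ ?>",
        "banner.jpg": b"<?PHP /* placeholder */ ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        for path, findings in sorted(scan_webroot(tmp).items()):
            print(path, "->", "; ".join(findings))
```

A hit is a lead for review rather than proof of compromise; the next step is to find what server-side code includes or executes the flagged file.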

CyberIntelMag reports "Microsoft: Credit Card Skimmers Are Changing Their Tactics to Remain Undetected"

Submitted by Anonymous on