VISA: Hackers are increasingly using Web Shells to steal credit cards
The multinational financial services company VISA warns that threat actors are increasingly deploying web shells on compromised servers to steal credit card information from online store customers.
Over the past year, VISA has seen a growing trend of web shells being used by fraudsters to inject scripts into compromised servers and target credit cards, an attack also known as credit card web skimming, digital skimming, e-Skimming or Magecart.
What are Web Shells?
Web shells are tools (scripts or programs) deployed by scammers to gain and/or retain access to compromised servers so that they can remotely execute arbitrary code or commands, move laterally within a target network, or deliver additional malware.
Once installed on a server, they enable their owner to interact with the compromised server and gain access to its filesystem. Most web shells can rename, copy, move, and even edit or upload files on the server. And of course they can steal data from the server.
Hackers exploit vulnerabilities in a server's operating system, as well as in the web applications hosted on it, to breach it and install web shells. Web shells can be written in any programming language. This allows hackers to hide them in the code of any site hosted on the server, which makes them difficult to detect without at least the help of a web firewall or a web malware scanner.
A web shell is usually accompanied by a backdoor script. When attackers succeed in breaching a server, they take care to entrench their presence as well as they can. Along with the web shell, they install a backdoor so that they can re-infect the server if the web shell is discovered and removed.
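Because a web shell, its companion backdoor and an injected skimmer all show up as new or altered script files, comparing the web root against a known-good baseline catches all three. The sketch below is an added example, not part of the VISA advisory; the extension list, the no-script directory names and the sample files are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Assumed for this example: script extensions, and dirs that should hold no scripts.
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".aspx", ".js"}
NO_SCRIPT_DIRS = ("media/", "uploads/")

def snapshot(root):
    """Return {relative_path: sha256_hex} for every script file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Diff two snapshots; 'suspicious' = new scripts in no-script directories."""
    added = sorted(set(current) - set(baseline))
    return {
        "added": added,
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
        "suspicious": [p for p in added if p.startswith(NO_SCRIPT_DIRS)],
    }

def demo():
    """Constructed web root: take a baseline, simulate tampering, then diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        write("index.php", b"<?php echo 'store';")
        write("js/checkout.js", b"submitOrder();")
        write("media/logo.png", b"not-a-script")
        baseline = snapshot(root)  # known-good state, e.g. right after deployment
        write("media/cache.php", b"<?php /* unexpected file (placeholder) */")
        write("js/checkout.js", b"submitOrder(); /* appended code (placeholder) */")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it is taken from a clean deployment and stored off the web server, where an intruder with filesystem access cannot rewrite it.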
What did VISA see?
VISA found that most of the web shells were used to place Magecart on compromised online store servers. The web shells created a command and control infrastructure that allowed fraudsters to exfiltrate credit card information.
Intruders have used multiple methods to hack online store servers, including vulnerabilities in insecure administrative infrastructure, add-ons for e-commerce-related applications, and outdated, unpatched e-commerce platforms.
Web Shells are increasingly used to backdoor servers
In February, VISA's findings were confirmed by the Microsoft Defender Advanced Threat Protection (ATP) team, which said the number of web shells deployed on compromised servers had almost doubled from the previous year.
The company's security researchers discovered an average of 140,000 such malicious tools each month on compromised servers between August 2020 and January 2021.
By comparison, Microsoft said in a 2020 report that it had detected an average of 77,000 web shells each month, based on data collected from approximately 46,000 different devices between July and December 2019.
The US National Security Agency (NSA) also warned, in a joint report released with the Australian Signals Directorate (ASD) in April 2020, of threat actors escalating their attacks to backdoor vulnerable servers by deploying web shells.
According to VISA, the use of web shells to facilitate e-Skimming attacks is likely to continue, especially as restrictions on trade and physical presence in stores remain in place in the face of the Covid-19 pandemic.