VISA: Hackers are increasingly using Web Shells to steal credit cards

Multinational financial services company VISA warns that threat actors are increasingly deploying web shells on compromised servers to steal credit card information from online store customers.

Throughout the past year, VISA has observed a growing trend of web shells being used by fraudsters to inject scripts into compromised servers; the technique is also known as credit card web skimming, digital skimming, e-Skimming or Magecart.

What are Web Shells?
Web shells are tools (scripts or programs) developed by scammers to gain and/or retain access to compromised servers, so that they can remotely execute arbitrary code or commands, move laterally within a target network, or deliver additional malware.

Once installed on a server they enable their owner to interact with the compromised server and gain access to its filesystem. Most web shells allow you to rename, copy, move and even edit or upload files to the server. And of course they can steal data from the server.

Hackers take advantage of vulnerabilities in a server's operating system, as well as in the web applications running on it, to breach it and install web shells. Web shells can be written in any programming language. This allows hackers to hide them in the code of any site that is uploaded to a server, making them difficult to detect without at least the help of a web malware scanner.

Usually along with a web shell there is a backdoor script. When attackers succeed and breach a server, they take care to establish their presence as best they can. Along with the web shell, they install a backdoor, so that they can re-infect the server in case the web shell is discovered and removed.
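A defender's view of the point above, as an added example that is not from VISA or from the original article: because a web shell and its companion backdoor are extra or altered files inside the site's own code, comparing the live webroot against a manifest taken at deploy time surfaces them regardless of the language they are written in. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Extensions the web server may execute or serve as script (assumed; adjust per stack).
SCRIPT_EXTS = {".php", ".phtml", ".jsp", ".aspx", ".js"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(webroot):
    """Map relative path -> SHA-256 for every file under webroot."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, webroot)] = sha256_file(full)
    return manifest

def diff_webroot(baseline, webroot):
    """Compare the live webroot with a known-good baseline manifest."""
    current = build_manifest(webroot)
    is_script = lambda p: os.path.splitext(p)[1].lower() in SCRIPT_EXTS
    return {
        "added_scripts": sorted(p for p in current if p not in baseline and is_script(p)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample: a tiny store webroot, then two unexpected changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        files = {"index.php": b"<?php render_store(); ?>",
                 os.path.join("js", "checkout.js"): b"submitOrder();"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)  # taken at deploy time, stored off-server
        # Simulated tampering: checkout script altered, unknown script dropped.
        with open(os.path.join(root, "js", "checkout.js"), "ab") as f:
            f.write(b"\n/* appended content (constructed) */")
        with open(os.path.join(root, "js", "stats.php"), "wb") as f:
            f.write(b"placeholder")
        return diff_webroot(baseline, root)

if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the web server cannot write to; if a removed file reappears on the next run, a second foothold is still present on the server.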

What did VISA see?
The company found strong growth in skimmers written in JavaScript, which, once deployed, allow fraudsters to steal the payment and personal information that customers enter in online stores and send it to servers under their control.

VISA found that most of the web shells were used to place Magecart on compromised online store servers. Web shells created a command and control infrastructure that allowed fraudsters to exfiltrate credit card information.

Intruders have used multiple methods to hack online store servers, including vulnerabilities in insecure administrative infrastructure, add-ons for e-commerce-related applications, and outdated, unpatched e-commerce platforms.

Web shells are increasingly used to backdoor servers
In February, VISA's findings were confirmed by the Microsoft Defender Advanced Threat Protection (ATP) team, which stated that the number of web shells deployed on compromised servers has almost doubled since last year.

The company's security researchers discovered an average of 140,000 such malicious tools each month on compromised servers between August 2020 and January 2021.

By comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, with data collected from approximately 46,000 different devices between July and December 2019.

The US National Security Agency (NSA) also warned, in a joint report released with the Australian Signals Directorate (ASD) in April 2020, that threat actors are escalating attacks to backdoor vulnerable servers by deploying web shells.

According to VISA, the use of web shells to facilitate e-Skimming attacks is likely to continue, especially as restrictions on trade and physical presence in stores remain in place in the face of the Covid-19 pandemic.


Written by Dimitris
