VISA: Hackers are increasingly using Web Shells to steal credit cards

The multinational financial services company VISA warns that threat actors are deploying more and more web shells on compromised servers in order to steal credit card information from customers of online stores.

Throughout the past year, VISA has seen a growing trend of web shells being used by fraudsters to plant scripts on compromised servers that target credit cards, an attack also known as credit card web skimming, digital skimming, e-Skimming or Magecart.

What are Web Shells?
Web shells are tools (scripts or programs) developed by scammers to gain and/or retain access to compromised servers, so that they can remotely execute arbitrary code or commands, move laterally within a target network, or deliver additional malware.

Once installed on a server, they enable their owner to interact with the compromised server and gain access to its file system. Most web shells allow renaming, copying, moving, and even editing or uploading files on the server. And of course they can steal data from the server.

Hackers exploit vulnerabilities in a server's operating system, as well as in the web applications running on it, to breach it and install web shells. Web shells can be written in any programming language. This allows hackers to hide them in the code of any site uploaded to a server, which makes them difficult to detect without at least the help of a web firewall or a web malware scanner.

Usually along with a web shell there is a backdoor script. When attackers succeed and breach a server, they take care to establish their presence as best they can. Along with the web shell, they install a backdoor, so that they can re-infect the server in case the web shell is discovered and removed.

What did VISA see?
The company found a large increase in skimmers written in JavaScript which, once deployed, allow fraudsters to steal the payment and personal details of customers held in online stores and send them to servers under their control.

VISA found that most of the web shells were used to place Magecart skimmers on compromised online store servers. The web shells created a command and control infrastructure that allowed fraudsters to exfiltrate credit card information.

Attackers used multiple methods to compromise the servers of online stores, including vulnerabilities in insecure administrative infrastructure, plug-ins of applications related to and old, out-of-date e-commerce platforms.

Web Shells are increasingly used to backdoor servers
In February, VISA's findings were confirmed by the Microsoft Defender Advanced Threat Protection (ATP) team, which said the number of web shells deployed on compromised servers had almost doubled from the previous year.

The company's security researchers discovered an average of 140,000 such malicious tools on compromised servers each month, for the period between August 2020 and January 2021.

By comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, based on data collected from approximately 46,000 different devices between July and December 2019.

The US National Security Agency (NSA) also warned, in a joint report released with the Australian Signals Directorate (ASD) in April 2020, that threat actors are escalating attacks to backdoor vulnerable servers by deploying web shells.

According to VISA, the use of web shells to facilitate e-Skimming attacks is likely to continue, especially as restrictions on trade and physical presence in stores remain in place in the face of the Covid-19 pandemic.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
