VISA: Hackers are increasingly using Web Shells to steal credit cards

The multinational financial services company VISA warns that threat actors are increasingly deploying web shells on compromised servers to steal credit card information from online store customers.

Throughout the past year, VISA has seen a growing trend of web shells being used by fraudsters to inject scripts into compromised servers and target credit cards, an attack also known as credit card web skimming, digital skimming, e-Skimming or Magecart.

What are Web Shells?
Web Shells are tools (scripts or ) that are deployed by crooks to gain and/or maintain access to compromised servers so they can remotely execute arbitrary code or commands, move laterally within a target's network, or deliver additional malware.

Once installed on a server they enable their owner to interact with the compromised server and gain access to its filesystem. Most web shells allow you to rename, copy, move and even edit or upload files to the server. And of course they can steal data from the server.

Hackers take advantage of vulnerabilities in a server's operating system, as well as in the web applications running on it, to breach it and install web shells. Web shells can be written in any programming language. This allows hackers to hide them in the code of any site that is uploaded to a server, making them difficult to detect without at least the help of a web firewall or web malware scanner.

Usually along with a web shell there is a backdoor script. When attackers succeed and breach a server, they take care to establish their presence as best they can. Along with the web shell, they install a backdoor, so that they can re-infect the server in case the web shell is discovered and removed.

What did VISA see?
The company found a large increase in skimmers written in JavaScript, which, once deployed, allow fraudsters to steal payment and personal customer information available in online stores and send it to servers under their control.

VISA found that most of the web shells were used to place Magecart skimmers on compromised online store servers. The web shells provided a command and control infrastructure that allowed fraudsters to exfiltrate credit card information.

Intruders have used multiple methods to hack online store servers, including vulnerabilities in insecure administrative infrastructure, add-ons for e-commerce-related applications, and outdated, unpatched e-commerce platforms.

Web Shells are increasingly used to backdoor servers
In February, VISA's findings were confirmed by the Microsoft Defender Advanced Threat Protection (ATP) team, which said the number of web shells deployed on compromised servers had almost doubled from the previous year.

The company's researchers discovered an average of 140,000 such malicious tools on compromised servers each month between August 2020 and January 2021.

By comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, based on data collected from approximately 46,000 different devices between July and December 2019.

The US National Security Agency (NSA) also warned, in a joint report issued with the Australian Signals Directorate (ASD) in April 2020, of threat actors escalating their attacks to backdoor vulnerable servers by deploying web shells.

According to VISA, the use of web shells to facilitate e-Skimming attacks is likely to continue, especially as restrictions on trade and physical presence in stores remain in place in the face of the Covid-19 pandemic.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
