Hackers use image files with malicious PHP scripts to steal credit card data on e-commerce websites

Microsoft published a report detailing its researchers' findings on payment-card-stealing malware, noting that threat actors increasingly use malicious PHP scripts to tamper with checkout pages and evade the security controls that catch the usual skimmers. This marks a shift away from the Magecart-style JavaScript skimmers that have dominated card theft over the last decade.

Magecart skimmers rely on JavaScript injected into payment pages to intercept card details as the customer types them and send them to attacker-controlled servers. The technique works, but it is now well known and widely detected, so attackers have moved to more discreet but equally effective methods.

In late 2021, Microsoft researchers found two malicious image files, one of them a fake browser favicon, on a server running the Magento e-commerce platform. According to the report, the images contained an embedded PHP script that does not execute on its own: a web server serves an image file as data, not as code, so the script needs another mechanism to run.

When it does run, the script first inspects the browser's cookies to confirm that no store administrator is signed in; it proceeds only for ordinary shoppers, which keeps the skimmer out of the administrator's view, as the Microsoft researchers observed.

The script then retrieves the URL of the current page and looks for the keywords "checkout" and "one page," which map to Magento's checkout page. Researchers believe the attackers pull the image into the site's PHP code with an `include` statement, so the malicious script is executed on every visit to the compromised website.
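The two artifacts described above, a PHP payload hidden inside an image file and a PHP template that `include`s that image, are both detectable with simple static checks. The following scanner is an added example written for this page; it is not code from Microsoft's report or from Magento. It assumes that the skimmer's "administrator not logged in" test reads a `$_COOKIE` entry whose name contains "admin" (a hypothetical name chosen for the example) and that the checkout test looks for "checkout", "onepage" or "one page" in the URL; the sample favicon and template files are constructed inline for demonstration.

```python
"""Detect PHP skimmers hidden in image files and the include() that loads them.

Added example for this article (not Microsoft's or Magento's code). Sample inputs
below are constructed for the demonstration.
"""
import os
import re

# Magic bytes of the image formats an attacker is likely to abuse.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x00\x00\x01\x00": "ico",
}
IMAGE_EXT = (".ico", ".png", ".jpg", ".jpeg", ".gif")

# A PHP open tag has no legitimate reason to appear inside image data.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# include/require of a file with an image extension, e.g. include('favicon.ico');
IMAGE_INCLUDE = re.compile(
    r"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+\.(?:ico|png|jpe?g|gif))['"]""",
    re.IGNORECASE,
)
# Heuristics for the two gating checks the article describes. The cookie name
# containing "admin" is an assumption made for this example.
ADMIN_COOKIE = re.compile(r"""\$_COOKIE\s*\[\s*['"][^'"]*admin[^'"]*['"]\s*\]""", re.IGNORECASE)
CHECKOUT_URL = re.compile(r"\b(checkout|onepage|one page)\b", re.IGNORECASE)


def image_type(data: bytes):
    """Return the image format implied by the file's leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_image(name: str, data: bytes) -> dict:
    """Report whether a file that claims to be an image carries PHP code.

    The image header is usually left intact so the file still renders, which is
    why the scan looks for the PHP tag anywhere in the file, not only at offset 0.
    """
    m = PHP_TAG.search(data)
    result = {"file": name, "image_type": image_type(data),
              "php_offset": m.start() if m else None}
    if m:
        tail = data[m.start():].decode("latin-1")
        result["admin_cookie_check"] = bool(ADMIN_COOKIE.search(tail))
        result["checkout_url_check"] = bool(CHECKOUT_URL.search(tail))
    return result


def scan_php_source(name: str, src: str) -> list:
    """List every image file that a PHP/PHTML source includes as code."""
    return [{"file": name, "included_image": m.group(1)}
            for m in IMAGE_INCLUDE.finditer(src)]


def scan_tree(root: str) -> list:
    """Apply both scanners to a document root (e.g. a Magento install)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            ext = os.path.splitext(fn)[1].lower()
            try:
                if ext in IMAGE_EXT:
                    with open(path, "rb") as f:
                        r = scan_image(path, f.read())
                    if r["php_offset"] is not None:
                        hits.append(r)
                elif ext in (".php", ".phtml"):
                    with open(path, "r", encoding="utf-8", errors="replace") as f:
                        hits.extend(scan_php_source(path, f.read()))
            except OSError:
                continue
    return hits


# --- constructed samples (not real malware) ---------------------------------
ICO_HEADER = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00"
CLEAN_FAVICON = ICO_HEADER + b"\x00" * 64
# Mimics the structure the article describes: admin-cookie gate, then URL check.
MALICIOUS_FAVICON = ICO_HEADER + b"\x00" * 64 + (
    b"<?php if(!isset($_COOKIE['adminhtml'])){$u=$_SERVER['REQUEST_URI'];"
    b"if(strpos($u,'checkout')!==false||strpos($u,'onepage')!==false){/* skim */}} ?>"
)
INFECTED_TEMPLATE = "<?php /* header.phtml */ include('favicon.ico'); ?>\n<div class=\"logo\"></div>\n"

if __name__ == "__main__":
    print(scan_image("favicon.ico", CLEAN_FAVICON))
    print(scan_image("favicon.ico", MALICIOUS_FAVICON))
    print(scan_php_source("header.phtml", INFECTED_TEMPLATE))
```

Run `scan_tree("/var/www/html")` (path is an assumption) on a suspect store to get both kinds of hit in one list; a PHP tag inside any image, or any template that includes an image file, deserves a manual look.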

Campaigns like this account for much of the recent increase in PHP-based card skimming. U.S. authorities also recently issued an alert about web shells injected into hundreds of e-commerce sites to give attackers remote access.

This does not mean malicious JavaScript is obsolete. The researchers also found skimmers disguised as Google Analytics and Meta Pixel JavaScript snippets; because the code looks like a legitimate tracking tag, store administrators are unlikely to question its presence.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.