Visa Describes New Skimming Attack TacticsCybercriminals Using Web Shells to Control Retailers' Servers
Visa's Payment Fraud Disruption team reports that cybercriminals are increasingly using web shells to establish command and control over retailers' servers during payment card skimming attacks.
"As a result, eSkimming, or digital skimming, is among the top threats to the payments ecosystem," according to the Visa report.
The web shells enable fraudsters conducting digital skimming attacks on e-commerce sites to establish and maintain access to compromised servers, deploy additional malicious files and payloads, facilitate lateral movement within a victim's network and remotely execute commands, Visa says.
The most common methods for deploying a web shell are malicious application plug-ins and PHP code, Visa reports.
Visa reached its conclusions after studying 45 digital skimming attacks in 2020. In February, Microsoft reported spotting 140,000 web shells per month on servers from August 2020 to January 2021, which it said is almost twice the number from the same period the year before. These web shells, however, were not being used for retail attacks.
Visa notes attacks skimming payment card data from online checkout functions of e-commerce sites have become more prevalent during the COVID-19 pandemic as consumers have shifted to online shopping.
Visa offered several examples of ways attackers gain initial entry and then deploy a web shell on an ecommerce site.
For example, in one case, a merchant's administrative database credentials were stored in clear text and hard-coded into database-related PHP files. So the attackers were able to gain relatively easy access to the credentials necessary to deploy the web shells and gain root access to the database and web servers, Visa says.
In another case, the attackers obtained the administrative credentials to a company's "jump box," a secure computer that administrators use to gain entry to their network. This enabled the attackers to enter the e-commerce system and implant the web shell.
Using plug-ins that integrate into a merchant's commerce platform is another common method that attackers launching skimming attacks use, the report notes.
"In one incident, actors modified the code of a legitimate file related to a plug-in for the content management system that was used to build the merchant's website," Visa reports. "The modifications injected malicious code into this plug-in that provided the actors with administrative privileges to the e-commerce environment."
In another case, the attackers exploited a vulnerability in a plug-in integrated into the merchant's website via a third-party service provider, the report notes.
Visa's investigation also determined that many retailers' e-commerce sites were running Adobe's Magento V.1, which reached end-of-life status in mid-2020 and is no longer being supported.
Visa offered a list of security recommendations to help thwart skimming attacks and other threats. Those include:
- Enforce effective identity access management practices and ensure administrative panels and other privileged access methods are properly secured and not publicly accessible.
- Ensure familiarity and vigilance with code integrated into e-commerce environments via service providers by reviewing and validating the code and updates, and closely vet content delivery networks and other third-party resources.
- Regularly ensure that online shopping carts, other services and all e-commerce software are upgraded or patched to the latest versions.
- Regularly scan and test e-commerce sites for vulnerabilities or malware.
- Log e-commerce environment network activity and regularly review for unusual, suspicious activity.
- Implement network segmentation to prevent threat actor movement and ensure the cardholder data environment is sufficiently protected.