FLASH # MC-000170-MW details how cyber actors have been observed scraping credit card data from US business’ online checkout pages and maintaining persistence by injecting malicious PHP code.
As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server. The unidentified cyber actors also established backdoor access to the victim’s system by modifying two files within the checkout page. The FBI has identified and is sharing new indicators of compromise (IOCs), which may assist in network defense.
- Update and patch all systems, to include operating systems, software, and any third party code running as part of your website.
- Change default login credentials on all systems.
- Monitor requests performed against your e-commerce environment to identify possible malicious activity.
- Segregate and segment network systems to limit how easily cyber criminals can move from one to another.
- Secure all websites transferring sensitive information by using secure socket layer (SSL) protocol.
- Install third-party software/hardware from trusted sources. Coordinate with the manufacturer to ensure their security protocols prevent unauthorized access to data they store and/or process.
- Patch all systems for critical vulnerabilities, prioritizing timely patching of internet connected servers for known vulnerabilities and software processing internet data, such as web browsers, browser plugins, and document readers.
- Actively scan and monitor web logs and web applications for unauthorized access, modification, and anomalous activities.
- Strengthen credential requirements and implement multifactor authentication to protect individual accounts.
- Conduct regular backups to reduce recovery time in the event of a compromise or cyber intrusion.
- Maintain an updated Incident Response Plan addressing cyber threat response.