Cyberattackers are targeting US online businesses by injecting malicious PHP code into e-commerce payment pages and exfiltrating the extracted data to a command-and-control (C2) server spoofed to look like a legitimate credit card processor.
That's according to a flash alert from the FBI published this week, which details one attack in particular that began in September 2020. In addition to deleting credit card data, the cybercriminals were modifying the company's payment page code to gain backdoor access to the company's systems. The FBI has provided indicators of compromise and recommended mitigations for similar e-merchants, including patching and ongoing monitoring of e-commerce environments.
Companies should take the alert "seriously"
Cyvatar CISO Dave Cundiff explained in an email reaction to the alert that basic cybersecurity hygiene and monitoring would be enough to repel this type of attack.
“Continuous auditing and monitoring of an organization’s fundamental cybersecurity is a requirement these days,” Cundiff said. “If an organization’s security fundamentals aren’t strong, then the added complexity of any additional security is unnecessary.”
U.S. companies should take this alert seriously, according to Kunal Modasiya, senior director of product management at PerimeterX.
“Given the risks of supply chain attacks in general, it is important for companies to look beyond server-side security tools, such as static code analysis, external scanners and the limitations of CSP to solutions,” says Modasiya.
Ron Bradley, vice president of Shared Assessments, notes that organizations handling credit card data, which he called “one of the crown jewels for fraudsters,” should put in place technical controls such as File Integrity Monitoring (FIM).
“If you run a website, especially one that transacts funds, and you haven’t implemented FIM, I don’t want to shop there,” Bradley said. “Plus, you’re going to get beaten up by bad actors because you don’t have your house in order.”
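The File Integrity Monitoring control Bradley refers to is, at its core, a hashed baseline of the web root compared against later snapshots, so that an unexpected change to a payment page (the kind of modification the FBI alert describes) surfaces as a "modified" entry rather than going unnoticed. The following is an added, self-contained example and is not code from the FBI alert or from any vendor quoted above; the watched file extensions, the directory layout and the sample checkout page are all constructed assumptions for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: on a PHP storefront these are the file types worth baselining.
WATCHED_SUFFIXES = {".php", ".js", ".html"}
WATCHED_NAMES = {".htaccess"}


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.suffix in WATCHED_SUFFIXES or p.name in WATCHED_NAMES):
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small web root, then alter the checkout page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "checkout").mkdir()
        page = root / "checkout" / "payment.php"
        page.write_text("<?php // constructed sample checkout page\nrender_form();\n")
        (root / "index.php").write_text("<?php include 'checkout/payment.php';\n")
        (root / "logo.png").write_bytes(b"\x89PNG constructed")  # not a watched type
        baseline = build_baseline(root)

        # Simulate what a later FIM run should catch: the payment page has changed
        # and a new PHP file has appeared under the checkout directory.
        page.write_text(page.read_text() + "// appended content (constructed)\n")
        (root / "checkout" / "extra.php").write_text("<?php // constructed new file\n")

        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    # In practice the baseline would be written to storage the web server cannot
    # modify and the comparison run on a schedule, alerting on any non-empty result.
    print(json.dumps(demo(), indent=2))
```

The important operational detail is where the baseline lives: if it sits in the same web root with the same permissions as the PHP files, whoever can modify the payment page can also refresh the baseline, so it should be stored and compared from a separate, more restricted context, and every legitimate deployment should be followed by a deliberate re-baseline.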