FBI: E-Tailers, Beware Web Injections for Scraping Credit-Card Data, Backdoors

Law enforcement is warning about a wave of Web injection attacks on US online retailers that are successfully stealing credit-card information from online checkout pages.

Hands on computer with online shopping cart image to illustrate online retail
Source: Skorzewiak via Alamy

Cyberattackers are targeting US online businesses by injecting malicious PHP code into e-commerce checkout pages and exfiltrating scraped data to a command-and-control (C2) server spoofed to look like a legitimate credit-card processor.

That's according to a flash alert from the FBI issued this week, which detailed one attack in particular that began in September 2020. Along with scraping credit-card data, the cybercriminals were modifying the business checkout page code to gain backdoor access to the business' system. The FBI provided indicators of compromise and recommended mitigations for similar e-tailers, including patching and ongoing monitoring of e-commerce environments. 

Businesses Should Take Alert 'Seriously'
Cyvatar CISO Dave Cundiff explained in an emailed reaction to the alert that basic cybersecurity hygiene and monitoring would be enough to fend off this sort of attack. 

"Continually verifying and monitoring an organization's fundamental cybersecurity is a requirement these days," Cundiff said. "If the fundamentals of an organization’s security are not strong, then the additional complexity of any additional security is useless." 

US businesses should take this alert seriously, according to Kunal Modasiya, senior director of product management at PerimeterX,.

"Given the risks of supply-chain attacks in general, it is important that businesses look beyond server-side security tools, such as static code analysis, external scanners, and the limitations of CSP to solutions," Modasiya says. 

Ron Bradley, vice president of Shared Assessments, meanwhile notes that organizations dealing with credit-card data, which he called "one of the crown jewels for fraudsters," should have technical controls like file integrity monitoring (FIM) in place.

"If you're running a website, especially one which transacts funds, and if you don't have FIM implemented, I don't want to shop there," Bradley said. "Furthermore, you're going to get pummeled by bad actors because you don't have your house in order."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights