VISA Reports Credit Card Hacking Using Web Shells

Threat actors are continually deploying web shells on hacked servers to steal the credit card details of online shop customers, according to Visa, the global financial services company.

Web shells are programs that threat actors use to gain and maintain access to compromised systems. They can execute commands and arbitrary code remotely, deliver additional malicious files, or move laterally.

Visa reported that the use of web shells to inject JavaScript-based scripts known as credit card skimmers has increased over the last year. These scripts are planted in compromised online stores in web skimming attacks, also called e-Skimming or Magecart.

Credit Card Hacking Using Web Shells

Once installed, the skimmers enable attackers to steal customers' payment and personal information from the infected online stores.

Visa stated that “Throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many eSkimming attacks used web shells to establish a command and control (C2) during the attacks.”

“PFD confirmed at least 45 eSkimming attacks in 2020 using web shells, and security researchers similarly noted increasing web shell use across the wider information security threat landscape,” the company added.

According to Visa PFD, Magecart cybercriminals used web shells to hack online store systems and build a command-and-control system that enabled them to steal user credit card information.

The cybercriminals exploited weaknesses including unsecured admin networks, outdated eCommerce systems, and vulnerable eCommerce-related applications.

Visa said, “While the above tactics, techniques, and procedures are not an exhaustive list of the various methods and exploits that attackers used in these web shell attacks, they are some of the leading methodologies identified.”

“Identifying tactics, such as the use of web shells, also assists in identifying compromises when eSkimmers are not detected on the merchant website,” Visa added.

The Microsoft Defender Advanced Threat Protection (ATP) team corroborated Visa's findings in February, stating that the number of web shells installed on infected servers has nearly doubled since last year.

From August 2020 to January 2021, the company's security analysts found a total of 140,000 malware tools on compromised servers each month.

Microsoft also said that, based on data obtained from approximately 46,000 different computers from July to December 2019, it discovered an estimated 77,000 web shells per month.

According to Visa, "The use of web shells to facilitate eSkimming attacks will likely persist, especially as the restrictions around in-person, brick-and-mortar commerce remain in place as the pandemic continues."
