Visa, a global payment processor, has warned that hackers are increasingly deploying web shells on compromised servers to steal credit card information from online customers. Hackers use web shells to gain access to compromised servers, remotely execute arbitrary commands or code, move covertly within a victim's compromised network, or deploy additional payloads. Visa has seen an increase in the use of web shells to deploy JavaScript-based files, known as credit card skimmers, onto breached online platforms in digital skimming attacks.
If successful, the skimmers allow the hackers to exfiltrate payment information and personal data submitted by customers of the breached online platforms and then transfer it to servers they control. According to Visa, “throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many e-skimming attacks used web shells to establish a command and control (C2) during the attacks. PFD confirmed at least 45 eskimming attacks in 2020 using web shells, and security researchers similarly noted increasing web shell use across the wider information security threat landscape.”
According to Visa PFD's findings, most Magecart hackers used web shells to plant backdoors in compromised online store servers and build a command-and-control (C2) infrastructure that lets them steal credit card information. The hackers used various approaches to break into the online shops’ servers: exploiting vulnerabilities in unsafe infrastructure, in e-commerce apps and website plugins, and in unpatched or out-of-date e-commerce websites.
The company’s security researchers discovered an average of 140,000 such malicious tools on hacked servers every month between August 2020 and January 2021. “In comparison, Microsoft said in a 2020 report that it detected an average of 77,000 web shells each month, based on data collected from roughly 46,000 distinct devices between July and December 2019.”