Security researchers discovered that attackers are also deploying a Linux backdoor on compromised e-commerce servers after injecting a credit card skimmer into online shops’ websites.
The PHP-coded web skimmer (a script designed to steal and exfiltrate customers’ payment and personal info) is added and camouflaged as a .JPG image file in the /app/design/frontend/ folder.
The attackers use this script to download and inject fake payment forms on checkout pages displayed to customers by the hacked online shop.
We found that the attacker started with automated eCommerce attack probes, testing for dozens of weaknesses in common online store platforms, the Sansec Threat Research Team revealed.