back to article How these crooks backdoor online shops and siphon victims' credit card info

The FBI and its friends have warned businesses of crooks scraping people's credit-card details from tampered payment pages on compromised websites. It's an age-old problem: someone breaks into your online store and alters the code so that as your customers enter their info, copies of their data is siphoned to fraudsters to …

  1. Mike 137 Silver badge

    Ah, but how?

    From the report: "As of January 2022, the unidentified cyber actors used the require_once() function to call and execute the TempOrders.php file"

    The key (and entirely unanswered) question is how they got to the point where they could modify the PHP code. That suggests a serious deficiency in server security to start with. Increasingly, breach reports seem to gloss over the initial penetration vector, which is of course the most important factor almost every time.

    1. Little Mouse Silver badge

      Re: Ah, but how?

      A serious deficiency in security is certainly implied.

      The FBI's recommendations for being "less of an easy target" include patching regularly, changing default credentials, etc, suggesting that some online businesses are still completely unaware of the basics.

      1. AlexFillman

        Re: Ah, but how?

        My website https://campinglifegear.com/ has also been affected by cybercriminals. So much work went to nothing( But I'm not discouraged and I'm moving on!

    2. Pomgolian
      FAIL

      Re: Ah, but how?

      Bang on. Unless you have a heads up on how the site was compromised in the first place, removing the affected code is useless because it'll be back again by morning.

      Does this affect all shopping cart systems or is it specific to a particular code base? Magento anyone? Asking for a friend.

  2. Boolian

    Mitigate to accumulate

    I assume all online shopping sites are compromised (can be, or will be) I would have thought by now, most only use Virtual Cards for online purchases - but no, apparently not.

    Certainly, if I was currently running an online shop, it would include a hefty recommendation to my customer base to use them.

    All banks should offer such a service by default, but not all do (vanishingly few and by request only) nor are they all engaged in an information campaign to encourage the practice - hence the rise of FinTech services.

    So, all we can do is attempt to mitigate individually. Of course the argument is that even 'virtual' cards and accounds (and the Banks and FinTechs operating them) are equally likely to be compromised. What can you do? Really only try as best you can, with the tools available.

    Use a seperate debit card/virtual account only for online purchases, load it only with the amount required at point of purchase and generate a 'one-time' virtual card form that.

    Is that process convenient? Nah not the most convenient really, but less inconvenient than having your bank details hoovered as a matter of course and stored in plaintext.

    At best you lose that dosh only. At worst the Bank and/or FinTech offering such a service is compromised and all your dosh disappears anyway, but you might have some redress at least.

    Yes, I am aware of a particular FinTech notoriously 'freezing' 'virtual' accounts with large balances in them, without apparent redress (or timely redress) That's not really best mitigating practice though - holding a large 'float' - that's convenience and security is inconvenient.

    Security is hard, compromise is assured, mitigation is all we have.

    1. Martha2030

      Re: Mitigate to accumulate

      Oh yeah that’s true. Great article

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022