FBI Flash TLP White: Cyber Actors Scrape Credit Card Data from US Business Online Checkout Page

FBI Flash TLP White: Cyber Actors Scrape Credit Card Data from US Business Online Checkout Page and Maintain Persistence by Injecting Malicious PHP Code

May 16, 2022
Flash Number: MC-000170-MW

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber actors. This FLASH was coordinated with DHS/CISA.

This FLASH has been released TLP:WHITE

WE NEED YOUR HELP! If you identify any suspicious activity within your enterprise or have related information, please contact your local FBI Cyber Squad immediately with respect to the procedures outlined in the Reporting Notice section of this message.

*Note: By reporting any related information to FBI Cyber Squads, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

Summary

As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server. The unidentified cyber actors also established backdoor access to the victim’s system by modifying two files within the checkout page. The FBI has identified and is sharing new indicators of compromise (IOCs), which may assist in network defense.

Technical Details

Unidentified cyber actors began targeting a US business in September 2020 from three Internet protocol (IP) addresses: 80.249.207.19, 80.82.64.211, and 80.249.206.197. The actors inserted malicious PHP code into the business’s customized online checkout page, checkout.php, by altering the associated TempOrders.php file. The checkout page was modified with the following include() statement:
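As an added defensive example (not part of the FBI Flash and not code from the victim's site), the following Python script shows one way to catch the modification pattern described above: it records a hash and the include/require targets of trusted checkout files, then flags any include that was not in that baseline, any include target that does not look like PHP source, and any include whose target is computed at runtime. The sample PHP contents, the file name TempOrders.php as used here, and the paths are constructed for the demonstration; the actual injected include() statement from the incident is not reproduced.

```python
"""Integrity check for PHP checkout files: flags include/require statements that
were not in a known-good baseline, plus content-hash drift.
Added example; the PHP snippets and paths below are constructed placeholders,
not indicators from the FBI Flash."""
import hashlib
import re
from typing import Dict, List

# include/require with a string-literal target, e.g. include 'x.php' or require_once("x.php")
LITERAL_INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b\s*\(?\s*(['\"])(.+?)\2",
    re.IGNORECASE,
)
# Any include/require keyword; the difference to the literal count reveals runtime-built targets
ANY_INCLUDE_RE = re.compile(r"\b(include|include_once|require|require_once)\b", re.IGNORECASE)
# Extensions a legitimate PHP include should not carry; injected code is often parked in such files
SUSPICIOUS_SUFFIXES = (".jpg", ".png", ".gif", ".ico", ".txt", ".log")


def extract_includes(php_source: str) -> List[str]:
    """Return the string-literal targets of every include/require statement."""
    return [m.group(3) for m in LITERAL_INCLUDE_RE.finditer(php_source)]


def count_dynamic_includes(php_source: str) -> int:
    """Number of include/require statements whose target is not a plain string literal."""
    return len(ANY_INCLUDE_RE.findall(php_source)) - len(extract_includes(php_source))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files: Dict[str, str]) -> Dict[str, dict]:
    """Record hash and include list per trusted file (run on a known-good deployment)."""
    return {name: {"sha256": sha256_hex(src), "includes": extract_includes(src)}
            for name, src in files.items()}


def audit_file(name: str, source: str, baseline: Dict[str, dict]) -> List[str]:
    """Compare one file against the baseline and return human-readable findings."""
    findings: List[str] = []
    known = baseline.get(name)
    if known is None:
        return [f"{name}: file not present in baseline"]
    if sha256_hex(source) != known["sha256"]:
        findings.append(f"{name}: content hash differs from baseline")
    for target in extract_includes(source):
        if target not in known["includes"]:
            findings.append(f"{name}: include target not in baseline: {target!r}")
        if target.lower().endswith(SUSPICIOUS_SUFFIXES) or target.startswith(("http://", "https://")):
            findings.append(f"{name}: include target is not a PHP source path: {target!r}")
    if count_dynamic_includes(source) > 0:
        findings.append(f"{name}: include/require with runtime-computed target, review manually")
    return findings


# Constructed sample: a trusted TempOrders.php and a copy with one injected include line.
CLEAN_TEMPORDERS = """<?php
require_once 'config.php';
require_once 'lib/cart.php';
$order = build_order($_SESSION['cart']);
"""
TAMPERED_TEMPORDERS = CLEAN_TEMPORDERS + \
    "include('/var/www/html/media/cache/.thumb.jpg'); // injected line (constructed)\n"

BASELINE = build_baseline({"TempOrders.php": CLEAN_TEMPORDERS})

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_TEMPORDERS), ("tampered", TAMPERED_TEMPORDERS)):
        print(label, audit_file("TempOrders.php", src, BASELINE) or ["no findings"])
```

Build the baseline from a known-good deployment and store it off the web server, so an actor who can write to the checkout directory cannot also update the reference hashes. The hash comparison alone would surface a change to TempOrders.php; the include checks narrow down what changed and where the injected code lives.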
