As of January 2022, unidentified cyber actors unlawfully scraped credit card data from a US business by injecting malicious PHP Hypertext Preprocessor (PHP) code into the business’ online checkout page and sending the scraped data to an actor-controlled server that spoofed a legitimate card processing server.
The unidentified cyber actors also established backdoor access to the victim’s system by modifying two files within the checkout page. The FBI has identified and is sharing new indicators of compromise (IOCs), which may assist in network defense.
Unidentified cyber actors began targeting a US business in September 2020 from three Internet protocol (IP) addresses: 220.127.116.11, 18.104.22.168, and 22.214.171.124. The actors inserted malicious PHP code into the business’s customized online checkout page, checkout.php, by altering the associated TempOrders.php file. The checkout page was modified with the following include()statement:
Source: U.S. Federal Bureau of Investigation Cyber Division