Microsoft threat researchers have observed a change in tactics used by card-skimming malware. Over the past decade, card skimming has been dominated by so-called Magecart malware that relies on JavaScript code to inject scripts into checkout pages and deliver malware that captures and steals payment card details. Injecting JavaScript into front-end processes was “very conspicuous”, Microsoft notes, because it might have triggered browser protections like Content Security Policy (CSP) that stop external scripts from loading. Attackers found less noisy techniques by targeting web servers with malicious PHP scripts. SEE: Microsoft warns: This botnet has new tricks to target Linux and Windows systems Microsoft in November 2021 found two malicious image files, including one fake browser favicon, being uploaded to a Magento-hosted server. Magento is a popular e-commerce platform. The images contained embedded PHP script, which by default didn’t run on the affected web server. Instead, the PHP script only runs after confirming, via cookies, that the web admin is not currently signed-in, in order to only target shoppers. Once the PHP script was run, it retrieved the current page’s URL and looked for “checkout” and “one page”, two keywords that are mapped to Magneto’s checkout page. “The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn’t run the said code. Based on previous similar attacks, we believe that the attacker used a PHP ‘include’ expression to include the image (that contains the PHP code) in the website’s index page, so that it automatically loads at every webpage visit,” Microsoft explained. There has been a rise in the use of malicious PHP in card-skimming malware. The FBI last week warned of new cases of card-skimming attackers using malicious PHP to infect US business’ checkout pages with webshells for backdoor remote access to the web server. Security firm Sucuri found that 41% of new credit card-skimming malware observed in 2021 was related to PHP skimmers targeting backend web servers. Malwarebytes earlier this month said Magecart Group 12 was distributing new webshell malware that dynamically loads JavaScript skimming code via server-side requests to online stores. “This technique is interesting as most client-side security tools will not be able to detect or block the skimmer,” Malwarebytes’ Jérôme Segura noted. “Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell.” But malicious JavaScript remains part of the card-skimming game. For example, Microsoft found examples of card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. This can trick admins into thinking the scripts are benign.