- The attacker injects their malicious code into a website’s checkout page. How they inject their malicious code can vary quite a bit. The point is to find a way to upload their code to the server. That would typically be through a cross-site scripting (XSS) attack, but it could be through any other type of code injection attack. It could also be through a phishing attack targeted at the website’s system administrator. That way, the attacker could presumably obtain the system administrator’s credentials and upload their script through the website’s control panel.
- A user makes a purchase on the website and enters their credit card details on the site’s checkout page. The attacker’s script copies that information and sends it to a server controlled by the attacker.
- The attacker can then use the funneled information for financial fraud or identity theft.
Because there’s a good chance that your attacker would inject their code using a cross-site scripting (XSS) attack, protecting against XSS attacks is the first thing you should do. The points listed below should help. For more information on defending against XSS attacks, I recommend reading our dedicated article on the topic. Here is a high-level view of the recommendations:
Defending against cross-site scripting (XSS) attacks
- Don’t trust user input – You should treat all user input equally – don’t trust it – regardless of whether it comes from authenticated users, internal users, or public users.
- Sanitize your HTML – Escaping/encoding user input that contains HTML will result in breaking valid tags. To work around this issue, use a trusted and verified library to parse and clean the HTML. Make sure you choose the appropriate library for your development language.
- Use a Content Security Policy – CSP is an HTTP response header that tells the browser which dynamic resources (scripts, stylesheets, images, and the destinations of page-initiated requests) it is allowed to load, based on the origin they come from.
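To make the CSP point concrete, here is an added example (not code from the original article) that evaluates a checkout-page policy the way a browser would, for the two things a skimmer needs: running an injected inline script, and sending the copied card data to a host the site never listed. The policy string, the `payments.example`, `shop.example` and `unlisted-host.example` origins, and the small parser are all constructed for this example; the parser only handles the source expressions used here (`'self'`, `'none'`, `*`, scheme-only sources such as `data:`, and `scheme://host` origins), not nonces or hashes.

```python
"""Added example: minimal Content-Security-Policy evaluator for a checkout page.
Policy, origins and parser are constructed for illustration; nonce/hash source
expressions are out of scope."""
from urllib.parse import urlsplit

# Hypothetical checkout-page policy: scripts only from our own origin and the
# payment provider, and page-initiated requests (fetch/XHR/beacon) only to those.
# Anything not listed falls back to default-src 'none' and is blocked.
CHECKOUT_CSP = (
    "default-src 'none'; "
    "script-src 'self' https://payments.example; "
    "connect-src 'self' https://payments.example; "
    "img-src 'self' data:; "
    "style-src 'self'"
)


def parse_csp(header):
    """Turn "dir1 src src; dir2 src" into {"dir1": ["src", ...], "dir2": [...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url):
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def csp_allows(header, directive, url, page_origin, inline=False):
    """Return True if the policy lets `directive` load or connect to `url`.

    Falls back to default-src when the directive is absent, as browsers do.
    An inline script is only allowed when 'unsafe-inline' is present."""
    policy = parse_csp(header)
    sources = [s.lower() for s in policy.get(directive, policy.get("default-src", []))]
    if inline:
        return "'unsafe-inline'" in sources
    if "'none'" in sources:
        return False
    if "*" in sources:
        return True
    target = _origin(url)
    if "'self'" in sources and target == page_origin.lower():
        return True
    for src in sources:
        if src.startswith("'"):          # keyword sources already handled above
            continue
        if src.endswith(":"):            # scheme-only source such as data:
            if url.lower().startswith(src):
                return True
        elif _origin(src) == target:     # host source: compare origins
            return True
    return False


if __name__ == "__main__":
    page = "https://shop.example"
    checks = [
        ("own script", "script-src", "https://shop.example/js/checkout.js", False),
        ("injected inline script", "script-src", "", True),
        ("exfiltration request", "connect-src", "https://unlisted-host.example/collect", False),
        ("payment provider call", "connect-src", "https://payments.example/api", False),
    ]
    for label, directive, url, inline in checks:
        verdict = "allowed" if csp_allows(CHECKOUT_CSP, directive, url, page, inline) else "BLOCKED"
        print(f"{label:24} {verdict}")
```

The interesting lines are the `connect-src` and the absent `'unsafe-inline'`: even if an attacker manages to get script text into the page, this policy stops the browser from executing it inline and from sending anything to a host outside the allowlist. Deploy a new policy in `Content-Security-Policy-Report-Only` mode first and read the violation reports before enforcing it, because a too-strict policy breaks legitimate checkout scripts.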
Hardening the website
- Use strong passwords – Make sure to use complex and unique passwords to access the website’s admin panel and any other administration services (phpMyAdmin, Adminer, etc.). If you can, also set up two-factor authentication.
- Update your software – Always update your software as soon as the updates are available, including your site’s CMS. Never use outdated or unsupported CMS versions. That will reduce the risk of your servers being compromised and make it more difficult for an attacker to inject malicious code.
- Scan your web store – Perform regular security audits of your web store using a vulnerability scanner. If your site uses the Magento CMS, you can use the Magento Security Scan Tool.
- Enable logging – Make sure your systems are configured to log any changes on the site, including the site’s control panel and databases. And make sure you’re able to track file change dates. That will help you detect any malicious code, infected files, and unauthorized access to the site.
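The "track file change dates" point above is easiest to act on with a baseline-and-compare check over the web root. The following is an added example, not code from the original article or from any CMS: it hashes every file under a directory with SHA-256, stores the result as a JSON baseline, and on the next run reports files that were added, removed or modified, with their modification times. The `webroot` directory, `checkout.js` and the other files in `demo()` are constructed inside a temporary directory for the example; the paths are placeholders, not a real deployment.

```python
"""Added example: minimal file-integrity check for a web root (baseline + diff).
Files and paths in demo() are constructed in a temporary directory."""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def snapshot(root):
    """Map each file (path relative to root, POSIX form) to its SHA-256 and mtime."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        result[path.relative_to(root).as_posix()] = {
            "sha256": digest,
            "mtime": path.stat().st_mtime,
        }
    return result


def diff_snapshots(baseline, current):
    """Return added/removed/modified relative paths, sorted for stable output.
    Comparison is by content hash, so a touched-but-unchanged file is not flagged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap, baseline_file):
    Path(baseline_file).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(baseline_file):
    return json.loads(Path(baseline_file).read_text())


def report(changes, current):
    """One human-readable line per change, with the file's modification time."""
    lines = []
    for kind in ("added", "modified"):
        for p in changes[kind]:
            when = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(current[p]["mtime"]))
            lines.append(f"{kind.upper():8} {p}  (mtime {when})")
    for p in changes["removed"]:
        lines.append(f"REMOVED  {p}")
    return lines


def demo():
    """Build a constructed web root, take a baseline, alter it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "webroot"
        baseline_file = Path(tmp) / "baseline.json"
        (webroot / "js").mkdir(parents=True)
        (webroot / "js" / "checkout.js").write_text("// original checkout script\n")
        (webroot / "index.php").write_text("<?php echo 'shop'; ?>\n")
        (webroot / "old.txt").write_text("to be removed\n")
        save_baseline(snapshot(webroot), baseline_file)

        # Simulate what a later run would see: one script altered, one file
        # added, one removed, and index.php untouched.
        (webroot / "js" / "checkout.js").write_text("// original checkout script\n// extra\n")
        (webroot / "js" / "extra.js").write_text("// unexpected new file\n")
        (webroot / "old.txt").unlink()

        current = snapshot(webroot)
        changes = diff_snapshots(load_baseline(baseline_file), current)
        for line in report(changes, current):
            print(line)
        return changes


if __name__ == "__main__":
    demo()
```

In practice, keep the baseline file outside the web root (ideally on a separate host, since an attacker with write access to the site could otherwise update it), refresh it as part of every legitimate deployment, and feed the report lines into the same logging you use for the control panel so that a changed `checkout.js` shows up next to the admin-panel login that preceded it.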
Defending against phishing attacks
- Use a password manager with auto-fill – Password managers that support auto-fill need to keep track of the web pages for which they have been configured. If your auto-fill enabled password manager refuses to populate your password, double-check the web page you’re on. You may be the target of a phishing attack.
- Don’t open links/attachments in emails – Always verify emails that include links or attachments with the sender before clicking/opening them. If it comes from an online service or your bank, manually type the URL in your web browser yourself to make sure you’re on the actual legitimate website.
- Open suspicious documents in Google Drive – If you receive a suspicious document in an email, upload it to Google Drive rather than double-clicking it. That will convert the document into HTML and will very likely prevent it from installing malicious code on your device.
- Use a physical Two-Factor Authentication (2FA) key – It is highly recommended to configure your more sensitive accounts to use a 2FA key. When your accounts are configured in this way, after logging in normally (using your username and password), you insert the key into your device to provide the second layer in your two-factor authentication. One of the benefits of this approach is that if you end up on a phishing site, your 2FA key will know not to log you in.