Benjamin Hosack

Digital forensics for small and medium online businesses is usually a busy part of our business, and the start to this year has been no exception. In fact, we have had the busiest start to a forensic year ever!

This week there have been a few cases that are very similar – all having been compromised by “WEB SHELLS”.

What is a WEB SHELL?

A Web Shell is a piece of code loaded onto the website that allows the attacker to modify the files in the web root directory of the server – and, with that, to gain full access to the database.

In layman's terms, a Web Shell on your website means that your website is essentially fully accessible to the attacker – including all the internal, private information and access it holds. It has been fully hacked and compromised, and you can assume that anything you have on that website, and in the databases behind it, will have been stolen. In fact, it is highly likely that the attacker is accessing your website on a frequent basis to collect new credit card data.

How is a WEB SHELL put on your website?

Web Shells are usually installed by compromising legitimate applications on a webserver, using techniques such as SQL Injection, Remote File Inclusion, an unsecured file upload facility, or brute-forced user credentials.

Are WEB SHELLS a regular form of attack?

Over 90% of the investigations that our forensic team carry out on small-medium online businesses have had some kind of WEB SHELL installed and used to extract data. They are highly prevalent.

What’s the risk?

Well, most of the online businesses that call us for help have some kind of API/store & forward arrangement with their payment processor. In these cases the attackers have been after the credit and debit cardholder data, and by the time we have been called to help they have usually stolen everything in the database.

We also get online businesses who assume that, because they redirect to a hosted payment page on their payment processor's servers, they are secure. In these cases the WEB SHELL is usually used to steal other customer data, such as names, addresses, passwords etc. However, the attackers can also modify the website to route transaction data through a different path – i.e. their own servers – while at the same time passing the customer through to the hosted payment page. This is less frequently seen, but is certainly on the rise as hosted payment pages become more prevalent. The myth that a website is secure because the payment process is outsourced is easily undone when an attacker has the ability to change how the website works.

How do you prevent WEB SHELLS from being installed on your website?

There are a number of ways that you can protect your website:

  1. Regularly test the web applications on your website – get a security testing team to conduct a web application security test on your website. This will tell you if you have vulnerable applications.
  2. Install a protective solution like FGX-Web Protect – the dual-layer defence provides website file change monitoring and alerting, while also ensuring that any attacks on your website are filtered out before they hit your website.
  3. Ensure that your developers are releasing secure code through secure coding practices.
  4. Maintain complex passwords that are changed regularly.
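As an added example (not code from the original post, and not FGX-Web Protect), the following Python script shows the kind of website file change monitoring item 2 describes: it baselines a constructed web root by hash, reports added/modified/removed files, and flags changed files whose content matches shell-like PHP patterns. The web root, file contents and pattern list are all constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed indicator list: PHP functions often found in web shells.
SUSPICIOUS = re.compile(rb"\b(eval|assert|system|passthru|shell_exec|base64_decode)\s*\(")


def snapshot(root):
    """Return {relative_path: sha256} for every file under root (the baseline)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Classify changes since the baseline: added, modified and removed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def flag_suspicious(root, paths):
    """Among changed files, return those whose content matches shell-like patterns."""
    root = Path(root)
    return sorted(p for p in paths if SUSPICIOUS.search((root / p).read_bytes()))


def demo():
    """Constructed web root: take a baseline, simulate a compromise, report changes."""
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        (root / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed image bytes")
        baseline = snapshot(root)
        # Simulated compromise (inert, constructed content): a planted file under an
        # innocuous directory, and a legitimate file altered to include it.
        (root / "images" / "cache.php").write_bytes(
            b"<?php /* planted */ eval(base64_decode('AAAA')); ?>")
        (root / "index.php").write_bytes(
            b"<?php include 'images/cache.php'; echo 'hello'; ?>")
        changes = diff_snapshots(baseline, snapshot(root))
        flagged = flag_suspicious(root, changes["added"] + changes["modified"])
        return changes, flagged
```

In production the baseline would be stored off-host and the check scheduled, so that an attacker who can write to the web root cannot also silently update the baseline.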

You can find out more about Website Security at http://info.foregenix.com/website-security-whats-the-deal   


Benjamin Hosack

Benj Hosack is a Director and co-Founder of Foregenix Limited. Foregenix is a specialist information security business delivering services in Forensics, PCI DSS, PCI P2PE, PA-DSS and information security solutions within the Payment Card Industry. Our technologies are designed to simplify security and PCI Compliance. Specialties: Cardholder Data Discovery - defining and reducing PCI DSS Scope / PA-DSS / PCI DSS / P2PE / Account Data Compromise Investigations. We are specialists in the Payment Card Industry and work with all types of companies in the payment chain (Acquiring banks, Processors, hosting providers, web designers, merchants, systems integrators etc).
