Malicious DLL targets e-commerce sites for customer credit card data

E-commerce website operators should be on the lookout for malware that targets servers in order to pilfer the credit card data that site customers submit, a security firm warns.

The malicious DLL (dynamic link library), dubbed “ISN,” not only steals sensitive data but is also disguised as a module for Microsoft Internet Information Services (IIS) web-hosting software, researchers on Trustwave's SpiderLabs team found.

John Miller, a security research manager at Trustwave, told SCMagazine.com on Wednesday that saboteurs “broke into the web servers” of victims in a few, limited instances and installed ISN. The malware takes its name from character strings that showed up in all of its exfiltration commands.

Miller said that ISN steals data by capturing POST requests, which are sent while submitting form data on sites.

“Anytime you are filling out a form in your browser, it captures [the data] on the server side,” Miller said. “We've only seen it going after credit card numbers currently, but it could go after any information you submit on a website.”

Since Trustwave published a blog post about the threat on Monday, more antivirus software has begun detecting the malware, Miller said.

According to researchers, the installer component of the malware has four embedded DLLs. Which DLL is installed depends on the Microsoft software the target runs – IIS6 or IIS7+ (in 32- and 64-bit versions for both).
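
Because ISN poses as an IIS module, reviewing which modules a server has registered is a natural check. The following is an added example, not code from the article or from Trustwave: it covers IIS7+ only, reading native module registrations from the `globalModules` section of a copy of `applicationHost.config`. The sample config, the module name `ExampleLogModule`, its path, and the "expected directory" heuristic are constructed assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample of an IIS 7+ applicationHost.config fragment (not from the article).
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="ExampleLogModule" image="C:\Windows\Temp\example64.dll" preCondition="bitness64" />
      <add name="HttpCacheModule" image="%windir%\system32\inetsrv\cachhttp.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumption: stock native modules live in this directory; adjust for your build.
EXPECTED_DIR = r"%windir%\system32\inetsrv"

def list_native_modules(config_xml):
    """Return (name, image, preCondition) for every registered native module."""
    root = ET.fromstring(config_xml)
    return [(m.get("name", ""), m.get("image", ""), m.get("preCondition", ""))
            for gm in root.iter("globalModules") for m in gm.findall("add")]

def normalise(path):
    """Lower-case and normalise a Windows path; map common roots to %windir%."""
    p = ntpath.normpath(path.strip().strip('"')).lower()
    # Assumption: Windows is installed in C:\Windows on the server under review.
    for root in ("%systemroot%", r"c:\windows"):
        if p.startswith(root + "\\"):
            p = "%windir%" + p[len(root):]
    return p

def review_modules(config_xml, baseline=frozenset()):
    """Flag modules outside the expected directory or missing from the baseline."""
    findings = []
    for name, image, _ in list_native_modules(config_xml):
        reasons = []
        if ntpath.dirname(normalise(image)) != EXPECTED_DIR:
            reasons.append("image outside inetsrv")
        if baseline and name not in baseline:
            reasons.append("not in baseline")
        if reasons:
            findings.append((name, image, reasons))
    return findings

if __name__ == "__main__":
    for name, image, reasons in review_modules(SAMPLE_CONFIG):
        print(f"REVIEW {name}: {image} ({', '.join(reasons)})")
```

A flagged entry is a prompt for review, not a verdict: third-party modules legitimately install elsewhere, and a module placed inside the expected directory would only be caught by the baseline comparison.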