Four JavaScript sniffer that lurk you in online stores

22 min


Practically each of us uses the services of online stores, which means, sooner or later, the risk of becoming a victim of JavaScript sniffers – a special code that the attackers introduce to the site to steal bank card data, addresses, usernames and passwords.

Almost 400,000 users of the site and the mobile application of British Airways, as well as visitors to the British site of the sports giant FILA and the American ticket distributor Ticketmaster, have already suffered from sniffers. PayPal, Chase Paymenttech, USAePay, Moneris – these and many other payment systems were infected.

Threat Intelligence Group-IB analyst Viktor Okorokov talks about how sniffers are embedded in the site code and steal billing information, as well as what kind of CRM they attack.

“Hidden threat”

So it turned out that for a long time JS-sniffers remained out of sight of antivirus analysts, and banks and payment systems did not see them as a serious threat. And it is in vain. Group-IB experts analyzed 2440 infected online stores, whose visitors — a total of about 1.5 million people a day — were at risk of compromise. Among the victims were not only users, but also online stores, payment systems and banks that issued compromised cards.

The Group-IB report was the first to study the darknet market of sniffers, their infrastructure and ways to monetize, bringing millions of dollars to their creators. We identified 38 families of sniffers, of which only 12 were previously known to researchers.

Let us dwell in detail on the four families of sniffers studied in the course of the study.

ReactGet Family

ReactGet family sniffers are used to steal bank card data on online stores. The sniffer can work with a large number of different payment systems used on the site: one parameter value corresponds to one payment system, and some detected versions of the sniffer can be used to steal credentials, as well as to steal bank card data from payment forms of several payment systems at once, the so-called universal sniffer. It was found that in some cases, attackers carry out phishing attacks on administrators of online stores in order to gain access to the administrative panel of the site.

The campaign with the use of this family of sniffers began in May 2017, the sites under the control of CMS and platforms Magento, Bigcommerce, Shopify were attacked.

How ReactGet is embedded in an online store code

In addition to the “classic” implementation of the script by reference, the operators of the ReactGet family of sniffers use a special technique: using JavaScript code, it is checked whether the current address where the user is located meets certain criteria. Malicious code will be run only if there is a substring in the current URL checkout or onestepcheckout, onepage /, out / onepag, checkout / one, ckout / one. Thus, the sniffer code will be executed exactly at the moment when the user goes to pay for purchases and enters payment information in the form on the website.

This sniffer uses non-standard technique. Payment and personal data of the victim are gathered together, encoded with base64and then the resulting string is used as a parameter to send a request to the attackers website. Most often, the path to the gate simulates a JavaScript file, for example resp.js, data.js and so on, but also uses links to image files, Gif and Jpg. The peculiarity is that the sniffer creates a 1 by 1 pixel image object and uses the previously obtained link as a parameter src Images. That is, for a user, such a request in traffic will look like an ordinary picture request. A similar technique was used in ImageID sniffers. In addition, a 1 by 1 pixel image technique is used in many legitimate online analytics scripts, which can also mislead the user.

Version Analysis

Analysis of the active domains used by ReactGet sniffer operators allowed us to discover many different versions of sniffer of this family. Versions are distinguished by the presence or absence of obfuscation, and in addition, each sniffer is intended for a specific payment system that processes bank card payments for online stores. After reviewing the value of the parameter corresponding to the version number, Group-IB specialists received a full list of available variations of sniffers, and the names of the form fields that each sniffer searches for in the page code determine the payment systems that the sniffer aims at.

List of sniffers and their respective payment systems

Sniffer url Payment system
reactjsapi.com/react.js Authorize.Net
ajaxstatic.com/api.js?v=2.1.1 Cardsave
ajaxstatic.com/api.js?v=2.1.2 Authorize.Net
ajaxstatic.com/api.js?v=2.1.3 Authorize.Net
ajaxstatic.com/api.js?v=2.1.4 eWAY Rapid
ajaxstatic.com/api.js?v=2.1.5 Authorize.Net
ajaxstatic.com/api.js?v=2.1.6 Adyen
ajaxstatic.com/api.js?v=2.1.7 USAePay
ajaxstatic.com/api.js?v=2.1.9 Authorize.Net
apitstatus.com/api.js?v=2.1.1 USAePay
apitstatus.com/api.js?v=2.1.2 Authorize.Net
apitstatus.com/api.js?v=2.1.3 Moneris
apitstatus.com/api.js?v=2.1.5 USAePay
apitstatus.com/api.js?v=2.1.6 Paypal
apitstatus.com/api.js?v=2.1.7 Sage pay
apitstatus.com/api.js?v=2.1.8 Verisign
apitstatus.com/api.js?v=2.1.9 Paypal
apitstatus.com/api.js?v=2.3.0 Stripe
apitstatus.com/api.js?v=3.0.2 Realex
apitstatus.com/api.js?v=3.0.3 Paypal
apitstatus.com/api.js?v=3.0.4 Linkpoint
apitstatus.com/api.js?v=3.0.5 Paypal
apitstatus.com/api.js?v=3.0.7 Paypal
apitstatus.com/api.js?v=3.0.8 Datacash
apitstatus.com/api.js?v=3.0.9 Paypal
asianfoodgracer.com/footer.js Authorize.Net
billgetstatus.com/api.js?v=1.2 Authorize.Net
billgetstatus.com/api.js?v=1.3 Authorize.Net
billgetstatus.com/api.js?v=1.4 Authorize.Net
billgetstatus.com/api.js?v=1.5 Verisign
billgetstatus.com/api.js?v=1.6 Authorize.Net
billgetstatus.com/api.js?v=1.7 Moneris
billgetstatus.com/api.js?v=1.8 Sage pay
billgetstatus.com/api.js?v=2.0 USAePay
billgetstatus.com/react.js Authorize.Net
cloudodesc.com/gtm.js?v=1.2 Authorize.Net
cloudodesc.com/gtm.js?v=1.3 ANZ eGate
cloudodesc.com/gtm.js?v=2.3 Authorize.Net
cloudodesc.com/gtm.js?v=2.4 Moneris
cloudodesc.com/gtm.js?v=2.6 Sage pay
cloudodesc.com/gtm.js?v=2.7 Sage pay
cloudodesc.com/gtm.js?v=2.8 Chase paymentech
cloudodesc.com/gtm.js?v=2.9 Authorize.Net
cloudodesc.com/gtm.js?v=2.91 Adyen
cloudodesc.com/gtm.js?v=2.92 Psigate
cloudodesc.com/gtm.js?v=2.93 CyberSource
cloudodesc.com/gtm.js?v=2.95 ANZ eGate
cloudodesc.com/gtm.js?v=2.97 Realex
geisseie.com/gs.js USAePay
gtmproc.com/age.js Authorize.Net
gtmproc.com/gtm.js?v=1.2 Authorize.Net
gtmproc.com/gtm.js?v=1.3 ANZ eGate
gtmproc.com/gtm.js?v=1.5 Paypal
gtmproc.com/gtm.js?v=1.6 Paypal
gtmproc.com/gtm.js?v=1.7 Realex
livecheckpay.com/api.js?v=2.0 Sage pay
livecheckpay.com/api.js?v=2.1 Paypal
livecheckpay.com/api.js?v=2.2 Verisign
livecheckpay.com/api.js?v=2.3 Authorize.Net
livecheckpay.com/api.js?v=2.4 Verisign
livecheckpay.com/react.js Authorize.Net
livegetpay.com/pay.js?v=2.1.2 ANZ eGate
livegetpay.com/pay.js?v=2.1.3 Paypal
livegetpay.com/pay.js?v=2.1.5 CyberSource
livegetpay.com/pay.js?v=2.1.7 Authorize.Net
livegetpay.com/pay.js?v=2.1.8 Sage pay
livegetpay.com/pay.js?v=2.1.9 Realex
livegetpay.com/pay.js?v=2.2.0 CyberSource
livegetpay.com/pay.js?v=2.2.1 Paypal
livegetpay.com/pay.js?v=2.2.2 Paypal
livegetpay.com/pay.js?v=2.2.3 Paypal
livegetpay.com/pay.js?v=2.2.4 Verisign
livegetpay.com/pay.js?v=2.2.5 eWAY Rapid
livegetpay.com/pay.js?v=2.2.7 Sage pay
livegetpay.com/pay.js?v=2.2.8 Sage pay
livegetpay.com/pay.js?v=2.2.9 Verisign
livegetpay.com/pay.js?v=2.3.0 Authorize.Net
livegetpay.com/pay.js?v=2.3.1 Authorize.Net
livegetpay.com/pay.js?v=2.3.2 First Data Global Gateway
livegetpay.com/pay.js?v=2.3.3 Authorize.Net
livegetpay.com/pay.js?v=2.3.4 Authorize.Net
livegetpay.com/pay.js?v=2.3.5 Moneris
livegetpay.com/pay.js?v=2.3.6 Authorize.Net
livegetpay.com/pay.js?v=2.3.8 Paypal
livegetpay.com/pay.js?v=2.4.0 Verisign
maxstatics.com/site.js USAePay
mediapack.info/track.js?d=funlove.com USAePay
mediapack.info/track.js?d=qbedding.com Authorize.Net
mediapack.info/track.js?d=vseyewear.com Verisign
mxcounter.com/c.js?v=1.2 Paypal
mxcounter.com/c.js?v=1.3 Authorize.Net
mxcounter.com/c.js?v=1.4 Stripe
mxcounter.com/c.js?v=1.6 Authorize.Net
mxcounter.com/c.js?v=1.7 eWAY Rapid
mxcounter.com/c.js?v=1.8 Sage pay
mxcounter.com/c.js?v=2.0 Authorize.Net
mxcounter.com/c.js?v=2.1 Braintree
mxcounter.com/c.js?v=2.10 Braintree
mxcounter.com/c.js?v=2.2 Paypal
mxcounter.com/c.js?v=2.3 Sage pay
mxcounter.com/c.js?v=2.31 Sage pay
mxcounter.com/c.js?v=2.32 Authorize.Net
mxcounter.com/c.js?v=2.33 Paypal
mxcounter.com/c.js?v=2.34 Authorize.Net
mxcounter.com/c.js?v=2.35 Verisign
mxcounter.com/click.js?v=1.2 Paypal
mxcounter.com/click.js?v=1.3 Authorize.Net
mxcounter.com/click.js?v=1.4 Stripe
mxcounter.com/click.js?v=1.6 Authorize.Net
mxcounter.com/click.js?v=1.7 eWAY Rapid
mxcounter.com/click.js?v=1.8 Sage pay
mxcounter.com/click.js?v=2.0 Authorize.Net
mxcounter.com/click.js?v=2.1 Braintree
mxcounter.com/click.js?v=2.2 Paypal
mxcounter.com/click.js?v=2.3 Sage pay
mxcounter.com/click.js?v=2.31 Sage pay
mxcounter.com/click.js?v=2.32 Authorize.Net
mxcounter.com/click.js?v=2.33 Paypal
mxcounter.com/click.js?v=2.34 Authorize.Net
mxcounter.com/click.js?v=2.35 Verisign
mxcounter.com/cnt.js Authorize.Net
mxcounter.com/j.js Authorize.Net
newrelicnet.com/api.js?v=1.2 Authorize.Net
newrelicnet.com/api.js?v=1.4 Authorize.Net
newrelicnet.com/api.js?v=1.8 Sage pay
newrelicnet.com/api.js?v=4.5 Sage pay
newrelicnet.com/api.js?v=4.6 Westpac PayWay
nr-public.com/api.js?v=2.0 Payfort
nr-public.com/api.js?v=2.1 Paypal
nr-public.com/api.js?v=2.2 Authorize.Net
nr-public.com/api.js?v=2.3 Stripe
nr-public.com/api.js?v=2.4 First Data Global Gateway
nr-public.com/api.js?v=2.5 Psigate
nr-public.com/api.js?v=2.6 Authorize.Net
nr-public.com/api.js?v=2.7 Authorize.Net
nr-public.com/api.js?v=2.8 Moneris
nr-public.com/api.js?v=2.9 Authorize.Net
nr-public.com/api.js?v=3.1 Sage pay
nr-public.com/api.js?v=3.2 Verisign
nr-public.com/api.js?v=3.3 Moneris
nr-public.com/api.js?v=3.5 Paypal
nr-public.com/api.js?v=3.6 Linkpoint
nr-public.com/api.js?v=3.7 Westpac PayWay
nr-public.com/api.js?v=3.8 Authorize.Net
nr-public.com/api.js?v=4.0 Moneris
nr-public.com/api.js?v=4.0.2 Paypal
nr-public.com/api.js?v=4.0.3 Adyen
nr-public.com/api.js?v=4.0.4 Paypal
nr-public.com/api.js?v=4.0.5 Authorize.Net
nr-public.com/api.js?v=4.0.6 USAePay
nr-public.com/api.js?v=4.0.7 EBizCharge
nr-public.com/api.js?v=4.0.8 Authorize.Net
nr-public.com/api.js?v=4.0.9 Verisign
nr-public.com/api.js?v=4.1.2 Verisign
ordercheckpays.com/api.js?v=2.11 Authorize.Net
ordercheckpays.com/api.js?v=2.12 Paypal
ordercheckpays.com/api.js?v=2.13 Moneris
ordercheckpays.com/api.js?v=2.14 Authorize.Net
ordercheckpays.com/api.js?v=2.15 Paypal
ordercheckpays.com/api.js?v=2.16 Paypal
ordercheckpays.com/api.js?v=2.17 Westpac PayWay
ordercheckpays.com/api.js?v=2.18 Authorize.Net
ordercheckpays.com/api.js?v=2.19 Authorize.Net
ordercheckpays.com/api.js?v=2.21 Sage pay
ordercheckpays.com/api.js?v=2.22 Verisign
ordercheckpays.com/api.js?v=2.23 Authorize.Net
ordercheckpays.com/api.js?v=2.24 Paypal
ordercheckpays.com/api.js?v=2.25 Payfort
ordercheckpays.com/api.js?v=2.29 CyberSource
ordercheckpays.com/api.js?v=2.4 Paypal payflow pro
ordercheckpays.com/api.js?v=2.7 Authorize.Net
ordercheckpays.com/api.js?v=2.8 Authorize.Net
ordercheckpays.com/api.js?v=2.9 Verisign
ordercheckpays.com/api.js?v=3.1 Authorize.Net
ordercheckpays.com/api.js?v=3.2 Authorize.Net
ordercheckpays.com/api.js?v=3.3 Sage pay
ordercheckpays.com/api.js?v=3.4 Authorize.Net
ordercheckpays.com/api.js?v=3.5 Stripe
ordercheckpays.com/api.js?v=3.6 Authorize.Net
ordercheckpays.com/api.js?v=3.7 Authorize.Net
ordercheckpays.com/api.js?v=3.8 Verisign
ordercheckpays.com/api.js?v=3.9 Paypal
ordercheckpays.com/api.js?v=4.0 Authorize.Net
ordercheckpays.com/api.js?v=4.1 Authorize.Net
ordercheckpays.com/api.js?v=4.2 Sage pay
ordercheckpays.com/api.js?v=4.3 Authorize.Net
reactjsapi.com/api.js?v=0.1.0 Authorize.Net
reactjsapi.com/api.js?v=0.1.1 Paypal
reactjsapi.com/api.js?v=4.1.2 Flint
reactjsapi.com/api.js?v=4.1.4 Paypal
reactjsapi.com/api.js?v=4.1.5 Sage pay
reactjsapi.com/api.js?v=4.1.51 Verisign
reactjsapi.com/api.js?v=4.1.6 Authorize.Net
reactjsapi.com/api.js?v=4.1.7 Authorize.Net
reactjsapi.com/api.js?v=4.1.8 Stripe
reactjsapi.com/api.js?v=4.1.9 Fat zebra
reactjsapi.com/api.js?v=4.2.0 Sage pay
reactjsapi.com/api.js?v=4.2.1 Authorize.Net
reactjsapi.com/api.js?v=4.2.2 First Data Global Gateway
reactjsapi.com/api.js?v=4.2.3 Authorize.Net
reactjsapi.com/api.js?v=4.2.4 eWAY Rapid
reactjsapi.com/api.js?v=4.2.5 Adyen
reactjsapi.com/api.js?v=4.2.7 Paypal
reactjsapi.com/api.js?v=4.2.8 QuickBooks Merchant Services
reactjsapi.com/api.js?v=4.2.9 Verisign
reactjsapi.com/api.js?v=4.2.91 Sage pay
reactjsapi.com/api.js?v=4.2.92 Verisign
reactjsapi.com/api.js?v=4.2.94 Authorize.Net
reactjsapi.com/api.js?v=4.3.97 Authorize.Net
reactjsapi.com/api.js?v=4.5 Sage pay
reactjsapi.com/react.js Authorize.Net
sydneysalonsupplies.com/gtm.js eWAY Rapid
tagsmediaget.com/react.js Authorize.Net
tagstracking.com/tag.js?v=2.1.2 ANZ eGate
tagstracking.com/tag.js?v=2.1.3 Paypal
tagstracking.com/tag.js?v=2.1.5 CyberSource
tagstracking.com/tag.js?v=2.1.7 Authorize.Net
tagstracking.com/tag.js?v=2.1.8 Sage pay
tagstracking.com/tag.js?v=2.1.9 Realex
tagstracking.com/tag.js?v=2.2.0 CyberSource
tagstracking.com/tag.js?v=2.2.1 Paypal
tagstracking.com/tag.js?v=2.2.2 Paypal
tagstracking.com/tag.js?v=2.2.3 Paypal
tagstracking.com/tag.js?v=2.2.4 Verisign
tagstracking.com/tag.js?v=2.2.5 eWAY Rapid
tagstracking.com/tag.js?v=2.2.7 Sage pay
tagstracking.com/tag.js?v=2.2.8 Sage pay
tagstracking.com/tag.js?v=2.2.9 Verisign
tagstracking.com/tag.js?v=2.3.0 Authorize.Net
tagstracking.com/tag.js?v=2.3.1 Authorize.Net
tagstracking.com/tag.js?v=2.3.2 First Data Global Gateway
tagstracking.com/tag.js?v=2.3.3 Authorize.Net
tagstracking.com/tag.js?v=2.3.4 Authorize.Net
tagstracking.com/tag.js?v=2.3.5 Moneris
tagstracking.com/tag.js?v=2.3.6 Authorize.Net
tagstracking.com/tag.js?v=2.3.8 Paypal

Sniffer password

One of the advantages of JavaScript sniffer working on the client side of the site is universality: the malicious code embedded on the site can steal data of any type, whether it is billing information or username and password from a user account. Group-IB specialists have discovered a sample sniffer belonging to the ReactGet family, designed to steal email addresses and passwords of users of the site.

Intersection with ImageID sniffer

An analysis of one of the infected stores revealed that his site had been infected twice: in addition to the malicious code of the ReactGet family sniffer, the code of the ImageID family sniffer was detected. This intersection may be evidence that the operators behind the use of both sniffers use similar techniques to introduce malicious code.

Universal Sniffer

An analysis of one of the domain names related to the infrastructure of ReactGet sniffers revealed that the same user registered three other domain names. These three domains imitated the domains of real-life sites and were previously used to host sniffers. When analyzing the code of three legitimate sites, an unknown sniffer was discovered, and further analysis showed that this is an improved version of the ReactGet sniffer. All previously tracked versions of sniffers of this family were aimed at any one payment system, that is, for each payment system a special version of the sniffer was required. However, in this case, a universal version of the sniffer was discovered, capable of stealing information from forms related to 15 different payment systems and e-commerce site modules for online payments.

So, at the beginning of the work, the sniffer searched for basic form fields containing the victim’s personal information: full name, physical address, telephone number.

Then the sniffer searched for more than 15 different prefixes, corresponding to different payment systems and modules for online payments.

Then, the victim’s personal data and payment information were collected together and sent to the site controlled by the attacker: in this particular case, two versions of the universal ReactGet sniffer were found, located on two different hacked sites. However, both versions sent the stolen data to the same hacked site. zoobashop.com.

The analysis of the prefixes that were used by the sniffer to search for fields containing the payment information of the victim made it possible to determine that this sample sniffer was aimed at the following payment systems:

  • Authorize.Net
  • Verisign
  • First data
  • USAePay
  • Stripe
  • Paypal
  • ANZ eGate
  • Braintree
  • DataCash (MasterCard)
  • Realex payments
  • Psigate
  • Heartland Payment Systems

What tools are used to steal billing information

The first tool found during the analysis of the infrastructure of the attackers serves to obfuscate malicious scripts responsible for the theft of bank cards. A bash script using the project’s CLI was detected on one of the attacker’s hosts. javascript obfuscator to automate code obfuscation sniffers.

The second detected tool is designed to generate the code responsible for loading the main sniffer. This tool generates a JavaScript code that checks whether the user is on the payment page by searching the lines in the current user’s address checkout, cart and so on, and if the result is positive, then the code loads the main sniffer from the attacker’s server. To hide malicious activity, all lines, including test lines for defining the payment page, as well as a link to the sniffer, are encoded with base64.

Phishing attacks

In analyzing the network infrastructure of the attackers, it was found that the criminal group often uses phishing to gain access to the administrative panel of the targeted online store. The attackers register a domain that is visually similar to the domain of the store, and then unfolds on it a fake login form of the Magento administrative panel. If successful, attackers will gain access to the CMS Magento administrative panel, which allows them to edit the site components and implement a sniffer to steal credit card data.

Infrastructure

Domain Date of discovery / appearance
mediapack.info 04.05.2017
adsgetapi.com 06/15/2017
simcounter.com 08/14/2017
mageanalytics.com 12/22/2017
maxstatics.com 01/16/2018
reactjsapi.com 01/19/2018
mxcounter.com 02.02.2018
apitstatus.com 03/01/2018
orderracker.com 04/20/2018
tagstracking.com 06.25.2018
adsapigate.com 12.07.2018
trust-tracker.com 07/15/2018
fbstatspartner.com 10/02/2018
billgetstatus.com 10/12/2018
aldenmlilhouse.com 10/20/2018
balletbeautlful.com 10/20/2018
bargalnjunkie.com 10/20/2018
payselector.com 10/21/2018
tagsmediaget.com 11/02/2018
hs-payments.com 11/16/2018
ordercheckpays.com 11/19/2018
geisseie.com 11/24/2018
gtmproc.com 11/29/2018
livegetpay.com 12/18/2018
sydneysalonsupplies.com 12/18/2018
newrelicnet.com 12/19/2018
nr-public.com 01.03.2019
cloudodesc.com 01/04/2019
ajaxstatic.com 01.11.2019
livecheckpay.com 01.21.2019
asianfoodgracer.com 01/25/2019

G-Analytics Family

This family of sniffers is used to steal cards from online store customers. The very first domain name used by the group was registered in April 2016, which may indicate the start of group activity in mid-2016.

In the current campaign, the group uses domain names that mimic real-life services, such as Google Analytics and jQuery, masking sniffer activity with legitimate scripts and similar legitimate domain names. Attack suffered sites running CMS Magento.

How G-Analytics is embedded in the code of an online store

A distinctive feature of this family is the use of various methods of theft of user payment information. In addition to the classic implementation of JavaScript code in the client part of the site, the criminal group also used the technique of embedding code in the server part of the site, namely PHP scripts that process the data entered by the user. This technique is dangerous in that it makes it difficult for third-party researchers to detect malicious code. Group-IB specialists discovered a version of a sniffer embedded in the site’s PHP code, using the dittm.org domain as a gate.

An earlier version of the sniffer was also discovered, which uses the same domain dittm.org to collect stolen data, but this version is already intended for installation on the client side of the online store.

Later, the group changed its tactics and began to pay more attention to concealment of malicious activity and disguise.

At the beginning of 2017, the group began to use the jquery-js.com domain, which masquerades as a CDN for jQuery: when it goes to the site of malicious users, it redirects to the legitimate site jquery.com.

And in mid-2018, the group adopted the g-analytics.com domain name and began to mask the activities of the sniffer under the legitimate Google Analytics service.

Version Analysis

During the analysis of the domains used to store sniffer code, it was found that the site has a large number of versions that differ in the presence of obfuscation, as well as the presence or absence of unreachable code added to the file to distract attention and hide the malicious code.

In total, six versions of sniffers were identified on jquery-js.com. These sniffers send the stolen data to the address located on the same site as the sniffer itself: hxxps: // jquery-js [.] Com / latest / jquery.min.js:

  • hxxps://jquery-js[.]com/jquery.min.js
  • hxxps://jquery-js[.]com/jquery.2.2.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.8.3.min.js
  • hxxps://jquery-js[.]com/jquery.1.6.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.4.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.12.4.min.js

The later g-analytics.com domain, used by the group in attacks since mid-2018, serves as a repository for more sniffers. A total of 16 different sniffer versions were discovered. In this case, the gate to send the stolen data was disguised as a link to a format image GIF: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid
=1283183910.1527732071
:

  • hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
  • hxxps://g-analytics[.]com/libs/analytics.js

Monetization of stolen data

The criminal group monetizes the stolen data by selling cards through a specially created underground store that provides services to carders. An analysis of the domains used by the attackers revealed that google-analytics.cm was registered by the same user as the cardz.vc domain. Domain cardz.vc refers to the Cardsurfs (Flysurfs) store for stolen bank cards, which gained popularity even during the activity of the underground trading platform AlphaBay as a store for selling bank cards stolen using a sniffer.

Analyzing the analytic.is domain located on the same server as the domains used by sniffers to collect stolen data, Group-IB specialists found a file containing cookie-styler logs, which, it seems, was later abandoned by the developer. One of the entries in the log contained the iozoz.com domain, which was previously used in one of the sniffers active in 2016. Presumably, this domain was previously used by an attacker to collect cards stolen using a sniffer. This domain was registered to the email address kts241@gmail.com, which was also used to register cardz.su and cardz.vc domains related to the Cardsurfs carding store.

Based on the data obtained, it can be assumed that the G-Analytics family of sniffers and the underground Cardsurfs bank card store are managed by the same people, and the store is used to sell bank cards stolen using the sniffer.

Infrastructure

Domain Discovery / Appearance Date
iozoz.com 08.04.2016
dittm.org 10.09.2016
jquery-js.com 02.01.2017
g-analytics.com 31.05.2018
google-analytics.is 21.11.2018
analytic.to 04.12.2018
google-analytics.to 06.12.2018
google-analytics.cm 28.12.2018
analytic.is 28.12.2018
googlc-analytics.cm 17.01.2019

Family illum

Illum is a sniffer family used to attack online stores running CMS Magento. In addition to introducing malicious code, the operators of this sniffer also use full fake payment methods that send data to gates controlled by cybercriminals.

When analyzing the network infrastructure used by the operators of this sniffer, a large number of malicious scripts, exploits, fake payment forms, as well as a collection of examples of malicious sniffers of competitors were noted. Based on the information about the dates of the appearance of domain names used by the group, it can be assumed that the campaign began at the end of 2016.

How Illum Embeds Online Store Code

The first sniffer versions discovered were embedded directly in the code of the compromised site. The stolen data was sent to cdn.illum [.] Pw / records.php, the gate was encoded using base64.

A packaged version of the sniffer was later discovered using a different gate -records.nstatistics[.]com/records.php.

According to a Willem de Groot report, the same host was used in a sniffer that was embedded on the website of a store owned by the German political party CSU.

Analysis of the site of intruders

Group-IB specialists discovered and analyzed the site used by this criminal group to store tools and collect stolen information.

Among the tools detected on the attacker’s server, scripts and exploits for escalating privileges on Linux were found: for example, Linux Privilege Escalation Check Script, developed by Mike Czumak, as well as an exploit for CVE-2009-1185.

The attackers used two exploits directly to attack online stores: the first is able to inject malicious code into core_config_data by exploiting CVE-2016-4010, the second exploits an RCE vulnerability in plug-ins for CMS Magento, allowing arbitrary code to be executed on a vulnerable web server.

Also, during the analysis of the server, various samples of sniffers and fake payment forms were used, used by attackers to collect payment information from hacked sites. As you can see from the list below, some scripts were created individually for each hacked site, while a universal solution was used for certain CMS and payment gateways. For example, the scripts segapay_standart.js and segapay_onpage.js are intended for implementation on sites that use the Sage Pay payment gateway.

List of scripts for various payment gateways

Script payment gateways
sr.illum[.]pw/mjs_special/visiondirect.co.uk.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/topdierenshop.nl.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/tiendalenovo.es.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/pro-bolt.com.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/plae.co.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/ottolenghi.co.uk.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/oldtimecandy.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/mylook.ee.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs_special/luluandsky.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/julep.com.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs_special/gymcompany.es.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/grotekadoshop.nl.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/fushi.co.uk.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/fareastflora.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/compuindia.com.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs/segapay_standart.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/segapay_onpage.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/replace_standart.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs/all_inputs.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/add_inputs_standart.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/magento/payment_standart.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/magento/payment_redirect.js //payrightnow[.]cf/?payment=
sr.illum[.]pw/magento/payment_redcrypt.js //payrightnow[.]cf/?payment=
sr.illum[.]pw/magento/payment_forminsite.js //paymentnow[.]tk/?payment=

The paymentnow [.] Tk host, used as a gate in the payment_forminsite.js script, was detected as subjectAltName in several certificates related to the CloudFlare service. In addition, the evil.js. script was located on the host. Judging by the name of the script, it could be used as part of the operation of CVE-2016-4010, thanks to which it is possible to inject malicious code into the footer of a site running CMS Magento. As a gate, this script used the request.requestnet [.] Tk host, which uses the same certificate as the paymentnow [.] Tk host.

Fake Payment Forms

The figure below shows an example of a form for entering map data. This form was used to embed the online store website and steal card data.

The following figure is an example of a fake PayPal payment form that was used by cybercriminals to deploy to sites with this payment method.

Infrastructure

Domain Date of discovery / appearance
cdn.illum.pw 27/11/2016
records.nstatistics.com 06/09/2018
request.payrightnow.cf 25/05/2018
paymentnow.tk 16/07/2017
payment-line.tk 01/03/2018
paymentpal.cf 04/09/2017
requestnet.tk 28/06/2017

CoffeMokko Family

The CoffeMokko family of sniffers designed to steal bank cards from users of online stores has been used since at least May 2017. Presumably, the operators of this family of sniffers are the criminal group Group 1, described by RiskIQ specialists in 2016. Attacks were made by sites running such CMS as Magento, OpenCart, WordPress, osCommerce, Shopify.

How CoffeMokko is implemented in the code of the online store

The operators of this family create unique sniffers for each infection: the sniffer file is located in the src or js directory on the attacker server. Implementation in the site code is carried out by a direct link to the sniffer.

In the sniffer code, the names of the form fields from which data must be stolen are hardcoded. The sniffer also checks whether the user is on the payment page, checking the list of keywords with the current address of the user.

Some detected sniffer versions were obfuscated and contained an encrypted string in which the main array of resources was stored: it contained the names of the form fields for various payment systems, as well as the gate address to which the stolen data should be sent.

The stolen payment information was sent to the script on the attacker server along the path /savePayment/index.php or /tr/index.php. Presumably, this script is used to send data from the gate to the main server, consolidating data from all sniffers. To hide the transmitted data, all the victim’s payment information is encoded using base64, and then several symbol replacements occur:

the character “e” is replaced by “:”
the character “w” is replaced by “+”
the character “o” is replaced by “%”
character “d” is replaced by “#”
the character “a” is replaced by “-”
character “7” is replaced by “^”
the character “h” is replaced by “_”
the character “T” is replaced by “@”
the character “0” is replaced by “/”
the character “Y” is replaced by “*”

As a result of character substitutions, base64 encoded data cannot be decoded without reverse conversion.

This is the sniffer code snippet that has not been obfuscated:

Infrastructure analysis

In early campaigns, attackers registered domain names similar to the domains of legitimate online shopping sites. Their domain could differ from the legitimate one character or another TLD. Registered domains were used to store the sniffer code, the link to which was embedded in the store code.

Also, this group used domain names resembling the name of popular plugins for jQuery (slickjs [.] Org for sites using the slick.js plugin), payment gateways (sagecdn [.] Org for sites using the Sage Pay payment system).

Later, the group began to create domains whose name had nothing to do with either the store’s domain or the store’s theme.
This is the sniffer code snippet that has not been obfuscated:

Each domain corresponded to a site on which the / js or / src directory was created. Sniffer scripts were stored in this directory: one sniffer for each new infection. The sniffer was injected into the site code via a direct link, but in rare cases, attackers modified one of the site files and added malicious code to it.

Code analysis

The first obfuscation algorithm

In some detected sniffer samples of this family, the code was obfuscated and contained the encrypted data necessary for the sniffer to work: in particular, the address of the sniffer gate, a list of payment form fields, and in some cases a fake payment form code. In the code inside the function, the resources were encrypted using XOR using the key, which was passed by the argument of the same function.

Having decrypted the string with the corresponding key, unique for each sample, you can get a string containing all the lines from the sniffer code through the separator character.

Second obfuscation algorithm

In later samples of sniffers of this family, another obfuscation mechanism was used: in this case, the data was encrypted using a self-written algorithm. A string containing the encrypted data necessary for the sniffer to work was passed as an argument to the decryption function.

Using the browser console, you can decrypt the encrypted data and get an array containing sniffer resources.

Linkage to Early MageCart Attacks

An analysis of one of the domains used by the group as a gate to collect stolen data revealed that the domain has a credit card theft infrastructure identical to that used by Group 1, one of the first groups discovered by RiskIQ specialists.

Two files were found on the host of the CoffeMokko sniffer family:

mage.js – file containing Group 1 sniffer code with gate address js-cdn.link
mag.php – PHP script responsible for collecting sniffer-stolen data

Mage.js file contents

It was also found that the earliest domains used by the group behind the CoffeMokko sniffer family were registered on May 17, 2017:

link-js [.] link
info-js [.] link
track-js [.] link
map-js [.] link
smart-js [.] link

The format of these domain names is the same as the Group 1 domain names used in the 2016 attacks.

Based on the facts discovered, it can be assumed that there is a connection between the CoffeMokko sniffer operators and the Group 1 criminal group. Presumably, CoffeMokko operators could borrow card theft tools and software from their predecessors. However, it is more likely that the criminal group behind the use of the CoffeMokko family of sniffers is the same people who carried out the attacks as part of the activities of Group 1. After the publication of the first report on the activities of the criminal group, all their domain names were blocked, and the tools were thoroughly studied and are described. The group was forced to take a break, refine their internal tools and rewrite the sniffer code in order to continue their attacks and go unnoticed.

Domain
link-js.link 17.05.2017
info-js.link 17.05.2017
track-js.link 17.05.2017
map-js.link 17.05.2017
smart-js.link 17.05.2017
adorebeauty.org 03.09.2017
security-payment.su 03.09.2017
braincdn.org 04.09.2017
sagecdn.org 04.09.2017
slickjs.org 04.09.2017
oakandfort.org 10.09.2017
citywlnery.org 15.09.2017
dobell.su 04.10.2017
childsplayclothing.org 31.10.2017
jewsondirect.com 05.11.2017
shop-rnib.org 15.11.2017
closetlondon.org 16.11.2017
misshaus.org 28.11.2017
battery-force.org 01.12.2017
kik-vape.org 01.12.2017
greatfurnituretradingco.org 02.12.2017
etradesupply.org 04.12.2017
replacemyremote.org 04.12.2017
all-about-sneakers.org 05.12.2017
mage-checkout.org 05.12.2017
nililotan.org 07.12.2017
lamoodbighats.net 08.12.2017
walletgear.org 10.12.2017
dahlie.org 12.12.2017
davidsfootwear.org 20.12.2017
blackriverimaging.org 23.12.2017
exrpesso.org 02.01.2018
parks.su 09.01.2018
pmtonline.su 12.01.2018
ottocap.org 15.01.2018
christohperward.org 27.01.2018
coffetea.org 31.01.2018
energycoffe.org 31.01.2018
energytea.org 31.01.2018
teacoffe.net 31.01.2018
adaptivecss.org 01.03.2018
coffemokko.com 01.03.2018
londontea.net 01.03.2018
ukcoffe.com 01.03.2018
labbe.biz 20.03.2018
batterynart.com 03.04.2018
btosports.net 09.04.2018
chicksaddlery.net 16.04.2018
paypaypay.org 11.05.2018
ar500arnor.com 26.05.2018
authorizecdn.com 28.05.2018
slickmin.com 28.05.2018
bannerbuzz.info 03.06.2018
kandypens.net 08.06.2018
mylrendyphone.com 15.06.2018
freshchat.info 01.07.2018
3lift.org 02.07.2018
abtasty.net 02.07.2018
mechat.info 02.07.2018
zoplm.com 02.07.2018
zapaljs.com 02.09.2018
foodandcot.com 15.09.2018
freshdepor.com 15.09.2018
swappastore.com 15.09.2018
verywellfitnesse.com 15.09.2018
elegrina.com 18.11.2018
majsurplus.com 19.11.2018
top5value.com 19.11.2018

One Comment

Leave a Reply

  1. Pingback: maç sonuçları