Four JavaScript sniffers that lie in wait for you in online stores

Almost every one of us uses online stores, which means that sooner or later we run the risk of becoming a victim of JavaScript sniffers: special code that attackers inject into a website to steal bank card data, addresses, usernames and passwords.

Nearly 400 users of the British Airways website and mobile app have already been affected by sniffers, as have visitors to the website of the British sportswear giant FILA and the US ticket distributor Ticketmaster. PayPal, Chase Paymentech, USAePay, Moneris: these and many other payment systems have been infected.

Viktor Okorokov, an analyst at Group-IB Threat Intelligence, explains how sniffers infiltrate website code and steal payment information, and which CMSs they attack.

"Hidden threat"

For a long time, JS sniffers remained out of sight of antivirus analysts, and banks and payment systems did not see them as a serious threat. And absolutely in vain. Group-IB experts analyzed 2440 infected online stores, whose visitors, a total of about 1.5 million people a day, were at risk of compromise. The victims include not only users, but also online stores, payment systems and the banks that issued the compromised cards.

The Group-IB report became the first study of the darknet market for sniffers, their infrastructure and their methods of monetization, which bring their creators millions of dollars. We identified 38 sniffer families, of which only 12 were previously known to researchers.

Let us look in detail at four of the sniffer families examined in the study.

ReactGet family

Sniffers of the ReactGet family are used to steal bank card data on online shopping sites. The sniffer can work with a large number of different payment systems used on a site: one parameter value corresponds to one payment system. Individual detected versions of the sniffer can be used to steal credentials, and the so-called universal sniffer steals bank card data from the payment forms of several payment systems at once. It was also found that in some cases the attackers carry out phishing attacks on online store administrators in order to gain access to the site's administrative panel.

The campaign using this family of sniffers began in May 2017. Sites running the Magento, Bigcommerce and Shopify CMSs and platforms were attacked.

How ReactGet is embedded in the code of an online store

In addition to the “classic” script injection via a link, operators of the ReactGet family use a special technique: JavaScript code checks whether the current address the user is on meets certain criteria. The malicious code runs only if the current URL contains one of the substrings checkout, one step check out, onepage/, out/onepag, checkout/one or ckout/one. Thus, the sniffer code is executed exactly when the user proceeds to pay for purchases and enters payment information into the form on the site.

This sniffer uses a non-standard technique. The victim's payment and personal data are collected together, base64-encoded, and the resulting string is then used as a parameter of a request to the malicious site. Most often the path to the gate imitates a JavaScript file, for example resp.js, data.js and so on, but links to image files, GIF and JPG, are also used. The peculiarity is that the sniffer creates an image object of 1 by 1 pixel and uses the previously built link as the src attribute of the image. That is, in the user's traffic such a request looks like a request for an ordinary picture. A similar technique was used in the ImageID family of sniffers. In addition, the 1x1 pixel image technique is used in many legitimate online analytics scripts, which can also mislead the user.
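The defender's view of the beacon technique just described is the proxy or web server log: an image or script request whose query string carries one long base64 value. The following detection logic is an added example written for this article, not code from the Group-IB report; the log lines, hostnames and the serialized checkout form it scans are all constructed. It decodes long base64 query values strictly (canonical, correctly padded, printable text only) and flags the request when the decoded text contains a Luhn-valid card number, which separates a sniffer gate from an ordinary analytics pixel with short parameters.

```javascript
// Added example, not code from the Group-IB report: scan constructed request
// log lines for the exfiltration pattern described above -- an image or script
// URL whose query carries one long base64 value that decodes to text holding
// a Luhn-valid card number. Hostnames and log lines are constructed.

const MIN_B64_LEN = 32; // shorter values are ordinary ids, not a serialized form

// Luhn check: true for a digit string of 13-19 digits with a valid check digit.
function luhnValid(digits) {
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Decode only canonical, correctly padded base64 that yields printable ASCII;
// anything else is treated as "not an encoded payload".
function decodeBase64Strict(s) {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(s)) return null;
  const buf = Buffer.from(s, "base64");
  if (buf.toString("base64") !== s) return null;
  const text = buf.toString("utf8");
  return /^[\x20-\x7e\t\r\n]*$/.test(text) ? text : null;
}

// Every 13-19 digit run in the text that passes the Luhn check.
function findPans(text) {
  return Array.from(text.matchAll(/\d{13,19}/g), m => m[0]).filter(luhnValid);
}

// Analyze one "<timestamp> <method> <url>" line. The query is parsed by hand
// because URLSearchParams would turn a base64 "+" into a space.
function analyzeRequest(line) {
  const m = line.match(/\b(?:GET|POST)\s+(https?:\/\/\S+)/);
  if (!m) return null;
  const url = new URL(m[1]);
  const result = {
    url: m[1],
    imageOrScript: /\.(gif|jpe?g|png|js)$/i.test(url.pathname),
    pans: [],
    verdict: "ok",
  };
  for (const part of url.search.replace(/^\?/, "").split("&")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    let value;
    try { value = decodeURIComponent(part.slice(eq + 1)); } catch (e) { continue; }
    if (value.length < MIN_B64_LEN) continue;
    const text = decodeBase64Strict(value);
    if (text === null) continue;
    result.pans.push(...findPans(text));
    result.verdict = result.pans.length > 0 ? "card-data-exfil" : "long-base64-parameter";
  }
  return result;
}

// Return only the lines that deserve a look.
function scanLog(lines) {
  return lines.map(analyzeRequest).filter(r => r !== null && r.verdict !== "ok");
}

// Constructed sample: one legitimate analytics pixel, one plain script load,
// and two sniffer-style beacons carrying a serialized checkout form.
const CONSTRUCTED_PAYLOAD = encodeURIComponent(Buffer.from(
  JSON.stringify({ cc: "4111111111111111", exp: "12/24", name: "Jane Doe" }), "utf8").toString("base64"));
const SAMPLE_LOG = [
  "2019-01-25T10:00:01Z GET https://analytics.example.invalid/collect.gif?v=1&t=pageview&cid=1234.5678",
  "2019-01-25T10:00:02Z GET https://cdn.example.invalid/jquery.min.js",
  `2019-01-25T10:00:03Z GET https://static.example.invalid/resp.js?d=${CONSTRUCTED_PAYLOAD}`,
  `2019-01-25T10:00:04Z GET https://img.example.invalid/p.gif?q=${CONSTRUCTED_PAYLOAD}`,
];

for (const hit of scanLog(SAMPLE_LOG)) console.log(hit.verdict, hit.url.split("?")[0], hit.pans);
```

The "long-base64-parameter" verdict is deliberately kept separate from the card-data verdict: a sniffer that steals only credentials, like the password-stealing ReactGet sample described later, produces the first without the second, so both deserve review. On a real proxy log the test number 4111111111111111 would of course be replaced by whatever the decoded payload contains.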

Version Analysis

An analysis of the active domains used by ReactGet sniffer operators revealed many different versions of this family. Versions differ in the presence or absence of obfuscation, and in addition each sniffer is designed for a specific payment system that processes bank card payments for online stores. By enumerating the values of the parameter corresponding to the version number, Group-IB specialists obtained a complete list of available sniffer variations, and from the names of the form fields that each sniffer looks for in the page code they determined the payment systems the sniffer targets.

List of sniffers and their corresponding payment systems

Sniffer URL Payment System
reactjsapi.com/react.js Authorize.Net
ajaxstatic.com/api.js?v=2.1.1 Cardsave
ajaxstatic.com/api.js?v=2.1.2 Authorize.Net
ajaxstatic.com/api.js?v=2.1.3 Authorize.Net
ajaxstatic.com/api.js?v=2.1.4 eWAY Rapid
ajaxstatic.com/api.js?v=2.1.5 Authorize.Net
ajaxstatic.com/api.js?v=2.1.6 Adyen
ajaxstatic.com/api.js?v=2.1.7 USAePay
ajaxstatic.com/api.js?v=2.1.9 Authorize.Net
apitstatus.com/api.js?v=2.1.1 USAePay
apitstatus.com/api.js?v=2.1.2 Authorize.Net
apitstatus.com/api.js?v=2.1.3 moneris
apitstatus.com/api.js?v=2.1.5 USAePay
apitstatus.com/api.js?v=2.1.6 PayPal
apitstatus.com/api.js?v=2.1.7 SagePay
apitstatus.com/api.js?v=2.1.8 Verisign
apitstatus.com/api.js?v=2.1.9 PayPal
apitstatus.com/api.js?v=2.3.0 Stripe
apitstatus.com/api.js?v=3.0.2 Realex
apitstatus.com/api.js?v=3.0.3 PayPal
apitstatus.com/api.js?v=3.0.4 Link Point
apitstatus.com/api.js?v=3.0.5 PayPal
apitstatus.com/api.js?v=3.0.7 PayPal
apitstatus.com/api.js?v=3.0.8 datacash
apitstatus.com/api.js?v=3.0.9 PayPal
asianfoodgracer.com/footer.js Authorize.Net
billgetstatus.com/api.js?v=1.2 Authorize.Net
billgetstatus.com/api.js?v=1.3 Authorize.Net
billgetstatus.com/api.js?v=1.4 Authorize.Net
billgetstatus.com/api.js?v=1.5 Verisign
billgetstatus.com/api.js?v=1.6 Authorize.Net
billgetstatus.com/api.js?v=1.7 moneris
billgetstatus.com/api.js?v=1.8 SagePay
billgetstatus.com/api.js?v=2.0 USAePay
billgetstatus.com/react.js Authorize.Net
cloudodesc.com/gtm.js?v=1.2 Authorize.Net
cloudodesc.com/gtm.js?v=1.3 ANZ eGate
cloudodesc.com/gtm.js?v=2.3 Authorize.Net
cloudodesc.com/gtm.js?v=2.4 moneris
cloudodesc.com/gtm.js?v=2.6 SagePay
cloudodesc.com/gtm.js?v=2.7 SagePay
cloudodesc.com/gtm.js?v=2.8 Chase Paymentech
cloudodesc.com/gtm.js?v=2.9 Authorize.Net
cloudodesc.com/gtm.js?v=2.91 Adyen
cloudodesc.com/gtm.js?v=2.92 PsiGate
cloudodesc.com/gtm.js?v=2.93 CyberSource
cloudodesc.com/gtm.js?v=2.95 ANZ eGate
cloudodesc.com/gtm.js?v=2.97 Realex
geisseie.com/gs.js USAePay
gtmproc.com/age.js Authorize.Net
gtmproc.com/gtm.js?v=1.2 Authorize.Net
gtmproc.com/gtm.js?v=1.3 ANZ eGate
gtmproc.com/gtm.js?v=1.5 PayPal
gtmproc.com/gtm.js?v=1.6 PayPal
gtmproc.com/gtm.js?v=1.7 Realex
livecheckpay.com/api.js?v=2.0 SagePay
livecheckpay.com/api.js?v=2.1 PayPal
livecheckpay.com/api.js?v=2.2 Verisign
livecheckpay.com/api.js?v=2.3 Authorize.Net
livecheckpay.com/api.js?v=2.4 Verisign
livecheckpay.com/react.js Authorize.Net
livegetpay.com/pay.js?v=2.1.2 ANZ eGate
livegetpay.com/pay.js?v=2.1.3 PayPal
livegetpay.com/pay.js?v=2.1.5 CyberSource
livegetpay.com/pay.js?v=2.1.7 Authorize.Net
livegetpay.com/pay.js?v=2.1.8 SagePay
livegetpay.com/pay.js?v=2.1.9 Realex
livegetpay.com/pay.js?v=2.2.0 CyberSource
livegetpay.com/pay.js?v=2.2.1 PayPal
livegetpay.com/pay.js?v=2.2.2 PayPal
livegetpay.com/pay.js?v=2.2.3 PayPal
livegetpay.com/pay.js?v=2.2.4 Verisign
livegetpay.com/pay.js?v=2.2.5 eWAY Rapid
livegetpay.com/pay.js?v=2.2.7 SagePay
livegetpay.com/pay.js?v=2.2.8 SagePay
livegetpay.com/pay.js?v=2.2.9 Verisign
livegetpay.com/pay.js?v=2.3.0 Authorize.Net
livegetpay.com/pay.js?v=2.3.1 Authorize.Net
livegetpay.com/pay.js?v=2.3.2 First Data Global Gateway
livegetpay.com/pay.js?v=2.3.3 Authorize.Net
livegetpay.com/pay.js?v=2.3.4 Authorize.Net
livegetpay.com/pay.js?v=2.3.5 moneris
livegetpay.com/pay.js?v=2.3.6 Authorize.Net
livegetpay.com/pay.js?v=2.3.8 PayPal
livegetpay.com/pay.js?v=2.4.0 Verisign
maxstatics.com/site.js USAePay
mediapack.info/track.js?d=funlove.com USAePay
mediapack.info/track.js?d=qbedding.com Authorize.Net
mediapack.info/track.js?d=vseyewear.com Verisign
mxcounter.com/c.js?v=1.2 PayPal
mxcounter.com/c.js?v=1.3 Authorize.Net
mxcounter.com/c.js?v=1.4 Stripe
mxcounter.com/c.js?v=1.6 Authorize.Net
mxcounter.com/c.js?v=1.7 eWAY Rapid
mxcounter.com/c.js?v=1.8 SagePay
mxcounter.com/c.js?v=2.0 Authorize.Net
mxcounter.com/c.js?v=2.1 Braintree
mxcounter.com/c.js?v=2.10 Braintree
mxcounter.com/c.js?v=2.2 PayPal
mxcounter.com/c.js?v=2.3 SagePay
mxcounter.com/c.js?v=2.31 SagePay
mxcounter.com/c.js?v=2.32 Authorize.Net
mxcounter.com/c.js?v=2.33 PayPal
mxcounter.com/c.js?v=2.34 Authorize.Net
mxcounter.com/c.js?v=2.35 Verisign
mxcounter.com/click.js?v=1.2 PayPal
mxcounter.com/click.js?v=1.3 Authorize.Net
mxcounter.com/click.js?v=1.4 Stripe
mxcounter.com/click.js?v=1.6 Authorize.Net
mxcounter.com/click.js?v=1.7 eWAY Rapid
mxcounter.com/click.js?v=1.8 SagePay
mxcounter.com/click.js?v=2.0 Authorize.Net
mxcounter.com/click.js?v=2.1 Braintree
mxcounter.com/click.js?v=2.2 PayPal
mxcounter.com/click.js?v=2.3 SagePay
mxcounter.com/click.js?v=2.31 SagePay
mxcounter.com/click.js?v=2.32 Authorize.Net
mxcounter.com/click.js?v=2.33 PayPal
mxcounter.com/click.js?v=2.34 Authorize.Net
mxcounter.com/click.js?v=2.35 Verisign
mxcounter.com/cnt.js Authorize.Net
mxcounter.com/j.js Authorize.Net
newrelicnet.com/api.js?v=1.2 Authorize.Net
newrelicnet.com/api.js?v=1.4 Authorize.Net
newrelicnet.com/api.js?v=1.8 SagePay
newrelicnet.com/api.js?v=4.5 SagePay
newrelicnet.com/api.js?v=4.6 Westpac PayWay
nr-public.com/api.js?v=2.0 payfort
nr-public.com/api.js?v=2.1 PayPal
nr-public.com/api.js?v=2.2 Authorize.Net
nr-public.com/api.js?v=2.3 Stripe
nr-public.com/api.js?v=2.4 First Data Global Gateway
nr-public.com/api.js?v=2.5 PsiGate
nr-public.com/api.js?v=2.6 Authorize.Net
nr-public.com/api.js?v=2.7 Authorize.Net
nr-public.com/api.js?v=2.8 moneris
nr-public.com/api.js?v=2.9 Authorize.Net
nr-public.com/api.js?v=3.1 SagePay
nr-public.com/api.js?v=3.2 Verisign
nr-public.com/api.js?v=3.3 moneris
nr-public.com/api.js?v=3.5 PayPal
nr-public.com/api.js?v=3.6 Link Point
nr-public.com/api.js?v=3.7 Westpac PayWay
nr-public.com/api.js?v=3.8 Authorize.Net
nr-public.com/api.js?v=4.0 moneris
nr-public.com/api.js?v=4.0.2 PayPal
nr-public.com/api.js?v=4.0.3 Adyen
nr-public.com/api.js?v=4.0.4 PayPal
nr-public.com/api.js?v=4.0.5 Authorize.Net
nr-public.com/api.js?v=4.0.6 USAePay
nr-public.com/api.js?v=4.0.7 EBizCharge
nr-public.com/api.js?v=4.0.8 Authorize.Net
nr-public.com/api.js?v=4.0.9 Verisign
nr-public.com/api.js?v=4.1.2 Verisign
ordercheckpays.com/api.js?v=2.11 Authorize.Net
ordercheckpays.com/api.js?v=2.12 PayPal
ordercheckpays.com/api.js?v=2.13 moneris
ordercheckpays.com/api.js?v=2.14 Authorize.Net
ordercheckpays.com/api.js?v=2.15 PayPal
ordercheckpays.com/api.js?v=2.16 PayPal
ordercheckpays.com/api.js?v=2.17 Westpac PayWay
ordercheckpays.com/api.js?v=2.18 Authorize.Net
ordercheckpays.com/api.js?v=2.19 Authorize.Net
ordercheckpays.com/api.js?v=2.21 SagePay
ordercheckpays.com/api.js?v=2.22 Verisign
ordercheckpays.com/api.js?v=2.23 Authorize.Net
ordercheckpays.com/api.js?v=2.24 PayPal
ordercheckpays.com/api.js?v=2.25 payfort
ordercheckpays.com/api.js?v=2.29 CyberSource
ordercheckpays.com/api.js?v=2.4 PayPal PayflowPro
ordercheckpays.com/api.js?v=2.7 Authorize.Net
ordercheckpays.com/api.js?v=2.8 Authorize.Net
ordercheckpays.com/api.js?v=2.9 Verisign
ordercheckpays.com/api.js?v=3.1 Authorize.Net
ordercheckpays.com/api.js?v=3.2 Authorize.Net
ordercheckpays.com/api.js?v=3.3 SagePay
ordercheckpays.com/api.js?v=3.4 Authorize.Net
ordercheckpays.com/api.js?v=3.5 Stripe
ordercheckpays.com/api.js?v=3.6 Authorize.Net
ordercheckpays.com/api.js?v=3.7 Authorize.Net
ordercheckpays.com/api.js?v=3.8 Verisign
ordercheckpays.com/api.js?v=3.9 PayPal
ordercheckpays.com/api.js?v=4.0 Authorize.Net
ordercheckpays.com/api.js?v=4.1 Authorize.Net
ordercheckpays.com/api.js?v=4.2 SagePay
ordercheckpays.com/api.js?v=4.3 Authorize.Net
reactjsapi.com/api.js?v=0.1.0 Authorize.Net
reactjsapi.com/api.js?v=0.1.1 PayPal
reactjsapi.com/api.js?v=4.1.2 Flint
reactjsapi.com/api.js?v=4.1.4 PayPal
reactjsapi.com/api.js?v=4.1.5 SagePay
reactjsapi.com/api.js?v=4.1.51 Verisign
reactjsapi.com/api.js?v=4.1.6 Authorize.Net
reactjsapi.com/api.js?v=4.1.7 Authorize.Net
reactjsapi.com/api.js?v=4.1.8 Stripe
reactjsapi.com/api.js?v=4.1.9 Fat Zebra
reactjsapi.com/api.js?v=4.2.0 SagePay
reactjsapi.com/api.js?v=4.2.1 Authorize.Net
reactjsapi.com/api.js?v=4.2.2 First Data Global Gateway
reactjsapi.com/api.js?v=4.2.3 Authorize.Net
reactjsapi.com/api.js?v=4.2.4 eWAY Rapid
reactjsapi.com/api.js?v=4.2.5 Adyen
reactjsapi.com/api.js?v=4.2.7 PayPal
reactjsapi.com/api.js?v=4.2.8 QuickBooks Merchant Services
reactjsapi.com/api.js?v=4.2.9 Verisign
reactjsapi.com/api.js?v=4.2.91 SagePay
reactjsapi.com/api.js?v=4.2.92 Verisign
reactjsapi.com/api.js?v=4.2.94 Authorize.Net
reactjsapi.com/api.js?v=4.3.97 Authorize.Net
reactjsapi.com/api.js?v=4.5 SagePay
reactjsapi.com/react.js Authorize.Net
sydneysalonsupplies.com/gtm.js eWAY Rapid
tagsmediaget.com/react.js Authorize.Net
tagstracking.com/tag.js?v=2.1.2 ANZ eGate
tagstracking.com/tag.js?v=2.1.3 PayPal
tagstracking.com/tag.js?v=2.1.5 CyberSource
tagstracking.com/tag.js?v=2.1.7 Authorize.Net
tagstracking.com/tag.js?v=2.1.8 SagePay
tagstracking.com/tag.js?v=2.1.9 Realex
tagstracking.com/tag.js?v=2.2.0 CyberSource
tagstracking.com/tag.js?v=2.2.1 PayPal
tagstracking.com/tag.js?v=2.2.2 PayPal
tagstracking.com/tag.js?v=2.2.3 PayPal
tagstracking.com/tag.js?v=2.2.4 Verisign
tagstracking.com/tag.js?v=2.2.5 eWAY Rapid
tagstracking.com/tag.js?v=2.2.7 SagePay
tagstracking.com/tag.js?v=2.2.8 SagePay
tagstracking.com/tag.js?v=2.2.9 Verisign
tagstracking.com/tag.js?v=2.3.0 Authorize.Net
tagstracking.com/tag.js?v=2.3.1 Authorize.Net
tagstracking.com/tag.js?v=2.3.2 First Data Global Gateway
tagstracking.com/tag.js?v=2.3.3 Authorize.Net
tagstracking.com/tag.js?v=2.3.4 Authorize.Net
tagstracking.com/tag.js?v=2.3.5 moneris
tagstracking.com/tag.js?v=2.3.6 Authorize.Net
tagstracking.com/tag.js?v=2.3.8 PayPal

Password sniffer

One of the advantages of JavaScript sniffers that work on the client side of a website is their versatility: malicious code embedded in a website can steal any type of data, be it payment information or the login and password for a user account. Group-IB specialists discovered a sample of a ReactGet family sniffer designed to steal the email addresses and passwords of site users.

Intersection with ImageID sniffer

During the analysis of one of the infected stores, it was found that its website had been infected twice: in addition to the malicious code of the ReactGet family sniffer, the code of an ImageID family sniffer was found. This overlap could be evidence that the operators behind both sniffers use similar techniques to inject malicious code.

Universal sniffer

During the analysis of one of the domain names related to the ReactGet sniffer infrastructure, it was found that the same user had registered three other domain names. These three domains imitated the domains of real sites and were previously used to host sniffers. When analyzing the code of three legitimate sites, an unknown sniffer was found, and further analysis showed that it is an improved version of the ReactGet sniffer. All previously tracked versions of this family targeted a single payment system, that is, a separate version of the sniffer was required for each payment system. In this case, however, a universal version of the sniffer was discovered, capable of stealing information from forms related to 15 different payment systems and ecommerce site modules for online payments.

First, the sniffer searched for the basic form fields containing the victim's personal information: full name, physical address, phone number.

The sniffer then searched for more than 15 different prefixes corresponding to different payment systems and online payment modules.

Next, the victim’s personal data and payment information were collected together and sent to a site controlled by the attacker. In this particular case, two versions of the ReactGet universal sniffer were found on two different hacked sites; however, both versions sent the stolen data to the same hacked site, zoobashop.com.

An analysis of the prefixes used by the sniffer to find fields containing the victim's payment information determined that this sniffer sample targeted the following payment systems:

  • Authorize.Net
  • Verisign
  • First Data
  • USAePay
  • Stripe
  • PayPal
  • ANZ eGate
  • Braintree
  • Data Cash (MasterCard)
  • Realex Payments
  • PsiGate
  • Heartland Payment Systems

What tools are used to steal payment information

The first tool discovered during the analysis of the attackers' infrastructure serves to obfuscate the malicious scripts responsible for stealing bank card data. A bash script that uses the CLI of the javascript-obfuscator project to automate sniffer code obfuscation was found on one of the attackers' hosts.

The second discovered tool generates the code responsible for loading the main sniffer. This tool generates JavaScript code that checks whether the user is on the checkout page by searching the user's current address for the strings checkout, cart and so on; if the result is positive, the code loads the main sniffer from the intruder's server. To hide the malicious activity, all strings, including the test strings used to detect the payment page and the link to the sniffer, are base64-encoded.
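Both the URL-substring trigger described in the ReactGet embedding section and the base64-encoded loader described here leave the same trace in a page's scripts: quoted string literals that decode to checkout-page markers or to a remote script address. The analyzer below is an added example written for this article, not code from the report or from the tools it describes. The loader-like fragment it inspects is a constructed stand-in containing only the data literals (the gate hostname gate.example.invalid is invented); the checkout substrings it matches are the ones the article lists.

```javascript
// Added example, not code from the Group-IB report: extract base64-looking
// string literals from a script, decode the ones that decode cleanly, and
// report which decode to checkout-page markers or to URLs. The loader text
// below is a constructed stand-in; no real loader is reproduced.

// Substrings the ReactGet loaders look for in the page address (listed in the article).
const CHECKOUT_MARKERS = [
  "checkout", "one step check out", "onepage/", "out/onepag", "checkout/one", "ckout/one", "cart",
];

const b64 = s => Buffer.from(s, "utf8").toString("base64");

// Constructed loader-like fragment: keyword list and gate URL are base64 literals.
const CONSTRUCTED_LOADER = `
var k = ["${b64("checkout")}", "${b64("onepage/")}", "${b64("cart")}"];
var u = "${b64("https://gate.example.invalid/api.js?v=2.1.1")}";
/* ... the rest compares location.href with the decoded list and loads the decoded u ... */
`;

// Constructed benign script for comparison: short strings and a plain identifier.
const BENIGN_SCRIPT = 'var msg = "hello"; var id = "abcd1234";';

// Decode a literal only if it is canonical base64 that yields printable ASCII.
function decodeBase64Literal(s) {
  if (s.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(s)) return null;
  const buf = Buffer.from(s, "base64");
  if (buf.toString("base64") !== s) return null;
  const text = buf.toString("utf8");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Walk every quoted literal of 8+ base64 characters and classify what it hides.
function analyzeScript(source) {
  const report = { decoded: [], checkoutMarkers: [], urls: [], suspicious: false };
  for (const m of source.matchAll(/["']([A-Za-z0-9+\/=]{8,})["']/g)) {
    const text = decodeBase64Literal(m[1]);
    if (text === null) continue;
    report.decoded.push(text);
    const lower = text.toLowerCase();
    if (/^https?:\/\//.test(lower)) report.urls.push(text);
    else if (CHECKOUT_MARKERS.some(k => lower.includes(k))) report.checkoutMarkers.push(text);
  }
  // A script that both knows what a checkout URL looks like and hides a remote
  // script address in base64 deserves a manual look.
  report.suspicious = report.urls.length > 0 && report.checkoutMarkers.length > 0;
  return report;
}

console.log(analyzeScript(CONSTRUCTED_LOADER));
console.log(analyzeScript(BENIGN_SCRIPT).suspicious);
```

Plain words in quotes can occasionally pass the canonical-base64 check (any 8-character identifier made of base64 symbols decodes to something), which is why the verdict rests on what the decoded text is, a URL or a checkout marker, rather than on the mere presence of base64. Run against a store's checkout page scripts, the same logic also surfaces base64-encoded gate addresses like the one the Illum section describes.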

Phishing attacks

During the analysis of the attackers' network infrastructure, it was found that the criminal group often uses phishing to gain access to the administrative panel of the target online store. The attackers register a domain that looks like the store's domain and deploy a fake Magento admin login form on it. If successful, the attackers gain access to the Magento CMS admin panel, which gives them the ability to edit site components and inject a sniffer to steal credit card data.

Infrastructure

Domain Name Date of discovery/appearance
mediapack.info 04.05.2017
adsgetapi.com 15.06.2017
simcounter.com 14.08.2017
mageanalytics.com 22.12.2017
maxstatics.com 16.01.2018
reactjsapi.com 19.01.2018
mxcounter.com 02.02.2018
apitstatus.com 01.03.2018
orderracker.com 20.04.2018
tagtracking.com 25.06.2018
adsapigate.com 12.07.2018
trusttracker.com 15.07.2018
fbstatspartner.com 02.10.2018
billgetstatus.com 12.10.2018
www.aldenmlilhouse.com 20.10.2018
balletbeautlful.com 20.10.2018
bargalnjunkie.com 20.10.2018
payselector.com 21.10.2018
tagsmediaget.com 02.11.2018
hs-payments.com 16.11.2018
ordercheckpays.com 19.11.2018
geisseie.com 24.11.2018
gtmproc.com 29.11.2018
livegetpay.com 18.12.2018
sydneysalonsupplies.com 18.12.2018
newrelicnet.com 19.12.2018
nr-public.com 03.01.2019
cloudodesc.com 04.01.2019
ajaxstatic.com 11.01.2019
livecheckpay.com 21.01.2019
asianfoodgracer.com 25.01.2019

G-Analytics family

This family of sniffers is used to steal the cards of online store customers. The very first domain name used by the group was registered in April 2016, which may indicate that the group's activity began in mid-2016.

In the current campaign, the group uses domain names that mimic real services such as Google Analytics and jQuery, masking sniffer activity behind legitimate scripts and legitimate-looking domain names. Websites running the Magento CMS were attacked.

How G-Analytics is implemented in the online store code

A distinctive feature of this family is the use of various methods of stealing user payment information. In addition to the classic JavaScript injection into the client side of the site, the criminal group also injected code into the server side of the site, namely into the PHP scripts that process user input. This technique is dangerous because it makes it difficult for third-party researchers to detect the malicious code. Group-IB specialists discovered a version of the sniffer embedded in the site's PHP code that uses the domain dittm.org as a gate.

An early version of the sniffer was also discovered that uses the same domain, dittm.org, to collect stolen data, but this version is intended for installation on the client side of the online store.

Later, the group changed its tactics and began to pay more attention to the concealment of malicious activity and camouflage.

In early 2017, the group began using the domain jquery-js.com, masquerading as a CDN for jQuery: a user who navigates to the malicious site is redirected to the legitimate site jquery.com.

And in mid-2018, the group adopted the domain name g-analytics.com and began to disguise the sniffer's activity as the legitimate Google Analytics service.

Version Analysis

During the analysis of the domains used to host the sniffer code, it was found that there are a large number of versions, which differ in the presence of obfuscation, as well as in the presence or absence of unreachable code added to the file to distract attention and hide the malicious code.

In total, six versions of the sniffer were identified on the site jquery-js.com. These sniffers send the stolen data to an address on the same site as the sniffer itself, hxxps://jquery-js[.]com/latest/jquery.min.js:

  • hxxps://jquery-js[.]com/jquery.min.js
  • hxxps://jquery-js[.]com/jquery.2.2.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.8.3.min.js
  • hxxps://jquery-js[.]com/jquery.1.6.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.4.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.12.4.min.js

The later domain g-analytics.com, used by the group in attacks since mid-2018, hosts even more sniffers. In total, 16 different versions of the sniffer were discovered. In this case, the gate for sending the stolen data was disguised as a link to a GIF image: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071:

  • hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
  • hxxps://g-analytics[.]com/libs/analytics.js

Monetization of stolen data

The criminal group monetizes the stolen data by selling cards through a specially created underground store that provides services to carders. An analysis of the domains used by the attackers showed that google-analytics.cm was registered by the same user as the domain cardz.vc. The domain cardz.vc refers to Cardsurfs (Flysurfs), a store selling stolen bank cards, which gained popularity in the days of the AlphaBay underground marketplace as a store selling bank cards stolen using a sniffer.

Analyzing the domain analytical.is, hosted on the same server as the domains used by the sniffers to collect stolen data, Group-IB specialists discovered a file containing cookie stealer logs, which, it seems, was later abandoned by the developer. One of the entries in the log contained the domain iozoz.com, which was previously used in one of the sniffers active in 2016. Presumably, this domain was previously used by the attacker to collect cards stolen using a sniffer. This domain was registered to the email address [email protected], which was also used to register the domains cardz.su and cardz.vc related to the Cardsurfs carding shop.

Based on the data obtained, it can be assumed that the G-Analytics sniffer family and the underground Cardsurfs bank card store are run by the same people, and the store is used to sell bank cards stolen using a sniffer.

Infrastructure

Domain Name Date of discovery/appearance
iozoz.com 08.04.2016
dittm.org 10.09.2016
jquery-js.com 02.01.2017
g-analytics.com 31.05.2018
google-analytics.is 21.11.2018
analytical.to 04.12.2018
google-analytics.to 06.12.2018
google-analytics.cm 28.12.2018
analytical.is 28.12.2018
googlelc-analytics.cm 17.01.2019

Illum family

Illum is a family of sniffers used to attack online stores running the Magento CMS. In addition to injecting malicious code, the operators of this sniffer also inject full-fledged fake payment forms that send data to gates controlled by the attackers.

When analyzing the network infrastructure used by the operators of this sniffer, a large number of malicious scripts, exploits and fake payment forms were noted, as well as a collection of samples of competing malicious sniffers. Based on the dates of appearance of the domain names used by the group, it can be assumed that the campaign started at the end of 2016.

How Illum is implemented in the code of an online store

The first discovered versions of the sniffer were embedded directly into the code of the compromised site. The stolen data was sent to cdn.illum[.]pw/records.php; the gate address was base64-encoded.

Later, a packed version of the sniffer was discovered that uses a different gate, records.nstatistics[.]com/records.php.

According to a report by Willem de Groot, the same host was used by the sniffer injected into the online store of the German political party CSU.

Attack site analysis

Group-IB specialists discovered and analyzed the site used by this criminal group to store tools and collect stolen information.

Among the tools found on the attacker's server were scripts and exploits for privilege escalation in Linux: for example, the Linux Privilege Escalation Check Script developed by Mike Czumak, as well as an exploit for CVE-2009-1185.

The attackers used two exploits directly against online stores: the first injects malicious code into core_config_data by exploiting CVE-2016-4010; the second exploits an RCE vulnerability in Magento CMS plugins, allowing arbitrary code to be executed on a vulnerable web server.

Also, during the analysis of the server, various samples of sniffers and fake payment forms were found, used by the attackers to collect payment information from hacked sites. As can be seen from the list below, some scripts were created individually for each hacked site, while a universal solution was used for certain CMSs and payment gateways. For example, the scripts segapay_standard.js and segapay_onpage.js are designed to be embedded on sites using the Sage Pay payment gateway.

List of scripts for various payment gateways

Script Payment gateway
sr.illum[.]pw/mjs_special/visiondirect.co.uk.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/topdirenshop.nl.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/tiendalenovo.es.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/pro-bolt.com.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/plae.co.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/ottolenghi.co.uk.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/oldtimecandy.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/mylook.ee.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs_special/luluandsky.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/julep.com.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs_special/gymcompany.es.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/grotekadoshop.nl.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/fushi.co.uk.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/fareastflora.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/compuindia.com.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs/segapay_standart.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/segapay_onpage.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/replace_standard.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs/all_inputs.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/add_inputs_standart.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/magento/payment_standard.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/magento/payment_redirect.js //payrightnow[.]cf/?payment=
sr.illum[.]pw/magento/payment_redcrypt.js //payrightnow[.]cf/?payment=
sr.illum[.]pw/magento/payment_forminsite.js //paymentnow[.]tk/?payment=

The host paymentnow[.]tk, used as a gate in the script payment_forminsite.js, was found as a subjectAltName in several certificates related to the CloudFlare service. In addition, the script evil.js was located on the host. Judging by its name, it could have been used as part of the exploitation of CVE-2016-4010, which makes it possible to inject malicious code into the footer of a site running the Magento CMS. This script used the host request.requestnet[.]tk as a gate, which uses the same certificate as the host paymentnow[.]tk.

Fake payment forms

The figure below shows an example of a form for entering card data. This form was injected into an online store website to steal card data.

The following figure shows an example of a fake PayPal payment form that the attackers injected into sites using this payment method.

Infrastructure

Domain Name Date of discovery/appearance
cdn.illum.pw 27/11/2016
records.nstatistics.com 06/09/2018
request.payrightnow.cf 25/05/2018
paymentnow.tk 16/07/2017
payment-line.tk 01/03/2018
paymentpal.cf 04/09/2017
requestnet.tk 28/06/2017

CoffeMokko family

The CoffeMokko family of sniffers, designed to steal the bank cards of online store users, has been used since at least May 2017. Presumably, the operators of this family are the Group 1 criminal group described by RiskIQ experts in 2016. Websites running CMSs such as Magento, OpenCart, WordPress, osCommerce and Shopify were attacked.

How CoffeMokko is embedded in the code of an online store

The operators of this family create a unique sniffer for each infection: the sniffer file is placed in the src or js directory on the attacker's server, and it is injected into the site code via a direct link to that file.

The names of the form fields whose data is to be stolen are hard-coded in the sniffer. The sniffer also checks whether the user is on the checkout page by matching a list of keywords against the current page URL.

Some of the discovered versions of the sniffer were obfuscated and contained an encrypted string holding the main resource array: the names of the form fields for various payment systems and the address of the gate to which the stolen data is sent.

The stolen payment information is sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. Presumably, this script forwards the data from the gate to the main server, which consolidates the data from all sniffers. To hide the transmitted data, all of the victim's payment information is base64-encoded, and then several character substitutions are applied:

  • the character "e" is replaced by ":"
  • the character "w" is replaced by "+"
  • the character "o" is replaced by "%"
  • the character "d" is replaced by "#"
  • the character "a" is replaced by "-"
  • the character "7" is replaced by "^"
  • the character "h" is replaced by "_"
  • the character "T" is replaced by "@"
  • the character "0" is replaced by "/"
  • the character "Y" is replaced by "*"

Because of these substitutions, the base64-encoded data cannot be decoded without first applying the inverse transformation.
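The encoding described above, modelled as an added example (this is not the sniffer's code and not Group-IB's tooling): the substitution table is the one listed, applied to standard base64 output, which is an assumption since the article does not show the sniffer's implementation. The practical point for an analyst decoding captured traffic is that "+" and "/" are themselves base64 symbols, so a captured "+" may be an original "+" or a substituted "w" (likewise "/" versus "0"); the naive inverse is therefore not always unique, and decodeCandidates() enumerates the alternatives and keeps those that decode to printable text. The sample record and the capped brute force are constructed for the demo.

```javascript
// Added example, not the sniffer's own code: a model of the CoffeMokko
// exfiltration encoding (base64, then the character substitutions listed in
// the article) and an analyst-side decoder for captured data.
// Assumption: the substitutions are applied to standard base64 output.

// Substitution table as given in the article.
const SUBST = {
  e: ':', w: '+', o: '%', d: '#', a: '-',
  '7': '^', h: '_', T: '@', '0': '/', Y: '*',
};
const INVERSE = {};
for (const [plain, enc] of Object.entries(SUBST)) INVERSE[enc] = plain;

// Transformation the sniffer applies before sending the payment data.
function encodeLikeSniffer(plaintext) {
  const b64 = Buffer.from(plaintext, 'utf8').toString('base64');
  return b64.split('').map((c) => SUBST[c] || c).join('');
}

// Naive inverse: undo every substitution, then base64-decode. This is only
// guaranteed correct when the original base64 contained no "+" or "/".
function decodeExfil(captured) {
  const b64 = captured.split('').map((c) => INVERSE[c] || c).join('');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Indices in the captured string where the naive inverse may be wrong:
// a "+" could be an original "+" or a substituted "w", a "/" an original
// "/" or a substituted "0".
function ambiguousPositions(captured) {
  const out = [];
  for (let i = 0; i < captured.length; i++) {
    if (captured[i] === '+' || captured[i] === '/') out.push(i);
  }
  return out;
}

// Try every interpretation of the ambiguous positions (2^n, capped) and
// keep the ones that decode to printable ASCII, which is what card-form
// data looks like. Returns the distinct plausible plaintexts.
function decodeCandidates(captured, maxAmbiguous = 12) {
  const pos = ambiguousPositions(captured);
  if (pos.length > maxAmbiguous) {
    throw new Error(`too many ambiguous positions: ${pos.length}`);
  }
  const base = captured.split('').map((c) => INVERSE[c] || c);
  const results = new Set();
  for (let mask = 0; mask < (1 << pos.length); mask++) {
    const chars = base.slice();
    // A set bit means "this was a real base64 '+' or '/', not a substitution".
    pos.forEach((p, bit) => { if (mask & (1 << bit)) chars[p] = captured[p]; });
    const text = Buffer.from(chars.join(''), 'base64').toString('utf8');
    if (/^[\x20-\x7e]*$/.test(text)) results.add(text);
  }
  return [...results];
}

// Constructed sample record (a well-known test card number, not a real card).
const SAMPLE = 'card=4111111111111111';
const CAPTURED = encodeLikeSniffer(SAMPLE); // "*2FyZD//M@ExM@ExM@ExM@ExM@Ex"

if (typeof require !== 'undefined' && require.main === module) {
  console.log(CAPTURED);
  console.log(decodeExfil(CAPTURED));
  console.log(decodeCandidates(CAPTURED));
}
```

For the sample above the naive inverse is correct, but decodeCandidates() also returns a second printable reading ("card=?111111111111111"), which is exactly the ambiguity a decoder has to surface rather than silently pick one interpretation. In practice the plausible candidate is confirmed from context (field names, a Luhn-valid card number, matching expiry format) before the record is treated as evidence.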

This is how a fragment of the sniffer code that has not been obfuscated looks like:


Infrastructure analysis

In early campaigns, the attackers registered domain names similar to those of legitimate online shopping sites. Their domain could differ from the legitimate one by a single character or by a different TLD. The registered domains were used to store the sniffer code, a link to which was embedded in the store's code.

This group also used domain names reminiscent of popular jQuery plugins (slickjs[.]org for sites using the slick.js plugin) and of payment gateways (sagecdn[.]org for sites using the Sage Pay payment system).

Later, the group began to create domains whose name had nothing to do with either the store's domain or the store's theme.

Each domain corresponded to a site on which a /js or /src directory was created, and the sniffer scripts were stored in that directory: one sniffer for each new infection. The sniffer was injected into the site code via a direct link; in rare cases, the attackers instead modified one of the site's own files and added the malicious code to it.

Code analysis

First Obfuscation Algorithm

In some samples of this family, the code was obfuscated and contained the encrypted data the sniffer needs to operate: in particular, the gate address, the list of payment form fields and, in some cases, the code of a fake payment form. Inside a function, these resources were encrypted with XOR using a key that was passed as an argument to the same function.

Decrypting the string with the matching key, which is unique to each sample, yields a single string containing all the string constants from the sniffer's code, separated by a delimiter character.


Second obfuscation algorithm

Later samples of this family used a different obfuscation mechanism: the data was encrypted with a custom algorithm, and a string containing the encrypted data required for the sniffer's operation was passed as an argument to the decryption function.

Using the browser console, you can decrypt this data and obtain an array containing the sniffer's resources.


Link to early MageCart attacks

Analysis of one of the domains used by the group as a gate for collecting stolen data showed that the credit card theft infrastructure deployed on it was identical to that used by Group 1, one of the first such groups, discovered by RiskIQ specialists.

Two files were found on the CoffeMokko sniffer family's host:

  • mage.js — a file containing Group 1 sniffer code with the gate address js-cdn.link
  • mag.php — a PHP script responsible for collecting the data stolen by the sniffer

The contents of the mage.js file

It has also been determined that the earliest domains used by the group behind the CoffeMokko sniffer family were registered on May 17, 2017:

  • link-js[.]link
  • info-js[.]link
  • track-js[.]link
  • map-js[.]link
  • smart-js[.]link

The format of these domain names is the same as the Group 1 domain names that were used in the 2016 attacks.

Based on these findings, a connection between the CoffeMokko sniffer operators and the Group 1 criminal group can be assumed. The CoffeMokko operators may have borrowed the card-stealing tools and software from their predecessors. It is more likely, however, that the criminal group using the CoffeMokko family sniffers consists of the same people who carried out the attacks attributed to Group 1. After the first report on the group's activity was published, all of their domain names were blocked, and their tools were studied in detail and described. The group was forced to take a break, refine its internal tools and rewrite the sniffer code in order to continue its attacks and remain unnoticed.

Infrastructure

Domain name                   Date of discovery/appearance
link-js.link                  17.05.2017
info-js.link                  17.05.2017
track-js.link                 17.05.2017
map-js.link                   17.05.2017
smart-js.link                 17.05.2017
adorebeauty.org               03.09.2017
security-payment.su           03.09.2017
braincdn.org                  04.09.2017
sagecdn.org                   04.09.2017
slickjs.org                   04.09.2017
oakandfort.org                10.09.2017
citywlnery.org                15.09.2017
dobell.su                     04.10.2017
childrensplayclothing.org     31.10.2017
jewsondirect.com              05.11.2017
shop-rnib.org                 15.11.2017
closetlondon.org              16.11.2017
misshaus.org                  28.11.2017
battery-force.org             01.12.2017
kik-vape.org                  01.12.2017
greatfurnituretradingco.org   02.12.2017
etradesupply.org              04.12.2017
replacemyremote.org           04.12.2017
all-about-sneakers.org        05.12.2017
mage-checkout.org             05.12.2017
nililotan.org                 07.12.2017
lamoodbighat.net              08.12.2017
walletgear.org                10.12.2017
dahlie.org                    12.12.2017
davidsfootwear.org            20.12.2017
blackriverimaging.org         23.12.2017
exrpesso.org                  02.01.2018
parks.su                      09.01.2018
pmtonline.com                 12.01.2018
otocap.org                    15.01.2018
christohperward.org           27.01.2018
coffetea.org                  31.01.2018
energycoffe.org               31.01.2018
energytea.org                 31.01.2018
teacoffe.net                  31.01.2018
adaptivecss.org               01.03.2018
coffemokko.com                01.03.2018
londontea.net                 01.03.2018
ukcoffe.com                   01.03.2018
labbe.biz                     20.03.2018
batterynart.com               03.04.2018
btosports.net                 09.04.2018
chicksaddlery.net             16.04.2018
paypaypay.org                 11.05.2018
ar500arnor.com                26.05.2018
authorizecdn.com              28.05.2018
slickmin.com                  28.05.2018
bannerbuzz.info               03.06.2018
kandypens.net                 08.06.2018
mylrendyphone.com             15.06.2018
freshchat.info                01.07.2018
3lift.org                     02.07.2018
abtasty.net                   02.07.2018
mechat.info                   02.07.2018
zoplm.com                     02.07.2018
zapaljs.com                   02.09.2018
foodandcot.com                15.09.2018
freshdepor.com                15.09.2018
swappastore.com               15.09.2018
verywellfitness.com           15.09.2018
elegrina.com                  18.11.2018
majsurplus.com                19.11.2018
top5value.com                 19.11.2018

Source: habr.com
