Almost every one of us uses online stores, which means that sooner or later we risk becoming victims of JavaScript sniffers: special code that attackers inject into a website to steal bank card data, addresses, user names and passwords.
Nearly 400 thousand users of the British Airways website and mobile app have already been affected by sniffers, as have visitors to the website of the British sportswear giant FILA and the US ticket distributor Ticketmaster. PayPal, Chase Paymentech, USAePay, Moneris: these and other payment systems have been hit.
Viktor Okorokov, Threat Intelligence analyst at Group-IB, explains how sniffers get into website code and steal payment information, and which CRMs they attack.
"Hidden threat"
For a long time, JS sniffers stayed out of sight of anti-virus analysts, and banks and payment systems did not regard them as a serious threat. And completely in vain. Group-IB experts
Let us take a closer look at the four families of sniffers studied during the research.
ReactGet family
Sniffers of the ReactGet family are used to steal bank card data on online shopping sites. The sniffer can work with a large number of different payment systems used on a site: one parameter value corresponds to one payment system, and individual detected versions of the sniffer can be used to steal credentials, as well as to steal bank card data from the payment forms of several payment systems at once, like the so-called universal sniffer. It was found that in some cases the attackers carry out phishing attacks against online store administrators in order to gain access to the site's administrative panel.
The campaign using this family of sniffers began in May 2017. Sites running the CMS and platforms Magento, Bigcommerce and Shopify were attacked.
How ReactGet is embedded in the code of an online store
In addition to the "classic" script injection via a link, operators of the ReactGet sniffer family use a special technique: using JavaScript code, they check whether the current address the user is on meets certain criteria. The malicious code runs only if the current URL contains the substring checkout or one of onestepcheckout, onepage/, out/onepag, checkout/one, ckout/one. Thus the sniffer code is executed exactly at the moment the user proceeds to pay for a purchase and enters payment information into the form on the site.
This sniffer uses a typical technique. The victim's payment and personal data are collected, encoded with base64, and then the resulting string is used as a parameter to send a request to the attacker's site. Most often the path to the gate imitates a JavaScript file, for example resp.js, data.js and so on, but links to image files, GIF and JPG, are also used. The peculiarity is that the sniffer creates an image object 1 by 1 pixel in size and uses the previously obtained link as its src attribute. That is, in the user's traffic such a request looks like a request for an ordinary image. A similar technique was used in the ImageID sniffer family. In addition, the 1x1 image technique is used in many legitimate web analytics scripts, which can also mislead the user.
Code analysis
An analysis of the domains used by ReactGet sniffer operators revealed many different versions of this sniffer family. The versions differ in the presence or absence of obfuscation and, in addition, each sniffer is designed for a specific payment system that processes bank card payments for online stores. By sorting the value of the parameter corresponding to the version number, Group-IB experts obtained a full list of the available sniffer variants, and from the names of the form fields that each sniffer looks for in the page code they determined the payment systems each sniffer targets.
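As an added example (not code from the article or from Group-IB), here is a defender-side scan of resource requests captured on a checkout page that flags the exfiltration pattern just described: a 1x1 image or a fake .js file fetched from an unknown host with a base64 payload in its URL. The hosts, URLs and request records are all constructed for this example.

```javascript
// Added example (not code from the article or from Group-IB): a defender-side
// scan of resource requests captured on a checkout page that flags the
// exfiltration pattern described above: a 1x1 image or a fake .js file fetched
// from an unknown host with a base64 payload in its URL. Hosts, URLs and request
// records are all constructed for this example.

const FIRST_PARTY = new Set(["shop.example", "cdn.shop.example"]);
const KNOWN_THIRD_PARTY = new Set(["www.google-analytics.com"]); // allowlisted
const B64_SEGMENT = /[A-Za-z0-9+/]{32,}={0,2}/g;
const RANK = { low: 1, medium: 2, high: 3 };

// Luhn checksum: a 13-19 digit run that passes it is very likely a card number.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Decode a base64 URL segment; return null unless the result is printable ASCII
// (a cache-buster or hash decodes to binary junk, exfiltrated form data does not).
function decodePrintable(seg) {
  const text = Buffer.from(seg, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Returns one finding per suspicious request: { url, severity, reasons }.
function findBeaconExfil(requests) {
  const findings = [];
  for (const req of requests) {
    const u = new URL(req.url);
    if (FIRST_PARTY.has(u.hostname) || KNOWN_THIRD_PARTY.has(u.hostname)) continue;
    const reasons = [];
    let severity = null;
    const raise = (s) => { if (!severity || RANK[s] > RANK[severity]) severity = s; };

    // A 1x1 image from an unknown host is the beacon shape the sniffer uses.
    if (req.type === "img" && req.width === 1 && req.height === 1) {
      reasons.push("1x1 image fetched from unknown host");
      raise("low");
    }
    // Long base64 runs in the path or query are checked for readable form data.
    for (const seg of (u.pathname + u.search).match(B64_SEGMENT) || []) {
      const text = decodePrintable(seg);
      if (text === null) continue;
      reasons.push(`base64 segment decodes to text: ${text.slice(0, 40)}`);
      raise("medium");
      if ((text.match(/\d{13,19}/g) || []).some(luhnValid)) {
        reasons.push("payload contains a Luhn-valid card number");
        raise("high");
      }
    }
    if (severity) findings.push({ url: req.url, severity, reasons });
  }
  return findings;
}

// Constructed capture: two legitimate requests, two exfil beacons, and one benign
// cache-busted script from an unfamiliar CDN (must not be flagged).
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");
const SAMPLE_REQUESTS = [
  { type: "img", url: "https://cdn.shop.example/img/logo.png", width: 200, height: 60 },
  { type: "img", url: "https://www.google-analytics.com/__utm.gif?v=1&t=pageview", width: 1, height: 1 },
  { type: "script", url: "https://stat-api.example/resp.js?d=" + b64("login=jdoe&pass=hunter2&remember=1") },
  { type: "img", url: "https://track-img.example/p.gif?i=" + b64("cc=4111111111111111&exp=12/24&cvv=123"), width: 1, height: 1 },
  { type: "script", url: "https://unknown-cdn.example/app.min.js?v=3a9f1c2e7b4d8a0f6e5c1b2d3a4f5e6c" },
];

for (const f of findBeaconExfil(SAMPLE_REQUESTS)) {
  console.log(`[${f.severity}] ${f.url}\n  ${f.reasons.join("\n  ")}`);
}
```

The allowlist is the part a real deployment has to maintain: every tag or CDN the checkout page legitimately loads must be in it, or the scan is noise.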
List of sniffers and their corresponding payment systems
[Table: sniffer hash | payment system. The hash column did not survive extraction; the payment systems named in the surviving column include Authorize.Net, PayPal, PayPal Payflow Pro, Verisign, Sage Pay, USAePay, Moneris, Adyen, eWAY Rapid, Realex, LinkPoint, ANZ eGate, PsiGate, CyberSource, Chase Paymentech, First Data Global Gateway, Braintree, Westpac PayWay, EBizCharge, QuickBooks Merchant Services and Fat Zebra, among others.]
Stealing passwords
One of the distinctive features of JavaScript sniffers that run on the client side of a website is their versatility: malicious code embedded in a site can steal any type of data, whether payment information or the login and password of a user account. Group-IB experts discovered a sample of a ReactGet family sniffer designed to steal the email addresses and passwords of site users.
Overlap with the ImageID sniffer
During the analysis of one of the infected stores, it was found that its website had been infected twice: in addition to the malicious code of the ReactGet sniffer family, code of the ImageID sniffer family was found. This overlap may indicate that the operators behind the two sniffers use similar techniques to inject malicious code.
Universal sniffer
When analyzing one of the domain names associated with the ReactGet sniffer infrastructure, it was found that the same user had registered three more domain names. These three domains imitated the domains of real sites and had previously been used to host sniffers. Analysis of the code of three legitimate sites revealed a previously unknown sniffer, and further analysis showed that it is an improved version of the ReactGet sniffer. All previously analyzed versions of this sniffer family were tied to a single payment system, that is, a special version of the sniffer was required for each payment system. In this case, however, a universal version of the sniffer was discovered, capable of stealing information from forms associated with 15 different payment systems and e-commerce site modules for online payments.
So, at the start of its work the sniffer looked for the basic form fields containing the victim's personal information: full name, physical address, phone number.
Then the sniffer searched for more than 15 different prefixes corresponding to different payment systems and online payment modules.
Next, the victim's personal data and payment information were collected and sent to a site controlled by the attacker: in this case, two versions of the ReactGet universal sniffer were found on two different hacked sites. However, both versions sent the stolen data to the same hacked site, zoobashop.com.
Analysis of the prefixes the sniffer used to search for fields containing the victim's payment information determined that this sniffer sample targeted the following payment systems:
- Authorize.Net
- Verisign
- First Data
- USAePay
- Stripe
- PayPal
- ANZ eGate
- Braintree
- DataCash (MasterCard)
- Realex Payments
- PsiGate
- Heartland Payment Systems
What tools were used to steal payment information
The first tool discovered during the analysis of the attackers' infrastructure is used to obfuscate the malicious scripts responsible for stealing bank cards. A bash script using the project's CLI was found on one of the attackers' hosts.
The second tool discovered is designed to generate the code responsible for loading the main sniffer. This tool generates JavaScript code that checks whether the user is on the checkout page by searching the user's current address for the strings checkout, cart and so on, and if the result is positive, the code loads the main sniffer from the attackers' server. To hide the malicious activity, all strings, including the test strings for identifying the payment page and the link to the sniffer, are encoded with base64.
Phishing attacks
During the analysis of the attackers' network infrastructure, it was found that the criminal group often uses phishing to gain access to the administrative panel of the target online store. The attackers register a domain that visually resembles the store's domain and then deploy a fake Magento admin panel login form on it. If successful, the attackers gain access to the Magento CMS admin panel, which gives them the ability to edit site components and deploy a sniffer to steal credit card data.
G-Analytics family
This family of sniffers is used to steal customer cards from online stores. The very first domain name used by the group was registered in April 2016, which may indicate that the group's activity began in mid-2016.
In the current campaign, the group uses domain names imitating real services such as Google Analytics and jQuery, masking sniffer activity with legitimate scripts and legitimate-looking domain names. Sites running the Magento CMS were attacked.
How G-Analytics is embedded in the code of an online store
A distinctive feature of this family is the use of various methods of stealing user payment information. In addition to the classic JavaScript injection into the client side of the site, the criminal group also used the technique of injecting code into the server side of the site, namely into the PHP scripts that process user input. This technique is dangerous because it makes it difficult for third-party researchers to detect the malicious code. Group-IB experts discovered a version of the sniffer embedded in the site's PHP code, using the domain dittm.org as a gate.
An early version of a sniffer using the same domain dittm.org to collect stolen data was also found, but that version was intended for embedding on the client side of the online store.
Later, the group changed its tactics and began paying more attention to hiding its malicious activity and to camouflage.
In early 2017, the group began using the domain jquery-js.com, posing as a CDN for jQuery: when visiting the malicious site, the user is redirected to the legitimate site jquery.com.
And in mid-2018, the group adopted the domain name g-analytics.com and began disguising the sniffer's activity as the legitimate Google Analytics service.
Code analysis
During the analysis of the domains used to store the sniffer code, it was found that the site hosts a large number of versions that differ in the presence of obfuscation, as well as in the presence or absence of unreachable code added to the file to divert attention and hide the malicious code.
In total, six sniffer variants were found on the site jquery-js.com. These sniffers sent stolen data to an address on the same site as the sniffer itself: hxxps://jquery-js[.]com/latest/jquery.min.js.
The later domain g-analytics.com, used by the group in attacks since mid-2018, serves as a repository for further sniffers. In total, 16 different versions of the sniffer were found there. In this case, the gate for sending stolen data was disguised as a link to a GIF image: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071.
Monetization of stolen data
The criminal group monetizes the stolen data by selling cards through an underground shop created to provide services to carders. Analysis of the domains used by the attackers made it possible to determine that google-analytics.cm was registered by the same user as the domain cardz.vc. The domain cardz.vc is related to Cardsurfs (Flysurfs), a shop selling stolen bank cards that gained popularity in the days of the AlphaBay underground marketplace as a shop selling bank cards stolen with a sniffer.
Analyzing the domain analytical.is, hosted on the same server as the domains used by the sniffers to collect stolen data, Group-IB experts found a file containing cookie stealer logs, apparently abandoned by the developer. One of the entries in the log contained the domain iozoz.com, which had previously been used in one of the sniffers active in 2016. Presumably, this domain was earlier used by the attacker to collect cards stolen with a sniffer. The domain was registered to the email address [email protected], which was also used to register the domains cardz.su and cardz.vc, related to the Cardsurfs card shop.
Based on the data obtained, it can be assumed that the G-Analytics sniffer family and the underground card shop Cardsurfs are run by the same people, and that the shop was used to sell bank cards stolen with the sniffer.
Illum family
Illum is a family of sniffers used to attack online stores running Magento CMS. In addition to injecting malicious code, the operators of this sniffer also inject full-fledged fake payment forms that send data to gates controlled by the attackers.
When analyzing the network infrastructure used by the operators of this sniffer, a large number of malicious scripts, exploits and fake payment forms were noted, as well as a collection of samples of competitors' sniffers. Based on the dates on which the domain names used by the group appeared, it can be assumed that the campaign began in late 2016.
How Illum is embedded in the code of an online store
The first discovered versions of the sniffer were embedded directly into the code of the compromised site. The stolen data was sent to cdn.illum[.]pw/records.php, with the gate address encoded in base64.
Later, a packed version of the sniffer was found that used a different gate: records.nstatistics[.]com/records.php.
Analysis of the attack infrastructure
Group-IB experts discovered and analyzed the infrastructure used by this criminal group to store tools and collect stolen information.
Among the tools found on the attackers' server were scripts and exploits for privilege escalation on Linux: for example, the Linux Privilege Escalation Check Script developed by Mike Czumak, as well as an exploit for CVE-2009-1185.
The attackers used two exploits directly against online stores:
In addition, during the analysis of the server, various versions of sniffers and fake payment forms were found that the attackers used to collect payment information from hacked sites. As can be seen from the list below, some scripts were created individually for each hacked site, while a universal solution was used for certain CMSs and payment gateways. For example, the scripts segapay_standard.js and segapay_onpage.js were designed to be embedded on sites using the Sage Pay payment gateway.
List of scripts for various payment gateways
[Table: script | payment gateway. The script-name column did not survive extraction, leaving only the gate URL column.]
The host paymentnow[.]tk, used as a gate in the script payment_forminsite.js, was found as a subjectAltName in several certificates related to the CloudFlare service. In addition, the script evil.js was located on the host. Judging by the script's name, it could have been used as part of the exploitation of CVE-2016-4010, which allows injecting malicious code into the footer of a site running Magento CMS. This script used the host request.requestnet[.]tk as a gate, which uses the same certificate as the host paymentnow[.]tk.
Fake payment forms
The image below shows an example of a form for entering card data. This form was used to embed into an online store site and steal card data.
The following image shows an example of a fake PayPal payment form that the attackers used to embed into sites using this payment method.
CoffeMokko family
The CoffeMokko sniffer family has been used to steal the bank cards of online store users since at least May 2017. Presumably, the operators of this sniffer family are the criminal group Group 1, described by RiskIQ experts in 2016. Sites running CMSs such as Magento, OpenCart, WordPress, osCommerce and Shopify were attacked.
How CoffeMokko is embedded in the code of an online store
The operators of this family create a unique sniffer for each infection: the sniffer file is located in the src or js directory on the attackers' server. Embedding into the site code is done via a direct link to the sniffer.
The sniffer code hard-codes the names of the form fields from which data is to be stolen. The sniffer also checks whether the user is on the checkout page by matching a list of keywords against the user's current address.
Some discovered versions of the sniffer were obfuscated and contained an encrypted string that stored the main array of resources: it held the names of form fields for various payment systems, as well as the address of the gate to which the stolen data should be sent.
The stolen payment information was sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. Presumably, this script is used to forward data from the gate to the main server, which consolidates data from all sniffers. To hide the transmitted data, all of the victim's payment information is encoded with base64, after which several character substitutions take place:
- the character "e" is replaced with ":"
- the character "w" is replaced with "+"
- the character "o" is replaced with "%"
- the character "d" is replaced with "#"
- the character "a" is replaced with "-"
- the character "7" is replaced with "^"
- the character "h" is replaced with "_"
- the character "T" is replaced with "@"
- the character "0" is replaced with "/"
- the character "Y" is replaced with "*"
As a result of the character substitutions, the base64-encoded data cannot be decoded without the reverse transformation.
This is what a fragment of the non-obfuscated sniffer code looks like:
Infrastructure analysis
In early campaigns, the attackers registered domain names similar to those of legitimate online shopping sites. Their domain could differ from the legitimate one by a single character or by a different TLD. The registered domains were used to store the sniffer code, a link to which was embedded in the store's code.
This group also used domain names reminiscent of popular jQuery plugins (slickjs[.]org for sites using the slick.js plugin) and of payment gateways (sagecdn[.]org for sites using the Sage Pay payment system).
Later, the group began to create domains whose names had nothing to do with the store's domain or the store's theme.
Each domain corresponded to a site on which the /js or /src directory was created. Sniffer scripts were stored in this directory: one sniffer for each new infection. The sniffer was embedded into the site code via a direct link, but in rare cases the attackers modified one of the site's files and added the malicious code to it.
Code analysis
First obfuscation algorithm
In some sniffer samples of this family, the code was obfuscated and contained encrypted data needed for the sniffer to work: specifically, the address of the sniffer's gate, a list of payment form fields and, in some cases, the code of a fake payment form. In the code inside the function, the resources were encrypted with XOR using a key passed as an argument to the same function.
By decrypting the string with the corresponding key, which is unique for each sample, you can obtain a string containing all the lines from the sniffer code separated by a delimiter character.
Second obfuscation algorithm
In later samples of this sniffer family, a different obfuscation mechanism was used: in this case the data was encrypted using a home-grown algorithm. A string containing the encrypted data needed for the sniffer to work was passed as an argument to the decryption function.
Using the browser console, you can decrypt the encrypted data and obtain an array containing the sniffer's resources.
Link to early MageCart attacks
When analyzing one of the domains used by the group as a gate to collect stolen data, it was found that this domain hosted the same credit card theft infrastructure as that used by Group 1, one of the first groups discovered.
Two files were found on the CoffeMokko sniffer family's host:
- mage.js: a file containing the Group 1 sniffer code with the gate address js-cdn.link
- mag.php: a PHP script responsible for collecting the data stolen by the sniffer
Contents of the mage.js file
It was established that the very first domains used by the group behind the CoffeMokko sniffer family were registered on May 17, 2017:
- link-js[.]link
- info-js[.]link
- track-js[.]link
- map-js[.]link
- smart-js[.]link
The pattern of these domain names is the same as that of the Group 1 domain names used in the 2016 attacks.
Based on the findings, it can be assumed that there is a connection between the CoffeMokko sniffer operators and the criminal group Group 1. Perhaps the CoffeMokko operators borrowed tools and software for stealing cards from their predecessors. However, it is more likely that the criminal group behind the use of the CoffeMokko sniffer family is the same people who carried out the attacks as part of Group 1's activity. After the publication of the first report on the criminal group's activity, all of its domain names were blocked, and its tools were studied in detail and described. The group was forced to take a break, refine its internal tools and rewrite the sniffer code in order to continue its attacks and remain unnoticed.
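As an added example (not code from the article or from the CoffeMokko sniffer itself), here are two analyst-side decoders for the encodings described in this family's sections: the "base64, then character substitution" exfiltration encoding, and the XOR-encrypted, delimiter-joined resource string of the first obfuscation algorithm. Standard base64, the "|" delimiter, base64 storage of the XOR output and every sample value are assumptions made for this example; the decoder also shows why the substitution table makes "+" and "/" ambiguous on the wire and how that is resolved per base64 group.

```javascript
// Added example (not code from the article or from the CoffeMokko sniffer): two
// analyst-side decoders for the encodings described above. Part 1 reverses the
// "base64, then character substitution" exfiltration encoding; part 2 recovers
// the XOR-encrypted, delimiter-joined resource string of the first obfuscation
// algorithm. Standard base64, the "|" delimiter, base64 storage of the XOR
// output and every sample value are assumptions made for this example.

// ---- Part 1: exfiltration encoding ----------------------------------------
const SUBST = { e: ":", w: "+", o: "%", d: "#", a: "-", "7": "^", h: "_", T: "@", "0": "/", Y: "*" };
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// The transform as the article describes it; used here only to build a sample.
function encodeExfil(text) {
  return Buffer.from(text, "utf8").toString("base64").replace(/[ewoda7hT0Y]/g, (c) => SUBST[c]);
}

// Reverse map. Two wire characters are ambiguous: "+" may be the substitute for
// "w" or a genuine base64 "+", and "/" may stand for "0" or a genuine "/".
const REVERSE = {};
for (const [plain, sub] of Object.entries(SUBST)) REVERSE[sub] = [plain];
REVERSE["+"].push("+");
REVERSE["/"].push("/");
const candidates = (c) => REVERSE[c] || [c];

// Decode one 4-character base64 group (with "=" padding) into its 1-3 bytes.
function groupBytes(g) {
  const pad = (g.match(/=/g) || []).length;
  const v = [...g].map((c) => (c === "=" ? 0 : B64.indexOf(c)));
  const b = [(v[0] << 2) | (v[1] >> 4), ((v[1] & 15) << 4) | (v[2] >> 2), ((v[2] & 3) << 6) | v[3]];
  return b.slice(0, 3 - pad);
}
const printable = (b) => b >= 0x20 && b <= 0x7e;
const alnumCount = (bs) => bs.filter((b) => /[0-9A-Za-z]/.test(String.fromCharCode(b))).length;

// Base64 groups are independent, so the ambiguity is resolved group by group:
// keep the candidates whose bytes are all printable ASCII (form data always is),
// then prefer the one with more alphanumerics, so card digits win over ">" or "?".
function decodeExfil(wire) {
  if (wire.length % 4 !== 0) throw new Error("wire length is not a multiple of 4");
  let out = "";
  for (let i = 0; i < wire.length; i += 4) {
    let groups = [""];
    for (const c of wire.slice(i, i + 4)) groups = groups.flatMap((p) => candidates(c).map((x) => p + x));
    const decoded = groups.map(groupBytes).filter((bs) => bs.every(printable));
    if (decoded.length === 0) throw new Error(`group ${i / 4} has no printable decoding`);
    decoded.sort((x, y) => alnumCount(y) - alnumCount(x));
    out += String.fromCharCode(...decoded[0]);
  }
  return out;
}

// ---- Part 2: XOR-encrypted resource string ---------------------------------
// Resources (gate path, form field names, checkout keyword) joined by a delimiter,
// XORed with a repeating key and stored as base64 (storage format assumed).
function xorBytes(buf, key) {
  const k = Buffer.from(key, "utf8");
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ k[i % k.length];
  return out;
}
function encryptResources(list, key, delim = "|") {
  return xorBytes(Buffer.from(list.join(delim), "utf8"), key).toString("base64");
}
function decryptResources(blob, key, delim = "|") {
  return xorBytes(Buffer.from(blob, "base64"), key).toString("utf8").split(delim);
}

// Constructed samples (not real sniffer traffic).
const SAMPLE_FORM = "number=4111111111111111&exp=12/24&cvv=123&holder=JOHN DOE";
const SAMPLE_WIRE = encodeExfil(SAMPLE_FORM);
const SAMPLE_RESOURCES = ["/tr/index.php", "cc_number", "cc_exp_month", "cc_cid", "checkout"];
const SAMPLE_KEY = "s4mpl3";
const SAMPLE_BLOB = encryptResources(SAMPLE_RESOURCES, SAMPLE_KEY);

console.log("wire     :", SAMPLE_WIRE);
console.log("decoded  :", decodeExfil(SAMPLE_WIRE));
console.log("resources:", decryptResources(SAMPLE_BLOB, SAMPLE_KEY));
```

The alphanumeric tie-break is a heuristic: a payload byte of ">", "?" or "~" at the last position of a base64 group would be mis-decoded, which is acceptable for card and address data but worth remembering when the output looks off by one character.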
Source: www.habr.com