Almost every one of us uses the services of online stores, which means that sooner or later we run the risk of becoming a victim of JavaScript sniffers: special code that attackers inject into a website to steal users' bank card data, addresses, logins and passwords.
Nearly 400 users of the British Airways website and mobile application have already been affected by sniffers, as well as visitors to the British website of the sportswear giant FILA and the American ticket distributor Ticketmaster. PayPal, Chase Paymentech, USAePay, Moneris: these and many other payment systems have been infected.
Viktor Okorokov, an analyst with Group-IB's Threat Intelligence team, explains how sniffers infiltrate website code and steal payment data, and which CMSs they attack.
"Hidden hem"
Nws yog li ntawd tau tshwm sim rau lub sijhawm ntev JS sniffers tseem tsis pom ntawm cov kws tshuaj ntsuam xyuas tus kabmob, thiab cov tsev txhab nyiaj thiab cov nyiaj them poob haujlwm tsis pom lawv yog qhov kev hem thawj loj. Thiab kiag li nyob rau hauv vain. Group-IB experts
Cia peb nyob hauv kev nthuav dav ntawm plaub tsev neeg ntawm sniffers kawm thaum kawm.
The ReactGet family
Sniffers of the ReactGet family are used to steal bank card data from online shopping sites. The sniffer can work with a large number of different payment systems used on a site: one version value corresponds to one payment system, and individual detected versions of the sniffer can be used to steal credentials, as well as to steal bank card data from the payment forms of several payment systems at once, like the so-called universal sniffer. It was found that in some cases the attackers carry out phishing attacks on online store administrators in order to gain access to the site's administrative panel.
A campaign using this family of sniffers began in May 2017; sites running the Magento, Bigcommerce, and Shopify CMSs and platforms were attacked.
How ReactGet is embedded in the code of an online store
In addition to the "classic" injection of a script via a link, the operators of the ReactGet family of sniffers use a special technique: using JavaScript code, they check whether the address the user is currently on matches certain criteria. The malicious code is executed only if the current URL contains one of the substrings checkout, onestepcheckout, onepage/, out/onepag, checkout/one, ckout/one. Thus, the sniffer code runs exactly at the moment when the user proceeds to pay for the purchase and enters payment data into the form on the site.
This sniffer uses a non-standard technique. The victim's payment and personal data are collected together and base64 encoded, and the resulting string is then used as a parameter of a request to the attackers' site. Most often the path to the gateway mimics a JavaScript file, for example resp.js, data.js and so on, but links to image files, GIF and JPG, are also used. The peculiarity is that the sniffer creates an image object of size 1 by 1 pixel and uses the previously obtained link as its src parameter. That is, for the user such a request in the traffic will look like a request for an ordinary image. A similar technique was used in the ImageID family of sniffers. In addition, the technique of using a 1 by 1 pixel image is used in many legitimate online analytics scripts, which can also mislead the user.
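The exfiltration described above (form fields concatenated, base64 encoded and sent as a query parameter of a fake image or script request) can be hunted for in proxy or web-server logs. The following is an added example, not code from the report: it parses constructed log lines, base64-decodes long query parameters and flags those that decode to text containing a Luhn-valid card number. The log format, host names and the sample record are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit


def luhn_ok(digits: str) -> bool:
    """Luhn check: filters long digit runs such as order ids or timestamps
    out of a decoded payload, since real card numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card-like digit sequences found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def decode_b64(value: str):
    """Decode standard or URL-safe base64 to UTF-8 text; None if value is neither."""
    padded = value + "=" * (-len(value) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(padded, altchars=altchars, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
    return None


def query_params(url: str) -> list:
    """Split the query string by hand: parse_qsl would turn a base64 '+' into a space."""
    pairs = []
    for part in urlsplit(url).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def analyse_request(url: str) -> list:
    """Flag query parameters that are base64 and decode to text holding a card number."""
    hits = []
    for name, value in query_params(url):
        if len(value) < 16:  # too short to carry a card record
            continue
        decoded = decode_b64(value)
        if decoded is None:
            continue
        cards = find_card_numbers(decoded)
        if cards:
            hits.append({"param": name, "decoded": decoded, "cards": cards})
    return hits


def scan_log(log_text: str) -> list:
    """Run analyse_request over 'METHOD URL STATUS' lines; return (url, hits) per alert."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        hits = analyse_request(fields[1])
        if hits:
            alerts.append((fields[1], hits))
    return alerts


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample record in the shape the report describes (joined form fields);
# 4111 1111 1111 1111 is the well-known test card number, not a real card.
EXFIL_RECORD = "number=4111111111111111&cvv=123&exp=12/24&name=J. Doe"

# Constructed log lines, not real traffic: a normal image, a checkout page, a 1x1
# "image" request carrying the encoded record, a benign base64 state parameter and
# an analytics beacon whose long parameter is not base64 at all.
SAMPLE_LOG = "\n".join([
    "GET https://shop.example/static/logo.png 200",
    "GET https://shop.example/checkout/onepage/ 200",
    f"GET https://cdn.example.invalid/img/pixel.gif?i={quote(_b64(EXFIL_RECORD))} 200",
    f"GET https://shop.example/api/session?state={quote(_b64('return_to=/cart'))} 200",
    "GET https://analytics.example/collect?v=1&cid=1283183910.1527732071 200",
])

if __name__ == "__main__":
    for url, hits in scan_log(SAMPLE_LOG):
        print("ALERT", url)
        for h in hits:
            print("  param", h["param"], "->", h["cards"])
```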
Version analysis
Analysis of the active domains used by the ReactGet sniffer operators revealed many different versions of this family of sniffers. The versions differ in the presence or absence of obfuscation, and in addition each sniffer is designed for a specific payment system that processes bank card payments for online stores. After iterating over the value of the parameter corresponding to the version number, Group-IB specialists obtained a full list of available sniffer variations, and from the names of the form fields that each sniffer looks for in the page code they identified the payment systems that the sniffer targets.
Password sniffer
One of the advantages of JavaScript sniffers running on the client side of a site is their versatility: malicious code embedded in a site can steal any kind of data, whether payment data or the login and password of a user account. Group-IB specialists discovered a sample of a sniffer belonging to the ReactGet family that was designed to steal the email addresses and passwords of site users.
Overlap with the ImageID sniffer
During the analysis of one of the infected stores, it was found that its site had been infected twice: in addition to the malicious code of the ReactGet family sniffer, the code of an ImageID family sniffer was detected. This overlap may be evidence that the operators behind both sniffers use similar techniques to inject malicious code.
Universal sniffer
Analysis of one of the domain names associated with the ReactGet sniffer infrastructure showed that the same user had registered three other domain names. These three domains mimicked the domains of real sites and had previously been used to host sniffers. When analysing the code of three legitimate sites, a previously unknown sniffer was detected, and further analysis showed that it was an improved version of the ReactGet sniffer. All previously observed samples of this sniffer family targeted only one payment system at a time, that is, each payment system required a special version of the sniffer. However, in this case a universal version of the sniffer was discovered, capable of stealing information from forms related to 15 different payment systems and modules of e-commerce sites for online payments.
So, at the start of its work, the sniffer searched for the basic form fields containing the victim's personal data: full name, physical address, phone number.
The sniffer then searched for more than 15 different prefixes corresponding to different payment systems and online payment modules.
Next, the victim's personal data and payment information were collected together and sent to a site controlled by the attacker: in this particular case, two versions of the universal ReactGet sniffer were discovered, located on two different hacked sites. However, both versions sent the stolen data to the same hacked site, zoobashop.com.
Analysis of the prefixes that the sniffer used to search for the fields containing the victim's payment information allowed us to determine that this sniffer sample targets the following payment systems:
- Authorize.Net
- Verisign
- First Data
- USAePay
- Stripe
- PayPal
- ANZ eGate
- Braintree
- DataCash (MasterCard)
- Realex Payments
- PsiGate
- Heartland Payment Systems
What tools are used to steal payment information?
The first tool, found during the analysis of the attackers' infrastructure, is used to obfuscate the malicious scripts responsible for stealing bank cards. A bash script using the project's CLI was discovered on one of the attackers' hosts.
The second tool found is designed to generate the code responsible for loading the main sniffer. This tool generates JavaScript code that checks whether the user is on a payment page by searching the user's current address for the strings checkout, cart and so on, and, if the result is positive, loads the main sniffer code from the attackers' server. To hide the malicious activity, all strings, including the test strings for identifying the payment page as well as the link to the sniffer, are base64 encoded.
Phishing attacks
Analysis of the attackers' network infrastructure showed that the criminal group often uses phishing to gain access to the administrative panel of the target online store. The attackers register a domain that visually resembles the store's domain, and then deploy a fake Magento admin panel login form on it. If successful, the attackers gain access to the administrative panel of the Magento CMS, which gives them the ability to edit site components and deploy a sniffer to steal credit card data.
The G-Analytics family
This family of sniffers is used to steal customers' cards from online stores. The first domain name used by the group was registered in April 2016, which may indicate that the group began its activity in mid-2016.
In the current campaign, the group uses domain names that mimic real-life services, such as Google Analytics and jQuery, masking the activity of the sniffers with legitimate-looking scripts and domain names similar to legitimate ones. Sites running the Magento CMS were attacked.
How G-Analytics is embedded in the code of an online store
A distinctive feature of this family is the use of several methods of stealing users' payment data. In addition to the classic injection of JavaScript code into the client side of the site, the criminal group also used injection into the server side of the site, namely into the PHP scripts that process user-entered data. This technique is dangerous because it makes it difficult for third-party researchers to detect the malicious code. Group-IB specialists discovered a version of the sniffer embedded in the site's PHP code, using the domain dab.org as a gateway.
An early sample of the sniffer was also found that used the same domain dab.org to collect stolen data, but this version was intended for installation on the client side of the online store.
The group later changed its tactics and began to pay more attention to hiding its malicious activity and to disguise.
In early 2017, the group began using the domain jquery-js.com, masquerading as a CDN for jQuery: when visiting the attackers' site, the user is redirected to the legitimate site jquery.com.
And in mid-2018, the group adopted the domain name g-analytics.com and began disguising the sniffer's activity as the legitimate Google Analytics service.
Version analysis
During the analysis of the domains used to store the sniffer code, it was found that the site contained a large number of versions, which differ in the presence of obfuscation, as well as in the presence or absence of unreachable code added to the file to distract attention and hide the malicious code.
In total, six versions of sniffers were identified on the site jquery-js.com. These sniffers sent the stolen data to an address on the same site as the sniffer itself, hxxps://jquery-js[.]com/latest/jquery.min.js.
The domain g-analytics.com, used by the group in attacks since mid-2018, also served as storage for various sniffers. In total, 16 different versions of the sniffer were discovered. In this case, the gateway for sending stolen data was disguised as a link to a GIF image: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071
Monetization of stolen data
The criminal group monetizes the stolen data by selling cards through a specially created underground shop that provides services to carders. Analysis of the domains used by the attackers allowed us to determine that google-analytics.cm was registered by the same user as the domain xas.vc. The domain xas.vc is related to the Cardsurfs (Flysurfs) bank card shop, which gained popularity back in the days of the AlphaBay underground marketplace as a shop selling bank cards stolen with a sniffer.
When analysing the domain analytical.is, located on the same server as the domains used by the sniffers to collect stolen data, Group-IB specialists found a file containing a cookie stealer log, apparently later abandoned by its developer. One of the entries in the log contained the domain iozoz.com, which had previously been used in one of the sniffers active in 2016. Presumably, this domain was previously used by the attacker to collect cards stolen with the sniffer. The domain was registered to the email address [email protected], which was also used to register the domains cardz and xas.vc, related to the Cardsurfs carding shop.
Based on the data obtained, it can be assumed that the G-Analytics family of sniffers and the underground bank card shop Cardsurfs are run by the same people, and that the shop is used to sell bank cards stolen with the sniffer.
The Illum family
Illum is a family of sniffers used to attack online stores running the Magento CMS. In addition to injecting malicious code, the operators of this sniffer also inject full-fledged fake payment forms that send data to a gateway controlled by the attackers.
When analysing the network infrastructure used by the operators of this sniffer, a large number of malicious scripts, exploits and fake payment forms were noted, as well as a collection of malicious sniffer samples from competitors. Based on the dates of appearance of the domain names used by the group, it can be assumed that the campaign began at the end of 2016.
How Illum is embedded in the code of an online store
The first versions of the sniffer found were embedded directly into the code of the compromised site. The stolen data was sent to cdn.illum[.]pw/records.php; the gateway address was base64 encoded.
Later, a packed version of the sniffer was found that used a different gateway: records.nstatistics[.]com/records.php.
According to
Analysis of the attackers' server
Group-IB specialists found and analysed the server used by this criminal group to store tools and collect stolen data.
Among the tools found on the attackers' server were scripts and exploits for privilege escalation on Linux: for example, the Linux Privilege Escalation Check Script developed by Mike Czumak, as well as an exploit for CVE-2009-1185.
The attackers used two exploits directly to attack online stores:
Also, during the analysis of the server, various samples of sniffers and fake payment forms were found, used by the attackers to collect payment data from hacked sites. Some of the scripts found were created individually for each hacked site, while for certain CMSs and payment gateways a universal solution was used. For example, the scripts segapay_standart.js and segapay_onpage.js were designed for sites using the Sage Pay payment gateway.
The host paynow[.]tk, used as a gateway in the script Payment_forminsite.js, was found as a subjectAltName in several certificates related to the CloudFlare service. In addition, the host contained the script mage.js. Judging by the name of the script, it could have been used as part of the exploitation of CVE-2016-4010, which makes it possible to inject malicious code into the footer of a site running the Magento CMS. This script used the host request.requestnet[.]tk as a gateway, which used the same certificate as the host paynow[.]tk.
Fake payment forms
The image below shows an example of a form for entering card data. This form was used for injection into an online store and for stealing card data.
The following image shows an example of a fake PayPal payment form that the attackers used for injection into sites with this payment method.
The CoffeMokko family
The CoffeMokko family of sniffers, designed to steal bank cards from online store users, has been in use since at least May 2017. Presumably, the operators of this family of sniffers are the criminal group Group 1, described by RiskIQ specialists in 2016. Sites running CMSs such as Magento, OpenCart, WordPress, osCommerce, and Shopify were attacked.
How CoffeMokko is embedded in the code of an online store
The operators of this family create unique sniffers for each infection: the sniffer file is located in the src or js directory on the attackers' server. Embedding into the site code is done via a direct link to the sniffer.
The sniffer code hardcodes the names of the form fields from which data is to be stolen. The sniffer also checks whether the user is on the payment page by comparing a list of keywords with the user's current address.
Some discovered versions of the sniffer are obfuscated and contain an encrypted string in which the main array of resources is stored: it holds the names of the form fields for various payment systems, as well as the address of the gateway to which the stolen data is to be sent.
The stolen payment data is sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. Presumably, this script is used to forward data from the gateway to the main server, which consolidates the data from all sniffers. To hide the transmitted data, all of the victim's payment information is base64 encoded, and then several character substitutions are performed:
- tus cim "e" yog hloov nrog ":"
- lub cim "w" yog hloov nrog "+"
- tus cim "o" yog hloov nrog "%"
- tus cim "d" yog hloov nrog "#"
- tus cim "a" yog hloov nrog "-"
- lub cim "7" yog hloov nrog "^"
- tus cim "h" yog hloov nrog "_"
- lub cim "T" yog hloov nrog "@"
- tus cim "0" yog hloov los ntawm "/"
- tus cim "Y" yog hloov nrog "*"
Raws li qhov tshwm sim ntawm cov cim hloov pauv encoded siv puag 64 Cov ntaub ntawv tsis tuaj yeem txiav txim siab yam tsis ua qhov rov qab hloov dua siab tshiab.
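An analyst-side decoder for the encoding just described, added here as an example (it is not the sniffer's code): it reverses the ten substitutions and base64-decodes the result. The substitution table is not injective, since a received "+" may be a substituted "w" or a genuine base64 "+", and "/" may be a substituted "0" or a genuine "/", so the decoder enumerates both readings of each such position and keeps every candidate that decodes to printable text. The forward function exists only to build a verified test vector from a constructed record.

```python
import base64
import binascii
import itertools

# Substitutions listed in the report: character in the base64 text -> replacement.
SUBSTITUTIONS = {
    "e": ":", "w": "+", "o": "%", "d": "#", "a": "-",
    "7": "^", "h": "_", "T": "@", "0": "/", "Y": "*",
}
REVERSE = {v: k for k, v in SUBSTITUTIONS.items()}


def apply_substitution(b64_text: str) -> str:
    """Forward transform as described: swap the ten characters in base64 output.
    Character-wise replacement is equivalent to a chain of replace() calls here,
    because no replacement character is itself a later source character."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in b64_text)


def obfuscate(plaintext: str) -> str:
    """Base64 encode, then apply the substitutions (used only to build test vectors)."""
    return apply_substitution(base64.b64encode(plaintext.encode("utf-8")).decode())


def _candidates(obfuscated: str, max_branches: int = 4096):
    """Yield every possible reversal of the substitution.
    '+' and '/' are ambiguous (substituted 'w'/'0' or genuine base64 '+'/'/'),
    so each such position doubles the search space; the enumeration is capped."""
    ambiguous = [i for i, ch in enumerate(obfuscated) if ch in "+/"]
    if 2 ** len(ambiguous) > max_branches:
        raise ValueError(f"{len(ambiguous)} ambiguous positions, too many to enumerate")
    base = [REVERSE.get(ch, ch) for ch in obfuscated]
    for keep_literal in itertools.product((False, True), repeat=len(ambiguous)):
        chars = list(base)
        for flag, i in zip(keep_literal, ambiguous):
            if flag:
                chars[i] = obfuscated[i]  # keep the genuine base64 character
        yield "".join(chars)


def deobfuscate(obfuscated: str) -> list:
    """Return every candidate that reverses to valid base64 and printable UTF-8 text.
    The true plaintext is always among them; wrong readings usually fail to decode."""
    results = []
    for cand in _candidates(obfuscated):
        padded = cand + "=" * (-len(cand) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.isprintable() and text not in results:
            results.append(text)
    return results


if __name__ == "__main__":
    # Constructed record; 4111 1111 1111 1111 is the well-known test card number.
    record = "cc=4111111111111111|exp=12/24|cvv=123|name=J. Doe"
    wire = obfuscate(record)
    print("on the wire:", wire)
    print("decoded    :", deobfuscate(wire))
```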
Qhov no yog dab tsi ib feem ntawm sniffer code uas tsis tau obfuscated zoo li:
Infrastructure analysis
In early campaigns, the attackers registered domain names similar to the domains of legitimate online shopping sites. Their domain could differ from the legitimate one by a single character or by a different TLD. The registered domains were used to store the sniffer code, a link to which was embedded in the store's code.
This group also used domain names reminiscent of popular jQuery plugins (slickjs[.]org for sites using the slick.js plugin) and payment gateways (sagecdn[.]org for sites using the Sage Pay payment system).
The group later began creating domains whose names had nothing to do with the store or the store's subject matter.
Each domain corresponded to a site on which the directory /js or /src was created. The sniffer scripts were stored in this directory: one sniffer for each new infection. The sniffer was embedded in the site code via a direct link, but in rare cases the attackers modified one of the site's files and added the malicious code to it.
Code analysis
First obfuscation algorithm
In some discovered samples of sniffers of this family, the code was obfuscated and contained encrypted data needed for the sniffer to work: in particular, the address of the sniffer gateway, a list of payment form fields, and in some cases the code of a fake payment form. In the code inside the function, the resources were encrypted using XOR with a key passed as an argument to the same function.
By decrypting the string with the appropriate key, unique for each sample, one obtains a string containing all the strings from the sniffer code separated by a delimiter character.
Second obfuscation algorithm
In later samples of sniffers of this family, a different obfuscation mechanism was used: in this case, the data was encrypted using a self-written algorithm. A string containing the encrypted data needed for the sniffer to work was passed as an argument to the decryption function.
Using the browser console, the encrypted data can be decrypted to obtain an array containing the sniffer's resources.
Connection to early MageCart attacks
During the analysis of one of the domains used by the group as a gateway for collecting stolen data, it was found that this domain hosted infrastructure for credit card theft identical to that used by Group 1, one of the first groups,
Two files were found on the host of the CoffeMokko sniffer family:
- mage.js: a file containing the Group 1 sniffer code with the gateway address js-cdn.link
- mage.php: a PHP script responsible for collecting the data stolen by the sniffer
Contents of the file mage.js
It was also determined that the first domains used by the group behind the CoffeMokko family of sniffers were registered on May 17, 2017:
- link-js[.]link
- info-js[.]link
- track-js[.]link
- map-js[.]link
- smart-js[.]link
The format of these domain names matches the Group 1 domain names used in the 2016 attacks.
Based on the facts found, it can be assumed that there is a connection between the operators of the CoffeMokko sniffers and the criminal group Group 1. For example, the CoffeMokko operators could have borrowed tools and software from their predecessors for stealing cards. However, it is more likely that the criminal group behind the use of the CoffeMokko family of sniffers is the same people who carried out the Group 1 attacks. After those attacks were blocked and the group's tools had been studied in detail and described, the group was forced to take a break, refine its internal tools and rewrite the sniffer code in order to continue its attacks and remain undetected.
Source: www.hab.com