Ihe fọrọ nke nta ka ọ bụrụ onye ọ bụla n'ime anyị na-eji ọrụ nke ụlọ ahịa dị n'ịntanetị, nke pụtara na n'oge na-adịghị anya, anyị na-agba ọsọ n'ihe ize ndụ nke ịghọ onye na-agba ọsọ JavaScript sniffers - koodu pụrụ iche nke ndị na-awakpo na-agbanye n'ime ebe nrụọrụ weebụ iji zuru data kaadị akụ, adreesị, aha njirimara na okwuntughe. .
Ihe fọrọ nke nta ka ọ bụrụ ndị ọrụ 400 nke British Airways webụsaịtị na ngwa mkpanaka emetụtalarị ndị sniffers, yana ndị ọbịa na webụsaịtị FILA nnukwu egwuregwu Britain na onye na-ekesa tiketi US Ticketmaster. PayPal, Chase Paymenttech, USAePay, Moneris - ndị a na ọtụtụ usoro ịkwụ ụgwọ ndị ọzọ ebutela ọrịa.
Onye nyocha egwu Intelligence Group-IB Viktor Okorokov na-ekwu maka otu ndị sniffers si abanye koodu webụsaịtị wee zuo ozi ịkwụ ụgwọ, yana CRM ndị ha na-awakpo.
"ihe iyi egwu zoro ezo"
O mere na ruo ogologo oge JS-sniffers nọgidere n'anya ndị nyocha nje virus, na ụlọ akụ na usoro ịkwụ ụgwọ anaghị ahụ ha dị ka ihe egwu dị egwu. Na nnọọ n'efu. Ndị ọkachamara otu-IB Ụlọ ahịa dị n'ịntanetị 2440 butere ọrịa, ndị ọbịa ya - ihe dị ka nde mmadụ 1,5 kwa ụbọchị - nọ n'ihe ize ndụ nke imebi. N'ime ndị ahụ metụtara abụghị naanị ndị ọrụ, kamakwa ụlọ ahịa dị n'ịntanetị, usoro ịkwụ ụgwọ na ụlọ akụ ndị nyere kaadị ndị mebiri emebi.
Group-IB ghọrọ ọmụmụ izizi nke ahịa darknet nke sniffers, akụrụngwa ha na ụzọ ha si enweta ego, na-ewetara ndị okike ha ọtụtụ nde dollar. Anyị chọpụtara ezinụlọ 38 sniffer, nke naanị 12 n'ime ha bụ ndị nchọpụta mara na mbụ.
Ka anyị leba anya n'ụzọ zuru ezu na ezinụlọ anọ nke sniffers a mụrụ n'oge ọmụmụ ihe.
ReactGet ezinụlọ
A na-eji ndị sniffer nke ezinụlọ ReactGet zuru data kaadị akụ na saịtị ịzụ ahịa n'ịntanetị. The sniffer nwere ike na-arụ ọrụ na a ọnụ ọgụgụ buru ibu nke dị iche iche ugwo usoro eji na saịtị: otu paramita uru kwekọrọ na otu usoro ugwo, na onye achọpụtara nsụgharị nke sniffer nwere ike iji zuru nzere, nakwa dị ka izu ohi kaadị data site na ụlọ akụ. Ụdị ịkwụ ụgwọ nke ọtụtụ usoro ịkwụ ụgwọ n'otu oge, dị ka ihe a na-akpọ sniffer eluigwe na ala. Achọpụtara na n'ọnọdụ ụfọdụ, ndị na-awakpo na-ebuso ndị na-ahụ maka ụlọ ahịa dị n'ịntanetị ọgụ phishing ka ha wee banye na ngalaba nhazi saịtị ahụ.
Mgbasa ozi na-eji ezinụlọ a nke sniffers malitere na Mee 2017. A wakporo saịtị na-agba ọsọ CMS na nyiwe Magento, Bigcommerce, Shopify.
Kedu ka esi agbakwunyere ReactGet na koodu ụlọ ahịa dị n'ịntanetị
Na mgbakwunye na ntinye ederede "kpochapụwo" site na njikọ, ndị na-ahụ maka ezinụlọ ReactGet na-eji usoro pụrụ iche: na-eji koodu Javascript, ọ na-enyocha ma adreesị ugbu a ebe onye ọrụ dị na-ezute ụfọdụ njirisi. Koodu ọjọọ ahụ ga-agba naanị ma ọ bụrụ na URL dị ugbu a nwere obere eriri lelee ma ọ bụ otu nzọụkwụ lelee, otu ibe/, pụọ/onepag, nlele/otu, ckout/otu. Ya mere, a ga-egbu koodu sniffer kpọmkwem n'oge onye ọrụ na-akwụ ụgwọ maka ịzụrụ ma tinye ozi nkwụnye ụgwọ n'ime ụdị na saịtị ahụ.
Nke a sniffer na-eji usoro na-abụghị ọkọlọtọ. A na-anakọta ugwo na data nkeonwe nke onye ihe metụtara ọnụ, tinye koodu site na iji ndabere 64, na mgbe ahụ, a na-eji eriri na-esi na ya pụta dị ka parameter iji zipu arịrịọ na saịtị ọjọọ ahụ. Ọtụtụ mgbe, ụzọ nke ọnụ ụzọ ámá na-eṅomi faịlụ JavaScript, dịka ọmụmaatụ resp.js, data.js na ihe ndị ọzọ, mana a na-ejikwa njikọ faịlụ onyonyo, GIF и JPG. Ihe dị iche bụ na sniffer na-emepụta ihe oyiyi nwere nha 1 site na 1 pikselụ ma jiri njikọ enwetara na mbụ dị ka paramita. src Onyonyo. Nke ahụ bụ, maka onye ọrụ, arịrịọ dị otú ahụ na okporo ụzọ ga-adị ka arịrịọ maka foto mgbe niile. A na-eji usoro yiri nke ahụ mee ihe na ezinụlọ ImageID nke sniffers. Na mgbakwunye, a na-eji usoro onyonyo 1x1 pikselụ n'ọtụtụ edemede nyocha ịntanetị ziri ezi, nke nwekwara ike duhie onye ọrụ.
Nyocha ụdị
Nyocha nke ngalaba ndị na-arụ ọrụ nke ndị na-arụ ọrụ sniffer ReactGet na-eji kpughere ọtụtụ ụdị dị iche iche nke ezinụlọ nke sniffer a. Ụdị dị iche na ọnụnọ ma ọ bụ na-anọghị nke obfuscation, na mgbakwunye, onye ọ bụla sniffer emebere maka otu usoro ịkwụ ụgwọ nke na-ahazi ịkwụ ụgwọ kaadị akụ maka ụlọ ahịa dị n'ịntanetị. Mgbe hachara uru nke paramita kwekọrọ na nọmba mbipute ahụ, ndị ọkachamara Group-IB nwetara ndepụta zuru oke nke ụdị dị iche iche nke sniffer dị, yana site na aha ụdị mpempe akwụkwọ nke onye ọ bụla sniffer na-achọ na koodu ibe, ha kpebiri usoro ịkwụ ụgwọ. na sniffer zaa.
Ndepụta nke sniffers na usoro ịkwụ ụgwọ ha kwekọrọ
| URL Sniffer | Usoro ugwo |
|---|---|
| Onye nyere ikike.Net | |
| Nchekwa kaadị | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| eWAY ngwa ngwa | |
| Onye nyere ikike.Net | |
| Adyen | |
| USAePay | |
| Onye nyere ikike.Net | |
| USAePay | |
| Onye nyere ikike.Net | |
| Moneris | |
| USAePay | |
| PayPal | |
| SagePay | |
| Verisign | |
| PayPal | |
| straipu | |
| Realex | |
| PayPal | |
| LinkPoint | |
| PayPal | |
| PayPal | |
| ego data | |
| PayPal | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Verisign | |
| Onye nyere ikike.Net | |
| Moneris | |
| SagePay | |
| USAePay | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| ANZ eGate | |
| Onye nyere ikike.Net | |
| Moneris | |
| SagePay | |
| SagePay | |
| Chase Paymentech | |
| Onye nyere ikike.Net | |
| Adyen | |
| PsiGate | |
| Isi iyi nke Cyber | |
| ANZ eGate | |
| Realex | |
| USAePay | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| ANZ eGate | |
| PayPal | |
| PayPal | |
| Realex | |
| SagePay | |
| PayPal | |
| Verisign | |
| Onye nyere ikike.Net | |
| Verisign | |
| Onye nyere ikike.Net | |
| ANZ eGate | |
| PayPal | |
| Isi iyi nke Cyber | |
| Onye nyere ikike.Net | |
| SagePay | |
| Realex | |
| Isi iyi nke Cyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY ngwa ngwa | |
| SagePay | |
| SagePay | |
| Verisign | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Ọnụ ụzọ ámá Global Data mbụ | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Moneris | |
| Onye nyere ikike.Net | |
| PayPal | |
| Verisign | |
| USAePay | |
| USAePay | |
| Onye nyere ikike.Net | |
| Verisign | |
| PayPal | |
| Onye nyere ikike.Net | |
| straipu | |
| Onye nyere ikike.Net | |
| eWAY ngwa ngwa | |
| SagePay | |
| Onye nyere ikike.Net | |
| Braintree | |
| Braintree | |
| PayPal | |
| SagePay | |
| SagePay | |
| Onye nyere ikike.Net | |
| PayPal | |
| Onye nyere ikike.Net | |
| Verisign | |
| PayPal | |
| Onye nyere ikike.Net | |
| straipu | |
| Onye nyere ikike.Net | |
| eWAY ngwa ngwa | |
| SagePay | |
| Onye nyere ikike.Net | |
| Braintree | |
| PayPal | |
| SagePay | |
| SagePay | |
| Onye nyere ikike.Net | |
| PayPal | |
| Onye nyere ikike.Net | |
| Verisign | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| SagePay | |
| SagePay | |
| Westpac Payway | |
| akwụ ụgwọ | |
| PayPal | |
| Onye nyere ikike.Net | |
| straipu | |
| Ọnụ ụzọ ámá Global Data mbụ | |
| PsiGate | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Moneris | |
| Onye nyere ikike.Net | |
| SagePay | |
| Verisign | |
| Moneris | |
| PayPal | |
| LinkPoint | |
| Westpac Payway | |
| Onye nyere ikike.Net | |
| Moneris | |
| PayPal | |
| Adyen | |
| PayPal | |
| Onye nyere ikike.Net | |
| USAePay | |
| EBizCharge | |
| Onye nyere ikike.Net | |
| Verisign | |
| Verisign | |
| Onye nyere ikike.Net | |
| PayPal | |
| Moneris | |
| Onye nyere ikike.Net | |
| PayPal | |
| PayPal | |
| Westpac Payway | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| SagePay | |
| Verisign | |
| Onye nyere ikike.Net | |
| PayPal | |
| akwụ ụgwọ | |
| Isi iyi nke Cyber | |
| Payflow Pro | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Verisign | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| SagePay | |
| Onye nyere ikike.Net | |
| straipu | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Verisign | |
| PayPal | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| SagePay | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| PayPal | |
| ọmụ | |
| PayPal | |
| SagePay | |
| Verisign | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| straipu | |
| Zebra mara abụba | |
| SagePay | |
| Onye nyere ikike.Net | |
| Ọnụ ụzọ ámá Global Data mbụ | |
| Onye nyere ikike.Net | |
| eWAY ngwa ngwa | |
| Adyen | |
| PayPal | |
| Ọrụ QuickBooks Ndị Ahịa | |
| Verisign | |
| SagePay | |
| Verisign | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| SagePay | |
| Onye nyere ikike.Net | |
| eWAY ngwa ngwa | |
| Onye nyere ikike.Net | |
| ANZ eGate | |
| PayPal | |
| Isi iyi nke Cyber | |
| Onye nyere ikike.Net | |
| SagePay | |
| Realex | |
| Isi iyi nke Cyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY ngwa ngwa | |
| SagePay | |
| SagePay | |
| Verisign | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Ọnụ ụzọ ámá Global Data mbụ | |
| Onye nyere ikike.Net | |
| Onye nyere ikike.Net | |
| Moneris | |
| Onye nyere ikike.Net | |
| PayPal |
Okwuntughe sniffer
Otu n'ime uru Javascript sniffers na-arụ ọrụ n'akụkụ ndị ahịa nke weebụsaịtị bụ ntụgharị ya: koodu ọjọọ agbakwunyere na weebụsaịtị nwere ike izu ohi ụdị data ọ bụla, ma ọ bụ ozi ịkwụ ụgwọ ma ọ bụ nbanye na paswọọdụ sitere na akaụntụ onye ọrụ. Ndị ọkachamara otu-IB chọtara ihe nlele nke sniffer nke ezinaụlọ ReactGet, emebere iji zuo adreesị ozi-e na okwuntughe nke ndị ọrụ saịtị.
Njikọ na ImageID sniffer
N'oge nyocha nke otu n'ime ụlọ ahịa ndị butere ọrịa ahụ, achọpụtara na ebe nrụọrụ weebụ ya butere ọrịa ugboro abụọ: na mgbakwunye na koodu ọjọọ nke ReactGet ezinụlọ sniffer, a chọtara koodu nke sniffer ezinụlọ ImageID. Mkpokọta a nwere ike ịbụ ihe akaebe na ndị na-arụ ọrụ n'azụ sniffers abụọ na-eji usoro yiri nke ahụ ịgbanye koodu ọjọọ.
Ihu igwe zuru ụwa ọnụ
N'oge nyocha nke otu aha ngalaba metụtara ReactGet sniffer akụrụngwa, achọpụtara na otu onye ọrụ debanyere aha ngalaba atọ ọzọ. Ngalaba atọ ndị a ṅomiri ngalaba nke saịtị ndị dị adị ma na-ejibu anabata ndị sniffers. Mgbe a na-enyocha koodu saịtị atọ ziri ezi, achọtara sniffer amabeghị, nyocha ndị ọzọ gosiri na nke a bụ ụdị sniffer ReactGet emelitere. Ụdị ụdị ọ bụla a na-enyocha mbụ nke ezinụlọ nke ndị na-amị amị bụ n'otu usoro ịkwụ ụgwọ, ya bụ, a chọrọ ụdị pụrụ iche nke sniffer maka usoro ịkwụ ụgwọ ọ bụla. Otú ọ dị, na nke a, a chọtara nsụgharị zuru ụwa ọnụ nke sniffer, nke nwere ike izu ohi ozi sitere na ụdị ndị metụtara 15 usoro ịkwụ ụgwọ dị iche iche na modul nke saịtị ecommerce maka ịkwụ ụgwọ ịntanetị.
Ya mere, na mmalite nke ọrụ, sniffer na-achọ isi ụdị ubi nwere ozi nke onye a tara ahụhụ: aha zuru ezu, adreesị anụ ahụ, nọmba ekwentị.
Onye sniffer wee nyocha ihe karịrị 15 prefixes dị iche iche dabara na sistemụ ịkwụ ụgwọ dị iche iche yana modul maka ịkwụ ụgwọ ịntanetị.
Na-esote, achịkọtara data nke onye ahụ na ozi ịkwụ ụgwọ ma ziga ya na saịtị nke onye mwakpo ahụ na-achịkwa: n'okwu a, ahụrụ ụdị abụọ ReactGet Universal sniffer dị na saịtị abụọ dị iche iche. Agbanyeghị, ụdịdị abụọ a zigara data ezuru n'otu saịtị ahụ hacked. zoobashop.com.
Ntụle nke prefixes nke onye sniffer na-eji chọta ubi nwere ozi ịkwụ ụgwọ onye ahụ achọpụtara na nlele sniffer a lekwasịrị anya na usoro ịkwụ ụgwọ ndị a:
- Onye nyere ikike.Net
- Verisign
- Ihe mbu
- USAePay
- straipu
- PayPal
- ANZ eGate
- Braintree
- Ego data (MasterCard)
- Paymentskwụ ụgwọ Realex
- PsiGate
- Sistemụ ịkwụ ụgwọ Heartland
Kedu ngwa eji eji ezu ozi ịkwụ ụgwọ
Ngwá ọrụ mbụ achọpụtara n'oge a na-enyocha akụrụngwa nke ndị mwakpo ahụ na-eme ka ọ ghara ikpuchi script ọjọọ nke na-ezu ohi kaadị akụ. Achọtara script bash na-eji CLI ọrụ ahụ n'otu n'ime ndị ọbịa nke ndị mwakpo ahụ. iji mebie koodu sniffer obfuscation.
Emebere ngwaọrụ nke abụọ achọpụtara ka ọ wepụta koodu na-ahụ maka ịkwanye isi sniffer. Ngwá ọrụ a na-ewepụta koodu Javascript nke na-enyocha ma onye ọrụ nọ na ibe ndenye ọpụpụ site na ịchọ adreesị onye ọrụ ugbu a maka eriri. lelee, cart na ihe ndị ọzọ, ma ọ bụrụ na nsonaazụ ya dị mma, mgbe ahụ, koodu ahụ na-ebunye isi ihe na-esi na ihe nkesa onye na-eme ihe ike. Iji zoo ihe omume obi ọjọọ, ahịrị niile, gụnyere ahịrị ule maka ikpebi ibe ịkwụ ụgwọ yana njikọ nke sniffer, na-eji koodu nzuzo. ndabere 64.
Mwakpo phishing
N'oge nyocha nke akụrụngwa netwọkụ nke ndị na-awakpo ahụ, a chọpụtara na ndị omempụ na-ejikarị phishing nweta ohere nchịkwa nchịkwa nke ụlọ ahịa ịntanetị ezubere iche. Ndị mwakpo ahụ debanyere ngalaba nke dị ka ngalaba ụlọ ahịa wee wepụta fọm nbanye Magento admin adịgboroja na ya. Ọ bụrụ na ọ ga-aga nke ọma, ndị mwakpo ahụ ga-enweta ohere na panel admin Magento CMS, nke na-enye ha ikike idezi ihe mejupụtara saịtị wee mejuputa sniffer izu ohi data kaadị kredit.
Akụrụngwa
| Home | Ụbọchị nchoputa/mpụta |
|---|---|
| mediapack.info | 04.05.2017 |
| adgetapi.com | 15.06.2017 |
| simcounter.com | 14.08.2017 |
| mageanalytics.com | 22.12.2017 |
| maxstatics.com | 16.01.2018 |
| reactjsapi.com | 19.01.2018 |
| mxcounter.com | 02.02.2018 |
| apitstatus.com | 01.03.2018 |
| Orderracker.com | 20.04.2018 |
| mkpado.com | 25.06.2018 |
| adsapigate.com | 12.07.2018 |
| Trusttracker.com | 15.07.2018 |
| fbstatspartner.com | 02.10.2018 |
| billgetstatus.com | 12.10.2018 |
| www.aldenmilhouse.com | 20.10.2018 |
| balletbeautlful.com | 20.10.2018 |
| bargalnjunkie.com | 20.10.2018 |
| payselector.com | 21.10.2018 |
| mkpadomediaget.com | 02.11.2018 |
| hs-payments.com | 16.11.2018 |
| ordercheckpays.com | 19.11.2018 |
| geisseie.com | 24.11.2018 |
| gtmproc.com | 29.11.2018 |
| livegetpay.com | 18.12.2018 |
| sydneysalonsupplies.com | 18.12.2018 |
| newrelicnet.com | 19.12.2018 |
| nr-public.com | 03.01.2019 |
| cloudodesc.com | 04.01.2019 |
| ajaxstatic.com | 11.01.2019 |
| livecheckpay.com | 21.01.2019 |
| Asianfoodgracer.com | 25.01.2019 |
G-Analytics ezinụlọ
A na-eji ezinụlọ a nke sniffer zuo kaadị ndị ahịa n'ụlọ ahịa dị n'ịntanetị. Aha ngalaba mbụ ndị otu a ji edebanye aha na Eprel 2016, nke nwere ike igosi mmalite nke mmemme otu ahụ n'etiti afọ 2016.
Na mgbasa ozi ugbu a, otu ahụ na-eji aha ngalaba na-eṅomi ọrụ ndụ dị adị dị ka Google Analytics na jQuery, na-ekpuchi ọrụ sniffer na edemede ziri ezi na aha ngalaba na-ele anya. A wakporo weebụsaịtị ndị na-agba ọsọ n'okpuru CMS Magento.
Otu esi etinye G-Analytics na koodu ụlọ ahịa dị n'ịntanetị
Akụkụ pụrụ iche nke ezinụlọ a bụ iji ụzọ dị iche iche ezuo ozi ịkwụ ụgwọ onye ọrụ. Na mgbakwunye na ogbugba Javascript kpochapụrụ n'ime akụkụ ndị ahịa nke saịtị ahụ, ndị omempụ ahụ jikwa usoro ịgbanye koodu n'akụkụ sava nke saịtị ahụ, ya bụ script PHP nke na-ahazi ntinye onye ọrụ. Usoro a dị ize ndụ n'ihi na ọ na-eme ka o siere ndị nchọpụta ndị ọzọ ike ịchọpụta koodu ọjọọ. Ndị ọkachamara otu-IB chọtara ụdị nke sniffer agbakwunyere na koodu PHP nke saịtị ahụ, na-eji ngalaba ahụ dị ka ọnụ ụzọ ámá. dittm.org.
A chọpụtakwara ụdị mbụ nke onye na-enu ihe nke na-eji otu ngalaba na-anakọta data ezuru. dittm.org, mana echerela ụdị a maka ntinye n'akụkụ ndị ahịa nke ụlọ ahịa ịntanetị.
Mgbe e mesịrị, ìgwè ahụ gbanwere ụzọ ya wee malite ịṅa ntị nke ọma na ikpuchi ihe ọjọọ na ihe mkpuchi.
Na mbido 2017, otu ahụ malitere iji ngalaba ahụ jquery-js.comna-eme ka CDN maka jQuery: na-atụgharị onye ọrụ gaa na saịtị ziri ezi mgbe ọ na-aga na saịtị ọjọọ. jquery.com.
Na n'etiti 2018, otu ahụ nakweere ngalaba aha g-analytics.com wee malite igbanwe ọrụ nke sniffer dị ka ọrụ Google Analytics ziri ezi.
Nyocha ụdị
N'oge nyocha nke ngalaba ndị a na-eji echekwa koodu sniffer, a chọpụtara na saịtị ahụ nwere ọnụ ọgụgụ dị ukwuu nke nsụgharị dị iche iche na ọnụnọ nke obfuscation, yana ọnụnọ ma ọ bụ enweghị koodu enweghị ike agbakwunyere na faịlụ ahụ iji dọpụ uche uche. ma zoo koodu ọjọọ.
Total na saịtị ahụ jquery-js.com Achọpụtara ụdị isii nke sniffers. Ndị sniffer ndị a na-eziga data zuru ezu na adreesị dị n'otu saịtị dị ka sniffer n'onwe ya: hxxps://jquery-js[.]com/latest/jquery.min.js:
- hxxps://jquery-js[.]com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
ngalaba mechara g-analytics.com, nke otu a na-eji na mwakpo kemgbe etiti afọ 2018, na-eje ozi dị ka ebe nchekwa maka ndị ọzọ sniffers. Na mkpokọta, achọpụtara ụdị 16 dị iche iche nke sniffer. N'okwu a, e megharịrị ọnụ ụzọ maka izipu data ezuru dị ka njikọ na onyonyo nke usoro ahụ. GIF: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid
= 1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.]com/libs/analytics.js
Enweta ego nke data ezuru
Ndị omempụ ahụ na-enweta data zuru ezu site n'ịre kaadị site na ụlọ ahịa dị n'okpuru ebe a na-emepụta nke ọma na-enye ndị na-ede kaadị ọrụ. Nyocha nke ngalaba ndị mwakpo ahụ ji mee ihe mere ka o kwe omume ịchọpụta nke ahụ google-analytics.cm bụ otu onye ọrụ ka ngalaba ahụ debara aha ya kaadị.vc. Ngalaba kaadị.vc na-ezo aka na Cardsurfs (Flysurfs), ụlọ ahịa na-ere kaadị akụ zuru ezu, bụ nke nwetara ewu ewu n'oge ahịa ahịa AlphaBay dị n'okpuru ala dị ka ụlọ ahịa na-ere kaadị akụ zuru ohi site na iji sniffer.
Na-enyocha ngalaba nyocha.bụ, dị n'otu ihe nkesa dị ka ngalaba nke ndị na-agba ọsọ na-eji na-anakọta data zuru ezu, ndị ọkachamara Group-IB chọtara faịlụ nwere logs kuki na-ezu ohi, nke, ọ dị ka onye mmepụta ahụ gbahapụrụ ya. Otu ndenye dị na ndekọ ahụ nwere ngalaba iozoz.com, nke a na-ejibu eme ihe na otu n'ime ndị na-emepụta ihe na-arụ ọrụ na 2016. Eleghị anya, onye na-awakpo ejiribu ngalaba a na-anakọta kaadị ezuru site na iji sniffer. Edebara aha ngalaba a ka ọ bụrụ adreesị ozi-e [email protected], nke ejirikwa debanye aha ngalaba cardz.su и kaadị.vcmetụtara ụlọ ahịa kaadị Cardsurfs.
Dabere na data enwetara, enwere ike iche na ezinụlọ G-Analytics sniffer na ụlọ akụ kaadị Cardsurfs n'okpuru ala bụ ndị otu ndị na-agba ọsọ, a na-ejikwa ụlọ ahịa na-ere kaadị akụ zuru ohi site na iji sniffer.
Akụrụngwa
| Home | Ụbọchị nchoputa/mpụta |
|---|---|
| iozoz.com | 08.04.2016 |
| dittm.org | 10.09.2016 |
| jquery-js.com | 02.01.2017 |
| g-analytics.com | 31.05.2018 |
| google-analytics.is | 21.11.2018 |
| nyocha.na | 04.12.2018 |
| google-analytics.to | 06.12.2018 |
| google-analytics.cm | 28.12.2018 |
| nyocha.bụ | 28.12.2018 |
| googlelc-analytics.cm | 17.01.2019 |
Ezinụlọ Illum
Illum bụ ezinụlọ nke sniffer na-eji wakpo ụlọ ahịa dị n'ịntanetị na-agba Magento CMS. Na mgbakwunye na iwebata koodu ọjọọ, ndị na-arụ ọrụ nke sniffer a na-ejikwa ntinye nke ụdị ịkwụ ụgwọ adịgboroja zuru oke nke na-eziga data na ọnụ ụzọ ámá nke ndị na-awakpo na-achịkwa.
Mgbe ị na-enyocha akụrụngwa netwọkụ nke ndị na-arụ ọrụ nke sniffer a na-eji, ọnụ ọgụgụ buru ibu nke edemede ọjọọ, ịkpa ókè, ụdị ịkwụ ụgwọ adịgboroja, yana nchịkọta ihe atụ na ndị asọmpi sniffer obi ọjọọ. Dabere na ozi gbasara ụbọchị ngosipụta nke ngalaba aha ndị otu na-eji, enwere ike iche na mmalite nke mkpọsa ahụ dabara na njedebe nke 2016.
Otu esi etinye Illum na koodu ụlọ ahịa dị n'ịntanetị
Ụdị nke mbụ achọpụtara nke sniffer etinyere ozugbo na koodu nke saịtị ahụ mebiri emebi. E zigara ya data zuru cdn.illum[.]pw/records.php, e ji koodu mee ihe n'ọnụ ụzọ ámá ahụ ndabere 64.
Ka oge na-aga, a chọtara ụdị ngwugwu nke sniffer site na iji ọnụ ụzọ dị iche - records.nstatistics[.]com/records.php.
Dị ka Willem de Groot, a na-eji otu onye ọbịa ahụ mee ihe na sniffer nke etinyere na ya , nke otu ndọrọ ndọrọ ọchịchị Germany bụ CSU.
Nyocha saịtị ọgụ
Ndị ọkachamara otu-IB achọpụtala wee nyochaa saịtị ndị otu ndị omekome a na-eji chekwaa ngwa na ịnakọta ozi zuru ezu.
N'ime ngwaọrụ ndị achọtara na ihe nkesa onye mwakpo ahụ, a chọtara scripts na nrigbu maka mmụba ihe ùgwù na Linux OS: dịka ọmụmaatụ, Linux Privilege Escalation Check Script, nke Mike Czumak mepụtara, yana nrigbu maka CVE-2009-1185.
Ndị na-awakpo ahụ jiri ụzọ abụọ ozugbo wakporo ụlọ ahịa dị n'ịntanetị: nwere ike igbanye koodu ojoo n'ime core_config_data site na iji CVE-2016-4010, na-erigbu adịghị ike RCE na Magento CMS plugins, na-enye ohere ka e gbuo koodu aka ike na sava weebụ adịghị ike.
Ọzọkwa, n'oge nyocha nke ihe nkesa, a chọtara ihe atụ dị iche iche nke sniffers na ụdị ịkwụ ụgwọ adịgboroja, nke ndị na-awakpo na-eji na-anakọta ozi ịkwụ ụgwọ site na saịtị ndị hacked. Dị ka ị na-ahụ site na ndepụta dị n'okpuru ebe a, e mepụtara ụfọdụ scripts n'otu n'otu maka saịtị ọ bụla hacked, ebe a na-eji ngwọta zuru ụwa ọnụ maka ụfọdụ CMS na ụzọ nkwụnye ụgwọ. Dịka ọmụmaatụ, scripts segapay_standard.js и segapay_onpage.js emebere ka etinyere na saịtị site na iji ọnụ ụzọ ịkwụ ụgwọ Sage Pay.
Ndepụta nke scripts maka ụzọ ịkwụ ụgwọ dị iche iche
| Ederede | Ọnụ ụzọ ịkwụ ụgwọ |
|---|---|
| [.]pw/mjs_special/visiondirect.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/topdirenshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/tiendalenovo.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/pro-bolt.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/plae.co.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/ottolenghi.co.uk.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/oldtimecandy.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/mylook.ee.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/luluandsky.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/julep.com.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/gymcompany.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/grotekadoshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/fushi.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/faraastflora.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/compuindia.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs/segapay_standart.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/segapay_onpage.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/replace_standard.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs/all_inputs.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/add_inputs_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/magento/payment_standard.js | //cdn.illum[.]pw/records.php |
| [.]pw/magento/payment_redirect.js | // ịkwụ ụgwọ ugbu a[.]cf/? ịkwụ ụgwọ = |
| [.]pw/magento/payment_redcrypt.js | // ịkwụ ụgwọ ugbu a[.]cf/? ịkwụ ụgwọ = |
| [.]pw/magento/payment_forminsite.js | //paymentnow[.]tk/? ịkwụ ụgwọ = |
Onye ọbịa ịkwụ ụgwọ ugbu a[.]tk, eji dị ka ọnụ ụzọ ámá na edemede ịkwụ ụgwọ_forminsite.js, a chọpụtara dị ka isiokwuAltAha n'ọtụtụ asambodo metụtara ọrụ CloudFlare. Na mgbakwunye, edemede ahụ dị na onye ọbịa ọjọọ.js. Na-ekpe ikpe site na aha edemede ahụ, enwere ike iji ya dị ka akụkụ nke iji CVE-2016-4010 eme ihe, ekele maka nke a nwere ike itinye koodu ọjọọ n'ime ala nke saịtị na-agba ọsọ Magento CMS. Edemede a jiri onye ọbịa dị ka ọnụ ụzọ ámá arịrịọ.requestnet[.]tk, na-eji otu asambodo dị ka onye ọbịa ịkwụ ụgwọ ugbu a[.]tk.
Ụdị ịkwụ ụgwọ adịgboroja
Ọnụ ọgụgụ dị n'okpuru na-egosi ihe atụ nke ụdị maka itinye data kaadị. Eji fọm a banye na webụsaịtị ụlọ ahịa dị n'ịntanetị wee zuo data kaadị.
Ọnụọgụ na-esonụ bụ ọmụmaatụ nke ụdị ịkwụ ụgwọ PayPal adịgboroja nke ndị mwakpo ji usoro ịkwụ ụgwọ a banye saịtị.
Akụrụngwa
| Home | Ụbọchị nchoputa/mpụta |
|---|---|
| cdn.illum.pw | 27/11/2016 |
| records.nstatistics.com | 06/09/2018 |
| arịrịọ.payrightnow.cf | 25/05/2018 |
| ịkwụ ụgwọ ugbu a.tk | 16/07/2017 |
| ịkwụ ụgwọ-line.tk | 01/03/2018 |
| Paypal.cf | 04/09/2017 |
| arịrịọnet.tk | 28/06/2017 |
KọfịMokko ezinụlọ
Ezinụlọ CoffeMokko nke sniffers emebere izu ohi kaadị ụlọ akụ nke ndị ọrụ ụlọ ahịa ịntanetị ejirila kemgbe opekata mpe Mee 2017. Eleghị anya, otu ndị omempụ Group 1 nke ndị ọkachamara RiskIQ kọwara na 2016 bụ onye na-ahụ maka ezinụlọ a nke sniffers. A wakporo saịtị ndị na-agba CMS dị ka Magento, OpenCart, WordPress, osCommerce, Shopify.
Kedu ka esi etinye CoffeMokko na koodu ụlọ ahịa dị n'ịntanetị
Ndị na-arụ ọrụ ezinụlọ a na-emepụta sniffers pụrụ iche maka ọrịa ọ bụla: faịlụ sniffer dị na ndekọ aha. src ma ọ bụ js na sava onye mwakpo. A na-eme ntinye n'ime koodu saịtị site na njikọ kpọmkwem na sniffer.
The sniffer code hard-codes aha nke ụdị ubi nke ị chọrọ izu ohi data. Onye na-amị amị na-enyochakwa ma onye ọrụ nọ na ibe ndenye ọpụpụ site na ịlele ndepụta mkpụrụokwu megide adreesị onye ọrụ ugbu a.
Ụfọdụ nsụgharị nke sniffer achọpụtara kpuchiri ma nwee eriri ezoro ezo nke na-echekwa ọtụtụ ihe onwunwe: ọ nwere aha ụdị mpempe akwụkwọ maka usoro ịkwụ ụgwọ dị iche iche, yana adreesị nke ọnụ ụzọ ámá nke kwesịrị iziga data zuru ezu.
E zigara ozi ịkwụ ụgwọ zuru ezu na edemede dị na sava ndị mwakpo ahụ n'ụzọ. /savePayment/index.php ma ọ bụ /tr/index.php. Eleghị anya, a na-eji edemede a zipu data site na ọnụ ụzọ ámá gaa na ihe nkesa bụ isi, nke na-eme ka data sitere na sniffers niile. Iji zoo data ebutere, a na-etinye koodu ịkwụ ụgwọ niile nke onye ihe metụtara ndabere 64, na mgbe ahụ ọtụtụ ngbanwe agwa na-eme:
- ejiri ":" dochie agwa "e"
- ejiri "+" dochie akara "w"
- ejiri "%" dochie agwa "o"
- ejiri "#" dochie agwa "d"
- ejiri "-" dochie agwa "a"
- ejiri "^" dochie akara "7"
- ejiri "_" dochie agwa "h"
- ejiri "@" dochie akara "T" ahụ.
- ejiri "/" dochie agwa "0"
- ejiri "*" dochie agwa "Y"
N'ihi ngbanwe nke agwa etinyere ya ndabere 64 enweghị ike ịmegharị data na-enweghị mgbanwe mgbanwe.
Nke a bụ ka iberi koodu sniffer nke na-ekpuchibeghị isi dị ka:
Nyocha akụrụngwa
Na mkpọsa mbụ, ndị mwakpo ahụ debanyere aha ngalaba dịka nke saịtị ịzụ ahịa n'ịntanetị ziri ezi. Ngalaba ha nwere ike ịdị iche na nke ziri ezi site n'otu agwa ma ọ bụ TLD ọzọ. A na-eji ngalaba edebanyere aha iji chekwaa koodu sniffer, njikọ nke etinyere na koodu ụlọ ahịa.
Otu a jikwa aha ngalaba na-echetara plugins jQuery na-ewu ewu (slickjs[.]org maka saịtị na-eji ngwa mgbakwunye Ugochukwu), ọnụ ụzọ ịkwụ ụgwọ (sagecdn[.]org maka saịtị na-eji usoro ịkwụ ụgwọ Sage Pay).
Mgbe e mesịrị, otu ahụ malitere ịmepụta ngalaba nke aha ha na-enweghị ihe jikọrọ ya na ngalaba ụlọ ahịa ma ọ bụ isiokwu ụlọ ahịa ahụ.
Ngalaba ọ bụla kwekọrọ na saịtị nke e mepụtara ndekọ na ya /js ma ọ bụ / src. A na-echekwa scripts sniffer na ndekọ a: otu sniffer maka ọrịa ọhụrụ ọ bụla. Ewebatara sniffer na koodu saịtị site na njikọ kpọmkwem, mana n'ọnọdụ ndị na-adịghị ahụkebe, ndị mwakpo gbanwere otu faịlụ saịtị wee tinye koodu ọjọọ na ya.
Nyocha koodu
Algorithm mbụ Obfuscation
N'ime ụfọdụ ihe atụ nke sniffer nke ezinụlọ a, koodu ahụ kpuchiri ekpuchi ma nwee data ezoro ezo dị mkpa maka onye sniffer na-arụ ọrụ: karịsịa, adreesị ọnụ ụzọ sniffer, ndepụta nke ụdị ịkwụ ụgwọ, na n'ọnọdụ ụfọdụ, koodu ịkwụ ụgwọ adịgboroja. N'ime koodu dị n'ime ọrụ ahụ, ejiri ezoro ezo ihe ndị ahụ XOR site na igodo nke agafere dị ka arụmụka maka otu ọrụ ahụ.
Site na iji igodo kwekọrọ na decrypting eriri ahụ, pụrụ iche maka nlele nke ọ bụla, ị nwere ike nweta eriri nwere ahịrị niile sitere na koodu sniffer kewapụrụ site na njirimara ihe nchapụta.
Algọridim nhụsianya nke abụọ
N'ihe atụ ndị ọzọ nke ezinụlọ a nke ndị na-agba ọsọ, a na-eji usoro mgbochi dị iche iche eme ihe: na nke a, a na-ezobe data ahụ site na iji algorithm nke onwe ya. Efere eriri nwere data ezoro ezo achọrọ maka sniffer ka ọ rụọ ọrụ dị ka arụmụka maka ọrụ decryption.
Iji ihe njikwa ihe nchọgharị, ị nwere ike mebie data ezoro ezo wee nweta usoro nwere akụrụngwa sniffer.
Njikọ na mbuso agha MageCart
Na nyocha nke otu n'ime ngalaba ndị otu ahụ na-eji dị ka ọnụ ụzọ na-anakọta data zuru ezu, achọpụtara na a na-etinye akụrụngwa maka izu ohi kaadị kredit na ngalaba a, nke yiri nke Group 1, otu n'ime otu mbụ. Ndị ọkachamara RiskIQ.
Achọtara faịlụ abụọ na ndị ọbịa nke ezinụlọ CoffeMokko sniffer:
- maji.js - faịlụ nwere koodu sniffer Group 1 nwere adreesị ọnụ ụzọ js-cdn.njikọ
- mag.php - PHP script maka ịnakọta data nke sniffer zuru
Ọdịnaya nke faịlụ mage.js
E kpebikwara na ngalaba izizi ndị otu nọ n'azụ ezinụlọ CoffeMokko ji sniffer debanye aha na Mee 17, 2017:
- njikọ-js[.] njikọ
- ozi-js[.] njikọ
- track-js[.] njikọ
- map-js[.] njikọ
- smart-js[.] njikọ
Ụdị aha ngalaba ndị a bụ otu aha ngalaba 1 nke ejiri na mwakpo 2016.
Dabere na eziokwu achọpụtara, enwere ike iche na enwere njikọ n'etiti ndị na-arụ ọrụ sniffer CoffeMokko na ndị omempụ Group 1. Eleghị anya, ndị na-arụ ọrụ CoffeMokko nwere ike gbaziri ngwaọrụ na ngwanrọ zuru kaadị n'aka ndị bu ha ụzọ. Otú ọ dị, o yikarịrị ka òtù ndị omempụ na-akpata iji ezinụlọ CoffeMokko sniffers bụ otu ndị ahụ mere mwakpo ahụ dị ka akụkụ nke ọrụ Group 1. Mgbe e bipụtara akụkọ mbụ banyere ọrụ nke òtù ndị omempụ, ha niile. A gbochiri aha ngalaba, a mụọkwa ngwaọrụ ndị ahụ n'ụzọ zuru ezu ma kọwaa ya. A manyere ndị otu ahụ ka ha kwụsịtụ, dozie ngwa ha dị n'ime ma degharịa koodu sniffer iji gaa n'ihu na mwakpo ha ma nọgide na-ahụghị ya.
Akụrụngwa
| Home | Ụbọchị nchoputa/mpụta |
|---|---|
| njikọ-js.njikọ | 17.05.2017 |
| ozi-js.link | 17.05.2017 |
| track-js.link | 17.05.2017 |
| map-js.njikọ | 17.05.2017 |
| smart-js.njikọ | 17.05.2017 |
| adorebeauty.org | 03.09.2017 |
| nche-ụgwọ.su | 03.09.2017 |
| braincdn.org | 04.09.2017 |
| sagecdn.org | 04.09.2017 |
| slickjs.org | 04.09.2017 |
| oakandfort.org | 10.09.2017 |
| citywlnery.org | 15.09.2017 |
| dobell.su | 04.10.2017 |
| childrensplayclothing.org | 31.10.2017 |
| jewsondirect.com | 05.11.2017 |
| shop-rnib.org | 15.11.2017 |
| closetlondon.org | 16.11.2017 |
| misshaus.org | 28.11.2017 |
| batrị-force.org | 01.12.2017 |
| kik-vape.org | 01.12.2017 |
| greatfurnituretradingco.org | 02.12.2017 |
| etradesupply.org | 04.12.2017 |
| replacemyremote.org | 04.12.2017 |
| all-about-sneakers.org | 05.12.2017 |
| mage-checkout.org | 05.12.2017 |
| nililotan.org | 07.12.2017 |
| lamoodbighat.net | 08.12.2017 |
| walletgear.org | 10.12.2017 |
| dahlie.org | 12.12.2017 |
| davidsfootwear.org | 20.12.2017 |
| blackriverimaging.org | 23.12.2017 |
| exrpesso.org | 02.01.2018 |
| ogige.su | 09.01.2018 |
| pmtonline.com | 12.01.2018 |
| otocap.org | 15.01.2018 |
| christohperward.org | 27.01.2018 |
| kọfị.org | 31.01.2018 |
| Energycoffe.org | 31.01.2018 |
| energytea.org | 31.01.2018 |
| teacoffe.net | 31.01.2018 |
| adaptivecss.org | 01.03.2018 |
| coffemokko.com | 01.03.2018 |
| londontea.net | 01.03.2018 |
| ukcoffe.com | 01.03.2018 |
| labbe.biz | 20.03.2018 |
| batrịnart.com | 03.04.2018 |
| btosports.net | 09.04.2018 |
| chicksaddlery.net | 16.04.2018 |
| paypaypay.org | 11.05.2018 |
| ar500arnor.com | 26.05.2018 |
| ikikecdn.com | 28.05.2018 |
| slickmin.com | 28.05.2018 |
| bannerbuzz.info | 03.06.2018 |
| kandypens.net | 08.06.2018 |
| mylrendyphone.com | 15.06.2018 |
| freshchat.info | 01.07.2018 |
| 3lift.org | 02.07.2018 |
| abtasty.net | 02.07.2018 |
| mechat.info | 02.07.2018 |
| zoplm.com | 02.07.2018 |
| zapaljs.com | 02.09.2018 |
| foodandcott.com | 15.09.2018 |
| freshdepor.com | 15.09.2018 |
| swappastore.com | 15.09.2018 |
| verywellfitness.com | 15.09.2018 |
| elegrina.com | 18.11.2018 |
| majsurplus.com | 19.11.2018 |
| top5value.com | 19.11.2018 |
isi: www.habr.com