Meh kabeh kita nggunakake layanan toko online, sing tegese cepet utawa mengko kita ngalami risiko dadi korban sniffers JavaScript - kode khusus sing dileksanakake panyerang ing situs web kanggo nyolong data kertu bank, alamat, login lan sandhi pangguna. .
Meh 400 pangguna situs web lan aplikasi seluler British Airways wis kena pengaruh sniffers, uga pengunjung situs web Inggris raksasa olahraga FILA lan distributor tiket Amerika Ticketmaster. PayPal, Chase Paymenttech, USAePay, Moneris - iki lan akeh sistem pembayaran liyane sing kena infeksi.
Analis Ancaman Intelligence Group-IB Viktor Okorokov ngomong babagan carane sniffers nyusup kode situs web lan nyolong informasi pembayaran, uga CRMs sing nyerang.
"Ancaman sing didhelikake"
Kedaden sing kanggo dangu JS sniffers tetep metu saka ngarsane analis anti-virus, lan bank-bank lan sistem pembayaran ora ndeleng wong minangka ancaman serius. Lan rampung muspra. Pakar Group-IB 2440 toko online sing kena infeksi, sing pengunjung - total udakara 1,5 yuta wong saben dina - ana risiko kompromi. Antarane korban ora mung pangguna, nanging uga toko online, sistem pembayaran lan bank-bank sing ngetokake kertu kompromi.
Group-IB dadi sinau pisanan babagan pasar darknet kanggo sniffers, infrastruktur lan cara monetisasi, sing ngasilake jutaan dolar. Kita nemtokake 38 kulawarga sniffers, sing mung 12 sing sadurunge dikenal dening peneliti.
Ayo kita ngrembug kanthi rinci babagan papat kulawarga sniffer sing diteliti sajrone sinau.
ReactGet Family
Sniffers saka kulawarga ReactGet digunakake kanggo nyolong data kertu bank ing situs blanja online. Sniffer bisa nggarap akeh sistem pembayaran sing beda-beda sing digunakake ing situs kasebut: siji nilai parameter cocog karo siji sistem pembayaran, lan versi sniffer sing dideteksi individu bisa digunakake kanggo nyolong kredensial, uga kanggo nyolong data kertu bank saka pembayaran. wangun sawetara sistem pembayaran bebarengan, kaya sing disebut universal sniffer. Ditemokake yen ing sawetara kasus, panyerang nindakake serangan phishing marang pangurus toko online supaya bisa ngakses panel administratif situs kasebut.
Kampanye nggunakake kulawarga sniffers iki diwiwiti ing Mei 2017; situs sing nganggo platform CMS lan Magento, Bigcommerce, lan Shopify diserang.
Carane ReactGet dileksanakake menyang kode toko online
Saliyane implementasi "klasik" saka skrip liwat link, operator saka kulawarga sniffers ReactGet nggunakake teknik khusus: nggunakake kode JavaScript, padha mriksa apa alamat saiki ing ngendi pangguna ketemu kritéria tartamtu. Kode angkoro mung bakal dieksekusi yen substring ana ing URL saiki deloken utawa siji langkah checkout, siji kaca/, metu / siji, checkout / siji, ckout / siji. Mangkono, kode sniffer bakal dileksanakake persis ing wayahe nalika pangguna nerusake kanggo mbayar tumbas lan ngetik informasi pembayaran menyang formulir ing situs.
Sniffer iki nggunakake teknik non-standar. Pembayaran lan data pribadhi korban dikumpulake lan dikodekake nggunakake base64, banjur senar sing diasilake digunakake minangka parameter kanggo ngirim panjalukan menyang situs web penyerang. Paling asring, path menyang gapura niru file JavaScript, contone resp.js, data.js lan liya-liyane, nanging pranala menyang file gambar uga digunakake, GIF и JPG. Keanehan yaiku sniffer nggawe obyek gambar kanthi ukuran 1 x 1 piksel lan nggunakake tautan sing ditampa sadurunge minangka parameter. src Gambar. Yaiku, kanggo pangguna, panyuwunan kasebut ing lalu lintas bakal katon kaya panyuwunan kanggo gambar biasa. Teknik sing padha digunakake ing kulawarga sniffers ImageID. Kajaba iku, teknik nggunakake gambar 1 dening 1 piksel digunakake ing akeh skrip analitik online sing sah, sing uga bisa nyasarake pangguna.
Analisis versi
Analisis domain aktif sing digunakake dening operator sniffer ReactGet ngungkapake macem-macem versi saka kulawarga sniffers iki. Versi beda-beda ing ngarsane utawa ora ana obfuscation, lan ing Kajaba iku, saben sniffer dirancang kanggo sistem pembayaran tartamtu sing proses pembayaran kertu bank kanggo toko online. Sawise ngurutake nilai parameter sing cocog karo nomer versi, spesialis Group-IB nampa dhaptar lengkap variasi sniffer sing kasedhiya, lan kanthi jeneng kolom formulir sing digoleki saben sniffer ing kode kaca, dheweke ngenali sistem pembayaran. sing dituju sniffer.
Dhaptar sniffers lan sistem pembayaran sing cocog
| URL Sniffer | Sistem pambayaran |
|---|---|
| Authorize.Net | |
| Simpenan kertu | |
| Authorize.Net | |
| Authorize.Net | |
| eWAY Rapid | |
| Authorize.Net | |
| Adyen | |
| USAePay | |
| Authorize.Net | |
| USAePay | |
| Authorize.Net | |
| Moneris | |
| USAePay | |
| PayPal | |
| Sage Pay | |
| Verisign | |
| PayPal | |
| Stripe | |
| Realex | |
| PayPal | |
| LinkPoint | |
| PayPal | |
| PayPal | |
| DataCash | |
| PayPal | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Verisign | |
| Authorize.Net | |
| Moneris | |
| Sage Pay | |
| USAePay | |
| Authorize.Net | |
| Authorize.Net | |
| ANZ eGate | |
| Authorize.Net | |
| Moneris | |
| Sage Pay | |
| Sage Pay | |
| Chase Paymenttech | |
| Authorize.Net | |
| Adyen | |
| PsiGate | |
| Sumber Cyber | |
| ANZ eGate | |
| Realex | |
| USAePay | |
| Authorize.Net | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| PayPal | |
| Realex | |
| Sage Pay | |
| PayPal | |
| Verisign | |
| Authorize.Net | |
| Verisign | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| Sumber Cyber | |
| Authorize.Net | |
| Sage Pay | |
| Realex | |
| Sumber Cyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY Rapid | |
| Sage Pay | |
| Sage Pay | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| First Data Global Gateway | |
| Authorize.Net | |
| Authorize.Net | |
| Moneris | |
| Authorize.Net | |
| PayPal | |
| Verisign | |
| USAePay | |
| USAePay | |
| Authorize.Net | |
| Verisign | |
| PayPal | |
| Authorize.Net | |
| Stripe | |
| Authorize.Net | |
| eWAY Rapid | |
| Sage Pay | |
| Authorize.Net | |
| Braintree | |
| Braintree | |
| PayPal | |
| Sage Pay | |
| Sage Pay | |
| Authorize.Net | |
| PayPal | |
| Authorize.Net | |
| Verisign | |
| PayPal | |
| Authorize.Net | |
| Stripe | |
| Authorize.Net | |
| eWAY Rapid | |
| Sage Pay | |
| Authorize.Net | |
| Braintree | |
| PayPal | |
| Sage Pay | |
| Sage Pay | |
| Authorize.Net | |
| PayPal | |
| Authorize.Net | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Sage Pay | |
| Sage Pay | |
| Westpac PayWay | |
| PayFort | |
| PayPal | |
| Authorize.Net | |
| Stripe | |
| First Data Global Gateway | |
| PsiGate | |
| Authorize.Net | |
| Authorize.Net | |
| Moneris | |
| Authorize.Net | |
| Sage Pay | |
| Verisign | |
| Moneris | |
| PayPal | |
| LinkPoint | |
| Westpac PayWay | |
| Authorize.Net | |
| Moneris | |
| PayPal | |
| Adyen | |
| PayPal | |
| Authorize.Net | |
| USAePay | |
| EBizCharge | |
| Authorize.Net | |
| Verisign | |
| Verisign | |
| Authorize.Net | |
| PayPal | |
| Moneris | |
| Authorize.Net | |
| PayPal | |
| PayPal | |
| Westpac PayWay | |
| Authorize.Net | |
| Authorize.Net | |
| Sage Pay | |
| Verisign | |
| Authorize.Net | |
| PayPal | |
| PayFort | |
| Sumber Cyber | |
| PayPal Payflow Pro | |
| Authorize.Net | |
| Authorize.Net | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| Sage Pay | |
| Authorize.Net | |
| Stripe | |
| Authorize.Net | |
| Authorize.Net | |
| Verisign | |
| PayPal | |
| Authorize.Net | |
| Authorize.Net | |
| Sage Pay | |
| Authorize.Net | |
| Authorize.Net | |
| PayPal | |
| Flint | |
| PayPal | |
| Sage Pay | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| Stripe | |
| Zebra Lemu | |
| Sage Pay | |
| Authorize.Net | |
| First Data Global Gateway | |
| Authorize.Net | |
| eWAY Rapid | |
| Adyen | |
| PayPal | |
| Layanan Pedagang QuickBooks | |
| Verisign | |
| Sage Pay | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| Sage Pay | |
| Authorize.Net | |
| eWAY Rapid | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| Sumber Cyber | |
| Authorize.Net | |
| Sage Pay | |
| Realex | |
| Sumber Cyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY Rapid | |
| Sage Pay | |
| Sage Pay | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| First Data Global Gateway | |
| Authorize.Net | |
| Authorize.Net | |
| Moneris | |
| Authorize.Net | |
| PayPal |
Sandi sniffer
Salah sawijining kaluwihan sniffers JavaScript sing digunakake ing sisih klien situs web yaiku fleksibilitas: kode angkoro sing dipasang ing situs web bisa nyolong jinis data apa wae, yaiku data pembayaran utawa login lan sandhi akun pangguna. Spesialis Group-IB nemokake conto sniffer saka kulawarga ReactGet, sing dirancang kanggo nyolong alamat email lan sandhi pangguna situs.
Persimpangan karo ImageID sniffer
Sajrone analisis salah sawijining toko sing kena infeksi, ditemokake yen situs web kasebut kena infeksi kaping pindho: saliyane kode jahat saka sniffer kulawarga ReactGet, kode sniffer kulawarga ImageID dideteksi. Tumpang tindih iki bisa dadi bukti yen operator konco loro sniffers nggunakake Techniques padha kanggo inject kode angkoro.
Universal sniffer
Analisis salah sawijining jeneng domain sing ana gandhengane karo infrastruktur sniffer ReactGet nuduhake manawa pangguna sing padha wis ndhaptar telung jeneng domain liyane. Telung domain iki niru domain situs web nyata lan sadurunge digunakake kanggo dadi host sniffers. Nalika nganalisa kode saka telung situs sing sah, dideteksi sniffer sing ora dingerteni, lan analisis luwih lanjut nuduhake yen iku versi sing luwih apik saka sniffer ReactGet. Kabeh versi sadurunge ngawasi saka kulawarga sniffers iki ngarahke ing sistem pembayaran siji, sing, saben sistem pembayaran mbutuhake versi khusus saka sniffer. Nanging, ing kasus iki, versi universal sniffer ditemokake sing bisa nyolong informasi saka formulir sing ana gandhengane karo 15 sistem pembayaran lan modul situs e-commerce sing beda kanggo nggawe pembayaran online.
Dadi, ing wiwitan karya, sniffer nggolek kolom formulir dhasar sing ngemot informasi pribadhi korban: jeneng lengkap, alamat fisik, nomer telpon.
Sniffer banjur nelusuri luwih saka 15 ater-ater sing beda-beda sing cocog karo sistem pembayaran lan modul pembayaran online sing beda.
Sabanjure, data pribadhi lan informasi pembayaran korban dikumpulake lan dikirim menyang situs sing dikontrol dening panyerang: ing kasus tartamtu iki, rong versi sniffer ReactGet universal ditemokake, dumunung ing rong situs sing disusupi. Nanging, versi loro kasebut ngirim data sing dicolong menyang situs sing disusupi sing padha zoobashop.com.
Analisis prefiks sing digunakake sniffer kanggo nggoleki kolom sing ngemot informasi pembayaran korban ngidini kita nemtokake manawa sampel sniffer iki dituju ing sistem pembayaran ing ngisor iki:
- Authorize.Net
- Verisign
- Data Kapisan
- USAePay
- Stripe
- PayPal
- ANZ eGate
- Braintree
- DataCash (MasterCard)
- Pembayaran Realex
- PsiGate
- Sistem Pembayaran Heartland
Piranti apa sing digunakake kanggo nyolong informasi pembayaran?
Alat pisanan, sing ditemokake sajrone analisis infrastruktur panyerang, digunakake kanggo mbingungake skrip jahat sing tanggung jawab kanggo nyolong kertu bank. Skrip bash nggunakake CLI proyek ditemokake ing salah sawijining host penyerang kanggo ngotomatisasi obfuscation kode sniffer.
Alat sing ditemokake kapindho dirancang kanggo ngasilake kode sing tanggung jawab kanggo ngemot sniffer utama. Alat iki ngasilake kode JavaScript sing mriksa manawa pangguna ana ing kaca pembayaran kanthi nggoleki alamat pangguna saiki kanggo senar. deloken, cart lan sateruse, lan yen asil positif, banjur kode mbukak sniffer utama saka server panyerang. Kanggo ndhelikake kegiatan angkoro, kabeh baris, kalebu garis tes kanggo nemtokake kaca pembayaran, uga link menyang sniffer, dienkode nggunakake base64.
Serangan phishing
Analisis infrastruktur jaringan panyerang nuduhake manawa klompok kriminal asring nggunakake phishing kanggo entuk akses menyang panel administratif toko online target. Penyerang ndhaptar domain sing katon padha karo domain toko, banjur masang formulir login panel administrasi Magento palsu. Yen sukses, panyerang bakal entuk akses menyang panel administratif Magento CMS, sing menehi kesempatan kanggo nyunting komponen situs web lan ngetrapake sniffer kanggo nyolong data kertu kredit.
Infrastruktur
| Домен | Tanggal ditemokake / katon |
|---|---|
| mediapack.info | 04.05.2017 |
| adsgetapi.com | 15.06.2017 |
| simcounter.com | 14.08.2017 |
| mageanalytics.com | 22.12.2017 |
| maxstatics.com | 16.01.2018 |
| reactjsapi.com | 19.01.2018 |
| mxcounter.com | 02.02.2018 |
| apitstatus.com | 01.03.2018 |
| orderracker.com | 20.04.2018 |
| tagtracking.com | 25.06.2018 |
| adsapigate.com | 12.07.2018 |
| trust-tracker.com | 15.07.2018 |
| fbstatspartner.com | 02.10.2018 |
| billgetstatus.com | 12.10.2018 |
| www.aldenmlilhouse.com | 20.10.2018 |
| balletbeautlful.com | 20.10.2018 |
| bargaljunkie.com | 20.10.2018 |
| payselector.com | 21.10.2018 |
| tagsmediaget.com | 02.11.2018 |
| hs-payments.com | 16.11.2018 |
| ordercheckpays.com | 19.11.2018 |
| geisseie.com | 24.11.2018 |
| gtmproc.com | 29.11.2018 |
| livegetpay.com | 18.12.2018 |
| sydneysalonsupplies.com | 18.12.2018 |
| newrelicnet.com | 19.12.2018 |
| nr-public.com | 03.01.2019 |
| cloudodesc.com | 04.01.2019 |
| ajaxstatic.com | 11.01.2019 |
| livecheckpay.com | 21.01.2019 |
| asianfoodgracer.com | 25.01.2019 |
Kulawarga G-Analytics
Kulawarga sniffers iki digunakake kanggo nyolong kertu pelanggan saka toko online. Jeneng domain pisanan sing digunakake dening grup kasebut didaftar ing April 2016, sing bisa uga nuduhake yen grup kasebut wiwit aktif ing pertengahan 2016.
Ing kampanye saiki, grup nggunakake jeneng domain sing niru layanan nyata, kayata Google Analytics lan jQuery, masking aktivitas sniffers karo skrip sah lan jeneng domain padha sing sah. Situs sing nganggo Magento CMS diserang.
Kepiye G-Analytics dileksanakake ing kode toko online
Fitur khas kulawarga iki yaiku nggunakake macem-macem cara kanggo nyolong informasi pembayaran pangguna. Saliyane injeksi klasik kode JavaScript menyang sisih klien situs kasebut, klompok kriminal uga nggunakake teknik injeksi kode menyang sisih server situs kasebut, yaiku skrip PHP sing ngolah data sing dilebokake pangguna. Teknik iki mbebayani amarga nggawe angel kanggo peneliti pihak katelu kanggo ndeteksi kode ala. Spesialis Group-IB nemokake versi sniffer sing dipasang ing kode PHP situs, nggunakake domain minangka gerbang. dittm.org.
Versi awal sniffer uga ditemokake sing nggunakake domain sing padha kanggo ngumpulake data sing dicolong dittm.org, nanging versi iki dimaksudaké kanggo instalasi ing sisih klien saka toko online.
Klompok kasebut banjur ngganti taktik lan luwih fokus kanggo ndhelikake kegiatan ala lan kamuflase.
Ing wiwitan taun 2017, grup kasebut wiwit nggunakake domain kasebut jquery-js.com, masquerading minangka CDN kanggo jQuery: nalika arep menyang situs penyerang, pangguna dialihake menyang situs sing sah jquery.com.
Lan ing pertengahan 2018, grup kasebut nggunakake jeneng domain g-analytics.com lan wiwit nyamarake aktivitas sniffer minangka layanan Google Analytics sing sah.
Analisis versi
Sajrone analisis domain sing digunakake kanggo nyimpen kode sniffer, ditemokake yen situs kasebut ngemot akeh versi, sing beda-beda ing ngarsane obfuscation, uga ana utawa ora ana kode sing ora bisa digayuh sing ditambahake menyang file kanggo ngganggu perhatian. lan ndhelikake kode angkoro.
Total ing situs iki jquery-js.com Enem versi sniffers diidentifikasi. Sniffers iki ngirim data sing dicolong menyang alamat sing ana ing situs web sing padha karo sniffer kasebut: hxxps://jquery-js[.]com/latest/jquery.min.js:
- hxxps://jquery-js[.]com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
domain mengko g-analytics.com, digunakake dening grup ing serangan wiwit pertengahan 2018, serves minangka gudang kanggo sniffers liyane. Secara total, 16 versi sniffer sing beda ditemokake. Ing kasus iki, gerbang kanggo ngirim data sing dicolong disamarake minangka link menyang format gambar GIF: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid
= 1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.]com/libs/analytics.js
Monetisasi data sing dicolong
Klompok kriminal monetizes data sing dicolong kanthi adol kertu liwat toko lemah sing digawe khusus sing nyedhiyakake layanan kanggo tukang kartu. Analisis domain sing digunakake dening panyerang ngidini kita nemtokake manawa google-analytics.cm didaftar dening pangguna sing padha karo domain kasebut cardz.vc. Domain cardz.vc nuduhake toko sade kertu bank dicolong Cardsurfs (Flysurfs), kang gained popularitas bali ing dina saka kegiatan saka platform dagang lemah AlphaBay minangka toko sade kertu bank dicolong nggunakake sniffer a.
Nganalisis domain analitik.is, dumunung ing server sing padha karo domain sing digunakake dening sniffers kanggo ngumpulake data sing dicolong, spesialis Group-IB nemokake file sing ngemot log cookie stealer, sing katon mengko ditinggalake dening pangembang. Salah sawijining entri ing log ngemot domain iozoz.com, sing sadurunge digunakake ing salah sawijining sniffers aktif ing 2016. Mesthine, domain iki sadurunge digunakake dening panyerang kanggo ngumpulake kertu sing dicolong nggunakake sniffer. Domain iki didaftar menyang alamat email [email dilindhungi], sing uga digunakake kanggo ndhaftar domain cardz.su и cardz.vc, related kanggo nyimpen carding Cardsurfs.
Adhedhasar data sing dipikolehi, bisa dianggep yen kulawarga G-Analytics sniffers lan toko lemah sing adol kertu bank Cardsurfs dikelola dening wong sing padha, lan toko digunakake kanggo ngedol kertu bank sing dicolong nggunakake sniffer.
Infrastruktur
| Домен | Tanggal ditemokake / katon |
|---|---|
| iozoz.com | 08.04.2016 |
| dittm.org | 10.09.2016 |
| jquery-js.com | 02.01.2017 |
| g-analytics.com | 31.05.2018 |
| google-analytics.is | 21.11.2018 |
| analitik.kanggo | 04.12.2018 |
| google-analytics.to | 06.12.2018 |
| google-analytics.cm | 28.12.2018 |
| analitik.is | 28.12.2018 |
| googlc-analytics.cm | 17.01.2019 |
kulawarga Illum
Illum minangka kulawarga sniffer sing digunakake kanggo nyerang toko online sing nganggo Magento CMS. Saliyane ngenalake kode jahat, operator sniffer iki uga nggunakake introduksi formulir pembayaran palsu lengkap sing ngirim data menyang gerbang sing dikontrol dening penyerang.
Nalika nganalisa infrastruktur jaringan sing digunakake dening operator sniffer iki, akeh skrip jahat, eksploitasi, formulir pembayaran palsu, uga koleksi conto karo sniffers angkoro saka saingan. Adhedhasar informasi babagan tanggal tampilan jeneng domain sing digunakake dening grup kasebut, bisa dianggep yen kampanye kasebut diwiwiti ing pungkasan taun 2016.
Carane Illum dileksanakake menyang kode toko online
Versi pisanan saka sniffer sing ditemokake ditempelake langsung menyang kode situs sing dikompromi. Data sing dicolong dikirim menyang cdn.illum[.]pw/records.php, gapura iki dienkode nggunakake base64.
Mengko, versi paket sniffer ditemokake sing nggunakake gerbang sing beda - records.nstatistics[.]com/records.php.
Miturut Willem de Groot, inang padha digunakake ing sniffer, kang dipun ginakaken ing , diduweni dening partai politik Jerman CSU.
Analisis situs web penyerang
Spesialis Group-IB nemokake lan nganalisa situs web sing digunakake dening klompok kriminal iki kanggo nyimpen alat lan ngumpulake informasi sing dicolong.
Antarane alat sing ditemokake ing server penyerang yaiku skrip lan eksploitasi kanggo nambah hak istimewa ing OS Linux: contone, Linux Privilege Escalation Check Script sing dikembangake dening Mike Czumak, uga eksploitasi kanggo CVE-2009-1185.
Penyerang nggunakake rong eksploitasi langsung kanggo nyerang toko online: saged nyuntikaken kode angkoro menyang inti_config_data kanthi eksploitasi CVE-2016-4010, ngeksploitasi kerentanan RCE ing plugins kanggo CMS Magento, ngidini kode sewenang-wenang bisa dieksekusi ing server web sing rawan.
Uga, sajrone analisis server, macem-macem conto sniffers lan formulir pembayaran palsu ditemokake, digunakake dening panyerang kanggo ngumpulake informasi pembayaran saka situs sing disusupi. Minangka sampeyan bisa ndeleng saka dhaptar ing ngisor iki, sawetara skrip digawe kanthi individu kanggo saben situs sing disusupi, dene solusi universal digunakake kanggo CMS lan gateway pembayaran tartamtu. Contone, skrip segapay_standart.js и segapay_onpage.js dirancang kanggo implementasine ing situs nggunakake gateway pembayaran Sage Pay.
Dhaptar skrip kanggo macem-macem gateway pembayaran
| Skripsi | Payment gateway |
|---|---|
| [.]pw/mjs_special/visiondirect.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/topdierenshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/tiendalenovo.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/pro-bolt.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/plae.co.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/ottolenghi.co.uk.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/oldtimecandy.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/mylook.ee.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/luluandsky.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/julep.com.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/gymcompany.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/grotekadoshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/fushi.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/fareastflora.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/compuindia.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs/segapay_standart.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/segapay_onpage.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/replace_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs/all_inputs.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/add_inputs_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/magento/payment_standart.js | //cdn.illum[.]pw/records.php |
| [.]pw/magento/payment_redirect.js | //payrightnow[.]cf/?payment= |
| [.]pw/magento/payment_redcrypt.js | //payrightnow[.]cf/?payment= |
| [.]pw/magento/payment_forminsite.js | //paymentnow[.]tk/?payment= |
Host pembayaran saiki[.]tk, digunakake minangka gapura ing script payment_forminsite.js, ditemokaké minangka subyekAltName ing sawetara sertifikat sing ana gandhengane karo layanan CloudFlare. Kajaba iku, host ngemot naskah ala.js. Ditilik kanthi jeneng skrip, bisa digunakake minangka bagean saka eksploitasi CVE-2016-4010, amarga bisa nyuntikake kode jahat menyang footer situs sing nganggo CMS Magento. Tuan rumah nggunakake skrip iki minangka gerbang request.requestnet[.]tknggunakake sertifikat sing padha karo host pembayaran saiki[.]tk.
Formulir pembayaran palsu
Gambar ing ngisor iki nuduhake conto formulir kanggo ngetik data kertu. Formulir iki digunakake kanggo nyusup toko online lan nyolong data kertu.
Tokoh ing ngisor iki nuduhake conto formulir pembayaran PayPal palsu sing digunakake dening panyerang kanggo nyusup situs kanthi cara pembayaran iki.
Infrastruktur
| Домен | Tanggal ditemokake / katon |
|---|---|
| cdn.illum.pw | 27/11/2016 |
| records.nstatistics.com | 06/09/2018 |
| request.payrightnow.cf | 25/05/2018 |
| paymentnow.tk | 16/07/2017 |
| pembayaran-line.tk | 01/03/2018 |
| paymentpal.cf | 04/09/2017 |
| requestnet.tk | 28/06/2017 |
CoffeeMokko kulawarga
Kulawarga sniffers CoffeMokko, dirancang kanggo nyolong kertu bank saka pangguna toko online, wis digunakake wiwit paling ora Mei 2017. Mesthine, operator kulawarga sniffer iki yaiku klompok kriminal Grup 1, sing diterangake dening spesialis RiskIQ ing 2016. Situs sing nganggo CMS kayata Magento, OpenCart, WordPress, osCommerce, lan Shopify diserang.
Carane CoffeMokko dileksanakake menyang kode toko online
Operator saka kulawarga iki nggawe sniffers unik kanggo saben infèksi: file sniffer dumunung ing direktori src utawa js ing server penyerang. Penggabungan menyang kode situs ditindakake liwat link langsung menyang sniffer.
Kode sniffer hardcode jeneng kolom formulir saka data sing kudu dicolong. Sniffer uga mriksa manawa pangguna ana ing kaca pambayaran kanthi mriksa dhaptar tembung kunci kanthi alamat pangguna saiki.
Sawetara versi sniffer sing ditemokake diblokir lan ngemot senar sing dienkripsi ing ngendi sumber daya utama disimpen: ngemot jeneng kolom formulir kanggo macem-macem sistem pembayaran, uga alamat gerbang sing ngirim data sing dicolong.
Informasi pembayaran sing dicolong dikirim menyang skrip ing server penyerang ing dalan /savePayment/index.php utawa /tr/index.php. Mesthine, skrip iki digunakake kanggo ngirim data saka gerbang menyang server utama, sing nggabungake data saka kabeh sniffers. Kanggo ndhelikake data sing dikirim, kabeh informasi pembayaran saka korban dienkripsi nggunakake base64, lan banjur ana sawetara substitusi karakter:
- aksara "e" diganti karo ":"
- simbol "w" diganti karo "+"
- aksara "o" diganti karo "%"
- aksara "d" diganti karo "#"
- aksara "a" diganti karo "-"
- simbol "7" diganti karo "^"
- aksara "h" diganti karo "_"
- simbol "T" diganti karo "@"
- karakter "0" diganti karo "/"
- karakter "Y" diganti karo "*"
Minangka asil substitusi karakter dienkode nggunakake base64 Data ora bisa decoded tanpa nindakake konversi mbalikke.
Iki minangka fragmen kode sniffer sing durung diobong:
Analisis Infrastruktur
Ing kampanye awal, penyerang ndhaptar jeneng domain sing padha karo situs belanja online sing sah. Domain kasebut bisa beda karo simbol siji-siji sing sah utawa TLD liyane. Domain kadhaptar digunakake kanggo nyimpen kode sniffer, link sing ditempelake ing kode toko.
Grup iki uga nggunakake jeneng domain kaya plugin jQuery populer (slickjs[.]org kanggo situs nggunakake plugin lunyu.js), gateway pembayaran (sagecdn[.]org kanggo situs nggunakake sistem pembayaran Sage Pay).
Banjur, grup kasebut wiwit nggawe domain sing jenenge ora ana hubungane karo domain toko utawa tema toko.
Saben domain cocog karo situs sing direktori digawe /js utawa / src. Skrip sniffer disimpen ing direktori iki: siji sniffer kanggo saben infèksi anyar. Sniffer kasebut diselehake ing kode situs web liwat tautan langsung, nanging ing kasus sing jarang, panyerang ngowahi salah sawijining file situs web lan nambah kode jahat.
Analisis Kode
Algoritma obfuscation pisanan
Ing sawetara conto sing ditemokake saka sniffers saka kulawarga iki, kode kasebut dibuwang lan ngemot data sing dienkripsi sing perlu kanggo sniffer bisa digunakake: utamane, alamat gerbang sniffer, dhaptar kolom formulir pembayaran, lan ing sawetara kasus, kode palsu. wangun pembayaran. Ing kode nang fungsi kasebut, sumber daya dienkripsi nggunakake XOR dening tombol sing diterusake minangka argumen kanggo fungsi sing padha.
Kanthi decrypting senar karo tombol cocok, unik kanggo saben sampel, sampeyan bisa njaluk senar ngemot kabeh strings saka kode sniffer dipisahake dening karakter separator.
Algoritma obfuscation kapindho
Ing conto mengko saka sniffers kulawarga iki, mekanisme obfuscation beda digunakake: ing kasus iki, data dienkripsi nggunakake algoritma poto-ditulis. Senar sing ngemot data sing dienkripsi sing perlu kanggo sniffer bisa digunakake minangka argumen kanggo fungsi dekripsi.
Nggunakake konsol browser, sampeyan bisa dekripsi data sing dienkripsi lan entuk array sing ngemot sumber daya sniffer.
Sambungan menyang serangan MageCart awal
Sajrone analisis salah sawijining domain sing digunakake dening grup minangka gateway kanggo ngumpulake data sing dicolong, ditemokake yen domain iki dadi tuan rumah infrastruktur kanggo nyolong kertu kredit, padha karo sing digunakake dening Grup 1, salah siji saka klompok pisanan, dening spesialis RiskIQ.
Rong file ditemokake ing host saka kulawarga sniffers CoffeMokko:
- mage.js - file sing ngemot kode sniffer Grup 1 kanthi alamat gerbang js-cdn.link
- mag.php — Skrip PHP sing tanggung jawab kanggo ngumpulake data sing dicolong dening sniffer
Isi file mage.js
Uga ditemtokake manawa domain paling wiwitan sing digunakake dening grup ing mburi kulawarga sniffers CoffeMokko didaftar ing 17 Mei 2017:
- link-js[.]link
- info-js[.]link
- track-js[.]link
- map-js[.]link
- smart-js[.]link
Format jeneng domain kasebut cocog karo jeneng domain Grup 1 sing digunakake ing serangan 2016.
Adhedhasar kasunyatan sing ditemokake, bisa dianggep ana hubungane antarane operator sniffers CoffeMokko lan klompok kriminal Grup 1. Mesthine, operator CoffeMokko bisa nyilih piranti lan piranti lunak saka para leluhur kanggo nyolong kertu. Nanging, luwih akeh manawa klompok kriminal sing nggunakake kulawarga sniffers CoffeMokko yaiku wong sing padha sing nindakake serangan Grup 1. Sawise publikasi laporan pisanan babagan aktivitas klompok kriminal kasebut, kabeh jeneng domain kasebut padha. diblokir lan piranti kasebut disinaoni kanthi rinci lan dijlentrehake. Klompok kasebut dipeksa ngaso, nyempurnakake alat internal lan nulis maneh kode sniffer supaya bisa nerusake serangan lan tetep ora dideteksi.
Infrastruktur
| Домен | Tanggal ditemokake / katon |
|---|---|
| link-js.link | 17.05.2017 |
| info-js.link | 17.05.2017 |
| track-js.link | 17.05.2017 |
| map-js.link | 17.05.2017 |
| pinter-js.link | 17.05.2017 |
| adorebeauty.org | 03.09.2017 |
| keamanan-pembayaran.su | 03.09.2017 |
| braincdn.org | 04.09.2017 |
| sagecdn.org | 04.09.2017 |
| slickjs.org | 04.09.2017 |
| oakandfort.org | 10.09.2017 |
| citywlnery.org | 15.09.2017 |
| dobell.su | 04.10.2017 |
| childrensplayclothing.org | 31.10.2017 |
| jewsondirect.com | 05.11.2017 |
| shop-rnib.org | 15.11.2017 |
| closetlondon.org | 16.11.2017 |
| misshaus.org | 28.11.2017 |
| baterei-force.org | 01.12.2017 |
| kik-vape.org | 01.12.2017 |
| greatfurnituretradingco.org | 02.12.2017 |
| etradesupply.org | 04.12.2017 |
| replacemyremote.org | 04.12.2017 |
| all-about-sneakers.org | 05.12.2017 |
| mage-checkout.org | 05.12.2017 |
| nililotan.org | 07.12.2017 |
| lamoodbighat.net | 08.12.2017 |
| walletgear.org | 10.12.2017 |
| dahlie.org | 12.12.2017 |
| davidsfootwear.org | 20.12.2017 |
| blackriverimaging.org | 23.12.2017 |
| exrpesso.org | 02.01.2018 |
| taman.su | 09.01.2018 |
| pmtonline.su | 12.01.2018 |
| otocap.org | 15.01.2018 |
| christohperward.org | 27.01.2018 |
| coffeetea.org | 31.01.2018 |
| energycoffe.org | 31.01.2018 |
| energytea.org | 31.01.2018 |
| teacoffe.net | 31.01.2018 |
| adaptivecss.org | 01.03.2018 |
| coffeemokko.com | 01.03.2018 |
| londontea.net | 01.03.2018 |
| ukcoffe.com | 01.03.2018 |
| labbe.biz | 20.03.2018 |
| batterynart.com | 03.04.2018 |
| btosports.net | 09.04.2018 |
| chicksaddlery.net | 16.04.2018 |
| shoulderpay.org | 11.05.2018 |
| ar500arnor.com | 26.05.2018 |
| authorizecdn.com | 28.05.2018 |
| slickmin.com | 28.05.2018 |
| bannerbuzz.info | 03.06.2018 |
| kandypens.net | 08.06.2018 |
| mylrendyphone.com | 15.06.2018 |
| freshchat.info | 01.07.2018 |
| 3lift.org | 02.07.2018 |
| abtasty.net | 02.07.2018 |
| mechat.info | 02.07.2018 |
| zoplm.com | 02.07.2018 |
| zapaljs.com | 02.09.2018 |
| foodandcot.com | 15.09.2018 |
| freshdepor.com | 15.09.2018 |
| swapastore.com | 15.09.2018 |
| verywellfitnesse.com | 15.09.2018 |
| elegrina.com | 18.11.2018 |
| majsurplus.com | 19.11.2018 |
| top5value.com | 19.11.2018 |
Source: www.habr.com