Four JavaScript sniffers that lie in wait for you in online stores

Almost all of us use online shopping services, which means that sooner or later we risk becoming victims of JavaScript sniffers: special code that attackers inject into a website to steal users' bank card data, addresses, logins and passwords.

Nearly 400,000 users of the British Airways website and mobile app have already been affected by a sniffer, as have visitors to the UK website of the sporting giant FILA and to the American ticket distributor Ticketmaster. PayPal, Chase Paymenttech, USAePay, Moneris: these and many other payment systems were affected.

Viktor Okorokov, an analyst with the Group-IB Threat Intelligence team, explains how sniffers are injected into website code and steal payment data, and which CMSs they attack.

"Hidden threat"

It so happened that for a long time JS sniffers stayed out of the field of view of antivirus analysts, and banks and payment systems did not regard them as a serious threat. And completely in vain. Group-IB specialists analyzed 2,440 infected online stores whose visitors, about 1.5 million people a day in total, were at risk of compromise. The victims are not only the users, but also the online stores, the payment systems and the banks that issued the compromised cards.

The Group-IB report became the first study of the darknet market for sniffers, their infrastructure and their monetization methods, which bring their creators millions of dollars. We identified 38 sniffer families, of which only 12 were previously known to researchers.

Let us take a closer look at the four sniffer families studied during the research.

ReactGet family

Sniffers of the ReactGet family are used to steal bank card data on online shopping sites. The sniffer can work with a large number of different payment systems used on a site: one parameter value corresponds to one payment system, and individual detected versions of the sniffer can be used to steal credentials as well as to steal bank card data from the payment forms of several payment systems at once, like the so-called universal sniffer. It was found that in some cases the attackers carry out phishing attacks on the administrators of online stores in order to gain access to the site's administrative panel.

The campaign using this sniffer family began in May 2017; sites running the Magento, Bigcommerce and Shopify CMS platforms were attacked.

How ReactGet is embedded into the code of an online store

In addition to the "classic" injection of a script via a link, the operators of the ReactGet family use a special technique: with JavaScript code they check whether the user's current address matches certain criteria. The malicious code is executed only if the current URL contains the substring checkout or onestepcheckout, onepage/, out/onepag, checkout/one, ckout/one. Thus the sniffer code is executed exactly when the user proceeds to pay for the purchase and enters payment information into the form on the site.

This sniffer uses a non-standard technique. The victim's payment and personal data are collected together and encoded using base64, and the resulting string is then used as a parameter for sending a request to the attackers' website. Most often the path to the gate imitates a JavaScript file, for example resp.js, data.js and so on, but links to image files, GIF and JPG, are also used. The peculiarity of the sniffer is that it creates an image object 1 by 1 pixel in size and uses the previously obtained link as its src parameter. That is, for the user such a request in the traffic will look like a request for an ordinary image. A similar technique was used in the ImageID sniffer family. Moreover, the 1-by-1-pixel image technique is used in many legitimate online analytics scripts, which can also mislead the user.
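The exfiltration pattern just described, a base64 blob carried in the query string of a request that looks like a script or image fetch, is something a defender can hunt for in proxy or web-server logs. The following is an added example, not code from the article or from Group-IB: it walks constructed log lines (the domains shop.example.test and static.gate.invalid are placeholders), decodes any query parameter that looks like base64, and flags the request if the decoded text contains a Luhn-valid card number. The card number in the sample is the well-known Visa test PAN, not a real one.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of the kind of form data a sniffer bundles before encoding it.
# 4111111111111111 is the standard Visa test PAN, not a real card.
_STOLEN_FORM = "number=4111111111111111&exp=12/25&cvv=123&holder=Jane+Doe"
_ENCODED = base64.b64encode(_STOLEN_FORM.encode()).decode()

# Constructed proxy log lines in the form "<method> <url> <referer>". Domains are placeholders.
SAMPLE_LOG = [
    "GET https://shop.example.test/skin/frontend/logo.png https://shop.example.test/",
    f"GET https://static.gate.invalid/resp.js?data={_ENCODED} https://shop.example.test/checkout/onepage/",
    f"GET https://static.gate.invalid/pixel.gif?id={_ENCODED} https://shop.example.test/checkout/onepage/",
    "GET https://www.google-analytics.com/__utm.gif?v=1&t=pageview https://shop.example.test/",
]

BASE64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
DIGITS_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_candidate(value: str):
    """Return the decoded text if value looks like base64 (standard or URL-safe), else None."""
    if not BASE64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    decoder = base64.urlsafe_b64decode if set("-_") & set(value) else base64.b64decode
    try:
        return decoder(padded).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_pans(text: str):
    """Digit runs of card-number length that pass the Luhn check."""
    return [m for m in DIGITS_RE.findall(text) if luhn_ok(m)]


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in any alert you store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines):
    """Flag requests whose query parameters decode to text containing a Luhn-valid PAN."""
    hits = []
    for line in lines:
        _method, url, referer = line.split(" ", 2)
        parts = urlsplit(url)
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl turns a raw "+" into a space; raw base64 in a URL relies on "+",
            # so restore it before attempting to decode.
            decoded = decode_candidate(value.replace(" ", "+"))
            if decoded is None:
                continue
            pans = find_pans(decoded)
            if pans:
                hits.append({"host": parts.hostname, "path": parts.path, "param": key,
                             "pans": [mask(p) for p in pans], "referer": referer})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The image request and the script request are caught by the same rule because the detector keys on the parameter content rather than the file extension; the legitimate analytics beacon on the last line is ignored because its parameters are short and decode to nothing card-like. In production you would feed the function real access logs and pair a hit with the referer, which tells you which checkout page the sniffer was injected into.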

Version analysis

Analysis of the domains used by the ReactGet sniffer operators revealed a large number of different versions of this sniffer family. The versions differ in the presence or absence of obfuscation, and in addition each sniffer is designed for a specific payment system that processes bank card payments for online stores. By iterating over the parameter value corresponding to the version number, Group-IB specialists obtained a complete list of available variations, and from the names of the form fields that each sniffer searches for in the page code they determined which payment system the sniffer targets.

List of sniffers and their corresponding payment systems

| Sniffer URL | Payment system |
|---|---|
| reactjsapi.com/react.js | Authorize.Net |
| ajaxstatic.com/api.js?v=2.1.1 | Cardsave |
| ajaxstatic.com/api.js?v=2.1.2 | Authorize.Net |
| ajaxstatic.com/api.js?v=2.1.3 | Authorize.Net |
| ajaxstatic.com/api.js?v=2.1.4 | eWAY Rapid |
| ajaxstatic.com/api.js?v=2.1.5 | Authorize.Net |
| ajaxstatic.com/api.js?v=2.1.6 | Adyen |
| ajaxstatic.com/api.js?v=2.1.7 | USAePay |
| ajaxstatic.com/api.js?v=2.1.9 | Authorize.Net |
| apitstatus.com/api.js?v=2.1.1 | USAePay |
| apitstatus.com/api.js?v=2.1.2 | Authorize.Net |
| apitstatus.com/api.js?v=2.1.3 | Moneris |
| apitstatus.com/api.js?v=2.1.5 | USAePay |
| apitstatus.com/api.js?v=2.1.6 | PayPal |
| apitstatus.com/api.js?v=2.1.7 | SagePay |
| apitstatus.com/api.js?v=2.1.8 | Verisign |
| apitstatus.com/api.js?v=2.1.9 | PayPal |
| apitstatus.com/api.js?v=2.3.0 | Stripe |
| apitstatus.com/api.js?v=3.0.2 | Realex |
| apitstatus.com/api.js?v=3.0.3 | PayPal |
| apitstatus.com/api.js?v=3.0.4 | LinkPoint |
| apitstatus.com/api.js?v=3.0.5 | PayPal |
| apitstatus.com/api.js?v=3.0.7 | PayPal |
| apitstatus.com/api.js?v=3.0.8 | DataCash |
| apitstatus.com/api.js?v=3.0.9 | PayPal |
| asianfoodgracer.com/footer.js | Authorize.Net |
| billgetstatus.com/api.js?v=1.2 | Authorize.Net |
| billgetstatus.com/api.js?v=1.3 | Authorize.Net |
| billgetstatus.com/api.js?v=1.4 | Authorize.Net |
| billgetstatus.com/api.js?v=1.5 | Verisign |
| billgetstatus.com/api.js?v=1.6 | Authorize.Net |
| billgetstatus.com/api.js?v=1.7 | Moneris |
| billgetstatus.com/api.js?v=1.8 | SagePay |
| billgetstatus.com/api.js?v=2.0 | USAePay |
| billgetstatus.com/react.js | Authorize.Net |
| cloudodesc.com/gtm.js?v=1.2 | Authorize.Net |
| cloudodesc.com/gtm.js?v=1.3 | ANZ eGate |
| cloudodesc.com/gtm.js?v=2.3 | Authorize.Net |
| cloudodesc.com/gtm.js?v=2.4 | Moneris |
| cloudodesc.com/gtm.js?v=2.6 | SagePay |
| cloudodesc.com/gtm.js?v=2.7 | SagePay |
| cloudodesc.com/gtm.js?v=2.8 | Chase Paymenttech |
| cloudodesc.com/gtm.js?v=2.9 | Authorize.Net |
| cloudodesc.com/gtm.js?v=2.91 | Adyen |
| cloudodesc.com/gtm.js?v=2.92 | PsiGate |
| cloudodesc.com/gtm.js?v=2.93 | CyberSource |
| cloudodesc.com/gtm.js?v=2.95 | ANZ eGate |
| cloudodesc.com/gtm.js?v=2.97 | Realex |
| geisseie.com/gs.js | USAePay |
| gtmproc.com/age.js | Authorize.Net |
| gtmproc.com/gtm.js?v=1.2 | Authorize.Net |
| gtmproc.com/gtm.js?v=1.3 | ANZ eGate |
| gtmproc.com/gtm.js?v=1.5 | PayPal |
| gtmproc.com/gtm.js?v=1.6 | PayPal |
| gtmproc.com/gtm.js?v=1.7 | Realex |
| livecheckpay.com/api.js?v=2.0 | SagePay |
| livecheckpay.com/api.js?v=2.1 | PayPal |
| livecheckpay.com/api.js?v=2.2 | Verisign |
| livecheckpay.com/api.js?v=2.3 | Authorize.Net |
| livecheckpay.com/api.js?v=2.4 | Verisign |
| livecheckpay.com/react.js | Authorize.Net |
| livegetpay.com/pay.js?v=2.1.2 | ANZ eGate |
| livegetpay.com/pay.js?v=2.1.3 | PayPal |
| livegetpay.com/pay.js?v=2.1.5 | CyberSource |
| livegetpay.com/pay.js?v=2.1.7 | Authorize.Net |
| livegetpay.com/pay.js?v=2.1.8 | SagePay |
| livegetpay.com/pay.js?v=2.1.9 | Realex |
| livegetpay.com/pay.js?v=2.2.0 | CyberSource |
| livegetpay.com/pay.js?v=2.2.1 | PayPal |
| livegetpay.com/pay.js?v=2.2.2 | PayPal |
| livegetpay.com/pay.js?v=2.2.3 | PayPal |
| livegetpay.com/pay.js?v=2.2.4 | Verisign |
| livegetpay.com/pay.js?v=2.2.5 | eWAY Rapid |
| livegetpay.com/pay.js?v=2.2.7 | SagePay |
| livegetpay.com/pay.js?v=2.2.8 | SagePay |
| livegetpay.com/pay.js?v=2.2.9 | Verisign |
| livegetpay.com/pay.js?v=2.3.0 | Authorize.Net |
| livegetpay.com/pay.js?v=2.3.1 | Authorize.Net |
| livegetpay.com/pay.js?v=2.3.2 | First Data Global Gateway |
| livegetpay.com/pay.js?v=2.3.3 | Authorize.Net |
| livegetpay.com/pay.js?v=2.3.4 | Authorize.Net |
| livegetpay.com/pay.js?v=2.3.5 | Moneris |
| livegetpay.com/pay.js?v=2.3.6 | Authorize.Net |
| livegetpay.com/pay.js?v=2.3.8 | PayPal |
| livegetpay.com/pay.js?v=2.4.0 | Verisign |
| maxstatics.com/site.js | USAePay |
| mediapack.info/track.js?d=funlove.com | USAePay |
| mediapack.info/track.js?d=qbedding.com | Authorize.Net |
| mediapack.info/track.js?d=vseyewear.com | Verisign |
| mxcounter.com/c.js?v=1.2 | PayPal |
| mxcounter.com/c.js?v=1.3 | Authorize.Net |
| mxcounter.com/c.js?v=1.4 | Stripe |
| mxcounter.com/c.js?v=1.6 | Authorize.Net |
| mxcounter.com/c.js?v=1.7 | eWAY Rapid |
| mxcounter.com/c.js?v=1.8 | SagePay |
| mxcounter.com/c.js?v=2.0 | Authorize.Net |
| mxcounter.com/c.js?v=2.1 | Braintree |
| mxcounter.com/c.js?v=2.10 | Braintree |
| mxcounter.com/c.js?v=2.2 | PayPal |
| mxcounter.com/c.js?v=2.3 | SagePay |
| mxcounter.com/c.js?v=2.31 | SagePay |
| mxcounter.com/c.js?v=2.32 | Authorize.Net |
| mxcounter.com/c.js?v=2.33 | PayPal |
| mxcounter.com/c.js?v=2.34 | Authorize.Net |
| mxcounter.com/c.js?v=2.35 | Verisign |
| mxcounter.com/click.js?v=1.2 | PayPal |
| mxcounter.com/click.js?v=1.3 | Authorize.Net |
| mxcounter.com/click.js?v=1.4 | Stripe |
| mxcounter.com/click.js?v=1.6 | Authorize.Net |
| mxcounter.com/click.js?v=1.7 | eWAY Rapid |
| mxcounter.com/click.js?v=1.8 | SagePay |
| mxcounter.com/click.js?v=2.0 | Authorize.Net |
| mxcounter.com/click.js?v=2.1 | Braintree |
| mxcounter.com/click.js?v=2.2 | PayPal |
| mxcounter.com/click.js?v=2.3 | SagePay |
| mxcounter.com/click.js?v=2.31 | SagePay |
| mxcounter.com/click.js?v=2.32 | Authorize.Net |
| mxcounter.com/click.js?v=2.33 | PayPal |
| mxcounter.com/click.js?v=2.34 | Authorize.Net |
| mxcounter.com/click.js?v=2.35 | Verisign |
| mxcounter.com/cnt.js | Authorize.Net |
| mxcounter.com/j.js | Authorize.Net |
| newrelicnet.com/api.js?v=1.2 | Authorize.Net |
| newrelicnet.com/api.js?v=1.4 | Authorize.Net |
| newrelicnet.com/api.js?v=1.8 | SagePay |
| newrelicnet.com/api.js?v=4.5 | SagePay |
| newrelicnet.com/api.js?v=4.6 | Westpac PayWay |
| nr-public.com/api.js?v=2.0 | PayFort |
| nr-public.com/api.js?v=2.1 | PayPal |
| nr-public.com/api.js?v=2.2 | Authorize.Net |
| nr-public.com/api.js?v=2.3 | Stripe |
| nr-public.com/api.js?v=2.4 | First Data Global Gateway |
| nr-public.com/api.js?v=2.5 | PsiGate |
| nr-public.com/api.js?v=2.6 | Authorize.Net |
| nr-public.com/api.js?v=2.7 | Authorize.Net |
| nr-public.com/api.js?v=2.8 | Moneris |
| nr-public.com/api.js?v=2.9 | Authorize.Net |
| nr-public.com/api.js?v=3.1 | SagePay |
| nr-public.com/api.js?v=3.2 | Verisign |
| nr-public.com/api.js?v=3.3 | Moneris |
| nr-public.com/api.js?v=3.5 | PayPal |
| nr-public.com/api.js?v=3.6 | LinkPoint |
| nr-public.com/api.js?v=3.7 | Westpac PayWay |
| nr-public.com/api.js?v=3.8 | Authorize.Net |
| nr-public.com/api.js?v=4.0 | Moneris |
| nr-public.com/api.js?v=4.0.2 | PayPal |
| nr-public.com/api.js?v=4.0.3 | Adyen |
| nr-public.com/api.js?v=4.0.4 | PayPal |
| nr-public.com/api.js?v=4.0.5 | Authorize.Net |
| nr-public.com/api.js?v=4.0.6 | USAePay |
| nr-public.com/api.js?v=4.0.7 | EBizCharge |
| nr-public.com/api.js?v=4.0.8 | Authorize.Net |
| nr-public.com/api.js?v=4.0.9 | Verisign |
| nr-public.com/api.js?v=4.1.2 | Verisign |
| ordercheckpays.com/api.js?v=2.11 | Authorize.Net |
| ordercheckpays.com/api.js?v=2.12 | PayPal |
| ordercheckpays.com/api.js?v=2.13 | Moneris |
| ordercheckpays.com/api.js?v=2.14 | Authorize.Net |
| ordercheckpays.com/api.js?v=2.15 | PayPal |
| ordercheckpays.com/api.js?v=2.16 | PayPal |
| ordercheckpays.com/api.js?v=2.17 | Westpac PayWay |
| ordercheckpays.com/api.js?v=2.18 | Authorize.Net |
| ordercheckpays.com/api.js?v=2.19 | Authorize.Net |
| ordercheckpays.com/api.js?v=2.21 | SagePay |
| ordercheckpays.com/api.js?v=2.22 | Verisign |
| ordercheckpays.com/api.js?v=2.23 | Authorize.Net |
| ordercheckpays.com/api.js?v=2.24 | PayPal |
| ordercheckpays.com/api.js?v=2.25 | PayFort |
| ordercheckpays.com/api.js?v=2.29 | CyberSource |
| ordercheckpays.com/api.js?v=2.4 | PayPal Payflow Pro |
| ordercheckpays.com/api.js?v=2.7 | Authorize.Net |
| ordercheckpays.com/api.js?v=2.8 | Authorize.Net |
| ordercheckpays.com/api.js?v=2.9 | Verisign |
| ordercheckpays.com/api.js?v=3.1 | Authorize.Net |
| ordercheckpays.com/api.js?v=3.2 | Authorize.Net |
| ordercheckpays.com/api.js?v=3.3 | SagePay |
| ordercheckpays.com/api.js?v=3.4 | Authorize.Net |
| ordercheckpays.com/api.js?v=3.5 | Stripe |
| ordercheckpays.com/api.js?v=3.6 | Authorize.Net |
| ordercheckpays.com/api.js?v=3.7 | Authorize.Net |
| ordercheckpays.com/api.js?v=3.8 | Verisign |
| ordercheckpays.com/api.js?v=3.9 | PayPal |
| ordercheckpays.com/api.js?v=4.0 | Authorize.Net |
| ordercheckpays.com/api.js?v=4.1 | Authorize.Net |
| ordercheckpays.com/api.js?v=4.2 | SagePay |
| ordercheckpays.com/api.js?v=4.3 | Authorize.Net |
| reactjsapi.com/api.js?v=0.1.0 | Authorize.Net |
| reactjsapi.com/api.js?v=0.1.1 | PayPal |
| reactjsapi.com/api.js?v=4.1.2 | Flint |
| reactjsapi.com/api.js?v=4.1.4 | PayPal |
| reactjsapi.com/api.js?v=4.1.5 | SagePay |
| reactjsapi.com/api.js?v=4.1.51 | Verisign |
| reactjsapi.com/api.js?v=4.1.6 | Authorize.Net |
| reactjsapi.com/api.js?v=4.1.7 | Authorize.Net |
| reactjsapi.com/api.js?v=4.1.8 | Stripe |
| reactjsapi.com/api.js?v=4.1.9 | Fat Zebra |
| reactjsapi.com/api.js?v=4.2.0 | SagePay |
| reactjsapi.com/api.js?v=4.2.1 | Authorize.Net |
| reactjsapi.com/api.js?v=4.2.2 | First Data Global Gateway |
| reactjsapi.com/api.js?v=4.2.3 | Authorize.Net |
| reactjsapi.com/api.js?v=4.2.4 | eWAY Rapid |
| reactjsapi.com/api.js?v=4.2.5 | Adyen |
| reactjsapi.com/api.js?v=4.2.7 | PayPal |
| reactjsapi.com/api.js?v=4.2.8 | QuickBooks Merchant Services |
| reactjsapi.com/api.js?v=4.2.9 | Verisign |
| reactjsapi.com/api.js?v=4.2.91 | SagePay |
| reactjsapi.com/api.js?v=4.2.92 | Verisign |
| reactjsapi.com/api.js?v=4.2.94 | Authorize.Net |
| reactjsapi.com/api.js?v=4.3.97 | Authorize.Net |
| reactjsapi.com/api.js?v=4.5 | SagePay |
| reactjsapi.com/react.js | Authorize.Net |
| sydneysalonsupplies.com/gtm.js | eWAY Rapid |
| tagsmediaget.com/react.js | Authorize.Net |
| tagtracking.com/tag.js?v=2.1.2 | ANZ eGate |
| tagtracking.com/tag.js?v=2.1.3 | PayPal |
| tagtracking.com/tag.js?v=2.1.5 | CyberSource |
| tagtracking.com/tag.js?v=2.1.7 | Authorize.Net |
| tagtracking.com/tag.js?v=2.1.8 | SagePay |
| tagtracking.com/tag.js?v=2.1.9 | Realex |
| tagtracking.com/tag.js?v=2.2.0 | CyberSource |
| tagtracking.com/tag.js?v=2.2.1 | PayPal |
| tagtracking.com/tag.js?v=2.2.2 | PayPal |
| tagtracking.com/tag.js?v=2.2.3 | PayPal |
| tagtracking.com/tag.js?v=2.2.4 | Verisign |
| tagtracking.com/tag.js?v=2.2.5 | eWAY Rapid |
| tagtracking.com/tag.js?v=2.2.7 | SagePay |
| tagtracking.com/tag.js?v=2.2.8 | SagePay |
| tagtracking.com/tag.js?v=2.2.9 | Verisign |
| tagtracking.com/tag.js?v=2.3.0 | Authorize.Net |
| tagtracking.com/tag.js?v=2.3.1 | Authorize.Net |
| tagtracking.com/tag.js?v=2.3.2 | First Data Global Gateway |
| tagtracking.com/tag.js?v=2.3.3 | Authorize.Net |
| tagtracking.com/tag.js?v=2.3.4 | Authorize.Net |
| tagtracking.com/tag.js?v=2.3.5 | Moneris |
| tagtracking.com/tag.js?v=2.3.6 | Authorize.Net |
| tagtracking.com/tag.js?v=2.3.8 | PayPal |

Password sniffer

One of the advantages of JavaScript sniffers operating on the client side of a website is their versatility: malicious code embedded in a website can steal any type of data, whether payment data or the login and password of a user account. Group-IB specialists found a sample of a ReactGet-family sniffer designed to steal the email addresses and passwords of site users.

Connection with the ImageID sniffer

During the analysis of one of the infected stores, it was found that its website had been infected twice: in addition to the malicious code of the ReactGet-family sniffer, the code of an ImageID-family sniffer was detected. This overlap may be evidence that the operators behind both sniffers use similar techniques for injecting malicious code.

Universal sniffer

Analysis of one of the domain names associated with the ReactGet sniffer infrastructure revealed that the same user had registered three other domain names. These three domains imitated the domains of real websites and had previously been used to host sniffers. When the code of three legitimate sites was analyzed, a previously unknown sniffer was discovered, and further analysis showed that it is an improved version of the ReactGet sniffer. All previously observed versions of this sniffer family targeted a single payment system, that is, each payment system required a special version of the sniffer. In this case, however, a universal version of the sniffer was discovered, capable of stealing information from forms belonging to 15 different payment systems and e-commerce site modules for making online payments.

So, at the start of its work the sniffer looked for the basic form fields containing the victim's personal information: full name, physical address, phone number.

Then the sniffer searched for more than 15 different prefixes corresponding to various payment systems and online payment modules.

Next, the victim's personal data and payment information were collected together and sent to a site controlled by the attacker: in this particular case, two versions of the universal ReactGet sniffer were found, located on two different hacked sites. However, both versions sent the stolen data to the same hacked site, zoobashop.com.

Analysis of the prefixes the sniffer used to search for the fields containing the victim's payment information allowed us to determine that this sniffer sample targeted the following payment systems:

  • Authorize.Net
  • Verisign
  • First Data
  • USAePay
  • Stripe
  • PayPal
  • ANZ eGate
  • Braintree
  • DataCash (MasterCard)
  • Realex Payments
  • PsiGate
  • Heartland Payment Systems

What tools are used to steal payment data?

The first tool, found during analysis of the attackers' infrastructure, is used to obfuscate the malicious scripts responsible for stealing bank cards. A bash script was found that uses the CLI of the javascript-obfuscator project to automate the obfuscation of the sniffer code.

The second tool found is designed to generate the code responsible for loading the main sniffer. This tool generates JavaScript code that checks whether the user is on the payment page by searching the current address for the strings checkout, cart and so on, and if the result is positive, the code loads the main sniffer from the attackers' server. To hide the malicious activity, all strings, including the test strings used to identify the payment page as well as the link to the sniffer, are encoded using base64.

Phishing attacks

Analysis of the attackers' network infrastructure revealed that the criminal group often uses phishing to gain access to the administrative panel of an online store. The attackers register a domain visually similar to the store's domain and then deploy a fake Magento administration panel login form on it. If successful, the attackers gain access to the administrative panel of the Magento CMS, which gives them the ability to edit site components and deploy a sniffer to steal credit card data.

Assets

| Domain name | Date of discovery/appearance |
|---|---|
| mediapack.info | 04.05.2017 |
| adsgetapi.com | 15.06.2017 |
| simcounter.com | 14.08.2017 |
| mageanalytics.com | 22.12.2017 |
| maxstatics.com | 16.01.2018 |
| reactjsapi.com | 19.01.2018 |
| mxcounter.com | 02.02.2018 |
| apitstatus.com | 01.03.2018 |
| orderracker.com | 20.04.2018 |
| tagtracking.com | 25.06.2018 |
| adsapigate.com | 12.07.2018 |
| trust-tracker.com | 15.07.2018 |
| fbstatspartner.com | 02.10.2018 |
| billgetstatus.com | 12.10.2018 |
| www.aldenmlilhouse.com | 20.10.2018 |
| balletbeautlful.com | 20.10.2018 |
| bargaljunkie.com | 20.10.2018 |
| payselector.com | 21.10.2018 |
| tagsmediaget.com | 02.11.2018 |
| hs-payments.com | 16.11.2018 |
| ordercheckpays.com | 19.11.2018 |
| geisseie.com | 24.11.2018 |
| gtmproc.com | 29.11.2018 |
| livegetpay.com | 18.12.2018 |
| sydneysalonsupplies.com | 18.12.2018 |
| newrelicnet.com | 19.12.2018 |
| nr-public.com | 03.01.2019 |
| cloudodesc.com | 04.01.2019 |
| ajaxstatic.com | 11.01.2019 |
| livecheckpay.com | 21.01.2019 |
| asianfoodgracer.com | 25.01.2019 |

G-Analytics family

This sniffer family is used to steal customers' cards from online stores. The first domain name used by the group was registered in April 2016, which may indicate that the group's activity began in mid-2016.

In the current campaign the group uses domain names that imitate real services, such as Google Analytics and jQuery, masking the sniffer's activity with legitimate scripts and domain names similar to legitimate ones. Sites running the Magento CMS were attacked.

How G-Analytics is embedded into the code of an online store

A distinctive feature of this family is the use of various methods of stealing users' payment data. In addition to the classic injection of JavaScript code into the client side of the site, the criminal group also used the technique of injecting code on the server side of the site, namely into the PHP scripts that process the data entered by users. This technique is dangerous because it makes it harder for third-party researchers to detect the malicious code. Group-IB specialists found a version of the sniffer embedded in the site's PHP code, using the domain dittm.org as the gate.

An early version of the sniffer was also found that uses the same domain, dittm.org, to collect stolen data, but this version is intended for installation on the client side of the online store.

Later the group changed its tactics and began to focus more on hiding the malicious activity and on disguise.

In early 2017 the group began using the domain jquery-js.com, disguised as a CDN for jQuery: when visiting the attackers' site, the user is redirected to the legitimate site jquery.com.

And in mid-2018 the group adopted the domain name g-analytics.com and began disguising the sniffer's activity as the legitimate Google Analytics service.

Version analysis

During analysis of the domains used to store the sniffer code, it was found that the site hosts a large number of versions, differing in the presence of obfuscation and in the presence or absence of unreachable code added to the file to divert attention and hide the malicious code.

In total, six versions of the sniffer were identified on the site jquery-js.com. These sniffers send the stolen data to an address located on the same site as the sniffer itself, hxxps://jquery-js[.]com/latest/jquery.min.js:

  • hxxps://jquery-js[.]com/jquery.min.js
  • hxxps://jquery-js[.]com/jquery.2.2.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.8.3.min.js
  • hxxps://jquery-js[.]com/jquery.1.6.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.4.4.min.js
  • hxxps://jquery-js[.]com/jquery.1.12.4.min.js

Later the domain g-analytics.com, used by the group in attacks since mid-2018, serves as a storage for a large number of sniffers. In total, 16 different versions of the sniffer were found. In this case the gate for sending stolen data was disguised as a link to a GIF image, hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071:

  • hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
  • hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
  • hxxps://g-analytics[.]com/libs/analytics.js

Monetization of stolen data

The criminal group monetizes the stolen data by selling the cards through a specially created underground store that provides services to carders. Analysis of the domains used by the attackers allowed us to determine that the domain google-analytics.cm was registered by the same user as the domain cardz.vc. The domain cardz.vc refers to the store Cardsurfs (Flysurfs), which sells stolen bank cards and gained popularity back in the days of the AlphaBay underground marketplace as a store selling bank cards stolen using a sniffer.

Analyzing the domain analytical.is, located on the same server as the domains the sniffers use to collect stolen data, Group-IB specialists found a file containing cookie-stealer logs, apparently abandoned later by its developer. One of the entries in the log contained the domain iozoz.com, which had previously been used in one of the sniffers active in 2016. Presumably, this domain was earlier used by the attacker to collect cards stolen with a sniffer. This domain was registered to the email address [email protected], which was also used to register the domains cardz.su and cardz.vc, associated with the Cardsurfs store.

Based on the data obtained, it can be assumed that the G-Analytics sniffer family and the underground store Cardsurfs selling bank cards are run by the same people, and that the store is used to sell the bank cards stolen with the sniffer.

Assets

| Domain name | Date of discovery/appearance |
|---|---|
| iozoz.com | 08.04.2016 |
| dittm.org | 10.09.2016 |
| jquery-js.com | 02.01.2017 |
| g-analytics.com | 31.05.2018 |
| google-analytics.is | 21.11.2018 |
| analytic.to | 04.12.2018 |
| google-analytics.to | 06.12.2018 |
| google-analytics.cm | 28.12.2018 |
| analytical.is | 28.12.2018 |
| googlc-analytics.cm | 17.01.2019 |

Illum family

Illum is a sniffer family used to attack online stores running the Magento CMS. In addition to injecting malicious code, the operators of this sniffer also inject fully-fledged fake payment forms that send data to gates controlled by the attackers.

When analyzing the network infrastructure used by the operators of this sniffer, a large number of malicious scripts, exploits and fake payment forms was noted, as well as a collection of samples of malicious sniffers from competitors. Based on information about the dates of appearance of the domain names used by the group, it can be assumed that the campaign began at the end of 2016.

How Illum is embedded into the code of an online store

The first versions of the sniffer found were embedded directly into the code of the compromised site. The stolen data was sent to cdn.illum[.]pw/records.php, the gate being encoded using base64.

Later a packed version of the sniffer was found that uses a different gate, records.nstatistics[.]com/records.php.

According to reports by Willem de Groot, the same host was used in the sniffer that was deployed on the online store website owned by the German political party CSU.

Analysis of the attackers' server

Group-IB specialists discovered and analyzed a server used by this criminal group to store tools and collect stolen information.

Among the tools found on the attackers' server were scripts and exploits for privilege escalation on Linux: for example, the Linux Privilege Escalation Check Script developed by Mike Czumak, as well as an exploit for CVE-2009-1185.

The attackers used two exploits to attack online stores: the first is capable of injecting malicious code into core_config_data by exploiting CVE-2016-4010, the second exploits an RCE vulnerability in plugins for the Magento CMS, allowing arbitrary code to be executed on a vulnerable web server.

In addition, during the analysis of the server, various samples of sniffers and fake payment forms were found, used by the attackers to collect payment data from hacked sites. As can be seen from the list below, some scripts were created individually for each hacked site, while for certain CMSs and payment gateways a universal solution was used. For example, the scripts segapay_standart.js and segapay_onpage.js are intended for deployment on sites using the Sage Pay payment gateway.

List of scripts for various payment methods

| Script | Payment gate |
|---|---|
| sr.illum[.]pw/mjs_special/visiondirect.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| sr.illum[.]pw/mjs_special/topdierenshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| sr.illum[.]pw/mjs_special/tiendalenovo.es.js | //request.payrightnow[.]cf/alldata.php |
| sr.illum[.]pw/mjs_special/pro-bolt.com.js | //request.payrightnow[.]cf/alldata.php |
| sr.illum[.]pw/mjs_special/plae.co.js | //request.payrightnow[.]cf/alldata.php |
| sr.illum[.]pw/mjs_special/ottolenghi.co.uk.js | //request.payrightnow[.]cf/alldata.php |
| sr.illum[.]pw/mjs_special/oldtimecandy.com.js | //request.payrightnow[.]cf/checkpayment.php |
| sr.illum[.]pw/mjs_special/mylook.ee.js | //cdn.illum[.]pw/records.php |
| sr.illum[.]pw/mjs_special/luluandsky.com.js | //request.payrightnow[.]cf/checkpayment.php |
| sr.illum[.]pw/mjs_special/julep.com.js | //cdn.illum[.]pw/records.php |
| sr.illum[.]pw/mjs_special/gymcompany.es.js | //request.payrightnow[.]cf/alldata.php |
| sr.illum[.]pw/mjs_special/grotekadoshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| sr.illum[.]pw/mjs_special/fushi.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| sr.illum[.]pw/mjs_special/fareastflora.com.js | //request.payrightnow[.]cf/checkpayment.php |
| sr.illum[.]pw/mjs_special/compuindia.com.js | //request.payrightnow[.]cf/alldata.php |
| sr.illum[.]pw/mjs/segapay_standart.js | //cdn.illum[.]pw/records.php |
| sr.illum[.]pw/mjs/segapay_onpage.js | //cdn.illum[.]pw/records.php |
| sr.illum[.]pw/mjs/replace_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| sr.illum[.]pw/mjs/all_inputs.js | //cdn.illum[.]pw/records.php |
| sr.illum[.]pw/mjs/add_inputs_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| sr.illum[.]pw/magento/payment_standart.js | //cdn.illum[.]pw/records.php |
| sr.illum[.]pw/magento/payment_redirect.js | //payrightnow[.]cf/?payment= |
| sr.illum[.]pw/magento/payment_redcrypt.js | //payrightnow[.]cf/?payment= |
| sr.illum[.]pw/magento/payment_forminsite.js | //paymentnow[.]tk/?payment= |

The host paymentnow[.]tk, used as the gateway in the payment_forminsite.js script, was found as the subjectAltName in several certificates associated with the CloudFlare service. In addition, the host contained a script named evil.js. Judging by its name, it could be used as part of the exploitation of CVE-2016-4010, which makes it possible to inject malicious code into the footer of a site running the Magento CMS. This script used the host request.requestnet[.]tk as its gateway, and that host used the same certificate as paymentnow[.]tk.

Fake payment form

The screenshot below shows an example of a form for entering card data. This form was injected into an online store and used to steal card data.

The screenshot below shows an example of a fake PayPal payment form that the attackers used to infect sites offering this payment method.
Assets

Domain name    Date found/appeared
cdn.illum.pw 27/11/2016
records.nstatistics.com 06/09/2018
request.payrightnow.cf 25/05/2018
paymentnow.tk 16/07/2017
payment-line.tk 01/03/2018
paymentpal.cf 04/09/2017
requestnet.tk 28/06/2017

CoffeMokko family

The CoffeMokko family of sniffers, designed to steal bank card data from customers of online stores, has been in use since at least May 2017. Presumably its operators are the criminal group Group 1, described by RiskIQ specialists in 2016. Sites running CMSs such as Magento, OpenCart, WordPress, osCommerce, and Shopify have been attacked.

How CoffeMokko is embedded in the code of an online store

The operators of this family create a unique sniffer for each infection: the sniffer file is placed in the src or js directory on the attackers' server. It is embedded in the site code via a direct link to the sniffer.

The sniffer code hard-codes the names of the form fields from which data is to be stolen. The sniffer also checks whether the user is on the payment page by matching a list of keywords against the current URL.

Some of the discovered versions of the sniffer were obfuscated and contained an encrypted string holding the main resource array: the names of form fields for various payment systems and the address of the gateway to which the stolen data should be sent.

The stolen payment data was sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. Presumably this script forwards the data from the gateway to a main server that aggregates the data from all the sniffers. To conceal the transmitted data, all of the victim's payment information is encoded with base64, after which several character substitutions are applied:

  • the character "e" is replaced with ":"
  • the character "w" is replaced with "+"
  • the character "o" is replaced with "%"
  • the character "d" is replaced with "#"
  • the character "a" is replaced with "-"
  • the character "7" is replaced with "^"
  • the character "h" is replaced with "_"
  • the character "T" is replaced with "@"
  • the character "0" is replaced with "/"
  • the character "Y" is replaced with "*"

As a result of these substitutions, the base64-encoded data cannot be decoded without first applying the reverse transformation.

This is what a fragment of the unobfuscated sniffer code looks like:


Infrastructure analysis

In early campaigns the attackers registered domain names that resembled the domains of online stores. Their domain could differ from the legitimate one by a single character or by the TLD. The registered domains were used to host the sniffer code, a link to which was embedded in the store's code.

This group also used domain names resembling those of popular jQuery plugins (slickjs[.]org for sites using the slick.js plugin) and of payment gateways (sagecdn[.]org for sites using the Sage Pay payment system).

Later the group began registering domains whose names had no relation to the store's domain or subject matter.

Each domain corresponded to a site on which a /js or /src directory was created. The sniffer scripts were stored in that directory, one sniffer for each new infection. The sniffer was embedded into the site code via a direct link, but in rare cases the attackers modified one of the site's own files and added the malicious code to it.
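The lookalike-domain pattern described above suggests a simple defender-side check: enumerate the external script sources a checkout page loads and compare their registrable domains with the store's own domain and with an allowlist of known third parties. The following is an added example written for this page, not code from the Group-IB report or from any store platform. The sample HTML, the store domain example-shop.com and the allowlist are constructed; the two-label "registrable domain" rule is a simplification (a public-suffix list is the production answer). Plugin- and gateway-lookalike hosts such as the page's slickjs[.]org are not one edit away from the store domain, so they surface only as unknown hosts against the allowlist, which is the practical reason to keep that list tight.

```javascript
// Added example for this page (not code from the Group-IB report): audit the
// <script src> references in a checkout page for lookalike or unknown hosts.

// Registrable part of a hostname, naive: the last two labels. Good enough for
// .com/.org/.link; use a public-suffix list in production.
function registrable(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Pull src attributes out of <script> tags; a regex is enough for this audit.
function scriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Resolve relative and protocol-relative URLs against a placeholder origin.
function hostOf(src) {
  try {
    return new URL(src, 'https://placeholder.invalid/').hostname;
  } catch {
    return null;
  }
}

// Classify each external script host relative to the store domain and allowlist.
function auditScripts(html, storeDomain, allowlist) {
  const store = registrable(storeDomain);
  const [storeLabel, storeTld] = store.split('.');
  const findings = [];
  for (const src of scriptSources(html)) {
    const host = hostOf(src);
    if (!host || host === 'placeholder.invalid') continue; // relative: same origin
    const reg = registrable(host);
    if (reg === store) continue; // first-party host or subdomain
    if (allowlist.includes(reg)) continue; // known third party
    const [label, tld] = reg.split('.');
    let reason = 'unknown third-party host';
    if (label === storeLabel && tld !== storeTld) reason = 'store label under a different TLD';
    else if (levenshtein(label, storeLabel) === 1) reason = 'one edit away from store domain';
    findings.push({ src, host, reason });
  }
  return findings;
}

// Constructed checkout page: one relative script, one allowlisted CDN, one
// first-party subdomain, two lookalikes of the store domain, and the page's own
// example of a plugin lookalike (slickjs.org).
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script type="text/javascript" src="//static.example-shop.com/checkout.js"></script>
<script src="https://example-shop.org/js/checkout.js"></script>
<script src='https://examp1e-shop.com/src/payment.js'></script>
<script src="https://slickjs.org/slick.min.js"></script>
`;
```

Running auditScripts(SAMPLE_HTML, 'www.example-shop.com', ['jquery.com']) flags three hosts: example-shop.org (same label, other TLD), examp1e-shop.com (one edit away) and slickjs.org (not on the allowlist). Wiring this into a periodic fetch of the live checkout page, rather than the source tree, is what catches the direct-link injection the text describes, since the injected tag exists only in the served HTML.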

Code analysis

First obfuscation algorithm

In some of the discovered samples of this family, the code was obfuscated and contained the encrypted data the sniffer needs to work: in particular, the sniffer's gateway address, a list of payment form fields and, in some cases, the code of a fake payment form. Inside the function, the resources were encrypted with XOR using a key passed as an argument to that same function.

Decrypting the string with the appropriate key, which is unique to each sample, yields a string containing all the strings from the sniffer code separated by a delimiter character.
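The analyst-side step the two paragraphs above describe, as an added example that is not code from the Group-IB write-up or from the sniffer: XOR the resource string with the per-sample key and split it on the delimiter to recover the gateway address and the form-field names. The repeating-key XOR over character codes, the hex storage of the blob, the "|" delimiter, the "gateway first" layout and the sample values are assumptions for this illustration; the page does not state them. The shape check after decryption is the useful part: a wrong key still "decrypts", so the result has to be validated rather than trusted.

```javascript
// Added example for this page (not code from the Group-IB write-up or the sniffer):
// recovering a CoffeMokko-style resource string from the first obfuscation scheme.
// Assumptions: repeating-key XOR over char codes, blob stored as hex,
// '|' as delimiter, gateway URL first and form-field names after it.

// Repeating-key XOR; XOR is symmetric, so the same routine encrypts and decrypts.
function xorWithKey(text, key) {
  let out = '';
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

function toHex(s) {
  return [...s].map((c) => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}

function fromHex(h) {
  return (h.match(/../g) || []).map((x) => String.fromCharCode(parseInt(x, 16))).join('');
}

// Decrypt and split. A wrong key produces garbage, so check the expected shape
// (a URL in the first slot, at least one field name) instead of trusting the output.
function unpackResources(hexBlob, key, delimiter = '|') {
  const parts = xorWithKey(fromHex(hexBlob), key).split(delimiter);
  if (parts.length < 2 || !/^https?:\/\/[^\s|]+$/.test(parts[0])) {
    throw new Error('decrypted blob does not look like a resource string (wrong key or delimiter?)');
  }
  return { gateway: parts[0], fields: parts.slice(1) };
}

// Constructed sample, built with the same routine because XOR is symmetric: the
// kind of blob an analyst would lift from an obfuscated sniffer, with the key
// read from the call site. Both values are made up for this example.
const SAMPLE_KEY = 'k3y';
const SAMPLE_BLOB = toHex(
  xorWithKey('https://gateway.invalid/tr/index.php|cc_number|cc_exp|cc_cvv', SAMPLE_KEY),
);

// Hand-computed fixed vector: "http://g.invalid|cc" XORed with the one-byte key "k".
const FIXED_BLOB = '031f1f1b5144440c4502051d0a07020f170808';
```

unpackResources(FIXED_BLOB, 'k') returns the gateway http://g.invalid and the single field cc; the same blob with the key 'x' throws, because the first slot no longer starts with a URL scheme. The recovered gateway host is the indicator worth feeding into proxy or DNS blocking, and the field names tell you which checkout inputs were being read.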


Second obfuscation algorithm

Later samples of this family used a different obfuscation mechanism: here the data was encrypted with a custom algorithm. A string containing the encrypted data needed for the sniffer to operate was passed as an argument to the decryption function.

Using the browser console, the encrypted data can be decrypted to obtain an array containing the sniffer's resources.


Link to early MageCart attacks

While analysing one of the domains the group used as a gateway for collecting stolen data, it was found that the same domain hosted credential-theft infrastructure identical to that used by Group 1, one of the first groups discovered by RiskIQ specialists.

Two files were found on a host of the CoffeMokko sniffer family:

  • mage.js - a file containing the Group 1 sniffer code with the gateway address js-cdn.link
  • mag.php - a PHP script responsible for collecting the data stolen by the sniffer

Inside the mage.js file:
It was also established that the earliest domains used by the group behind the CoffeMokko sniffer family were registered on May 17, 2017:

  • link-js[.]link
  • info-js[.]link
  • track-js[.]link
  • map-js[.]link
  • smart-js[.]link

The format of these domain names matches that of the Group 1 domains used in the 2016 attacks.

Based on these findings, it can be assumed that there is a connection between the operators of the CoffeMokko sniffers and the criminal group Group 1. The CoffeMokko operators may have borrowed card-stealing tools and software from their predecessors. However, it is more likely that the criminal group behind the CoffeMokko family of sniffers consists of the same people who carried out the Group 1 attacks. After the first report on that group's activity was published, all of its domain names were blocked and its tools were studied in detail and described. The group was forced to pause, refine its internal tooling and rewrite the sniffer code in order to continue its attacks while remaining undetected.

Assets

Domain name    Date found/appeared
link-js.link 17.05.2017
info-js.link 17.05.2017
track-js.link 17.05.2017
map-js.link 17.05.2017
smart-js.link 17.05.2017
adorebeauty.org 03.09.2017
saogalemu-totogi.su 03.09.2017
braincdn.org 04.09.2017
sagecdn.org 04.09.2017
slickjs.org 04.09.2017
oakandfort.org 10.09.2017
citywlnery.org 15.09.2017
dobell.su 04.10.2017
childrensplayclothing.org 31.10.2017
jewsondirect.com 05.11.2017
shop-rnib.org 15.11.2017
closetlondon.org 16.11.2017
misshaus.org 28.11.2017
battery-force.org 01.12.2017
kik-vape.org 01.12.2017
greatfurnituretradingco.org 02.12.2017
etradesupply.org 04.12.2017
replacemyremote.org 04.12.2017
all-about-sneakers.org 05.12.2017
mage-checkout.org 05.12.2017
nililotan.org 07.12.2017
lamoodbighat.net 08.12.2017
walletgear.org 10.12.2017
dahlie.org 12.12.2017
davidsfootwear.org 20.12.2017
blackriverimaging.org 23.12.2017
exrpesso.org 02.01.2018
paka.su 09.01.2018
pmtonline.su 12.01.2018
otocap.org 15.01.2018
christohperward.org 27.01.2018
coffeetea.org 31.01.2018
energycoffe.org 31.01.2018
energytea.org 31.01.2018
teacoffe.net 31.01.2018
adaptivecss.org 01.03.2018
coffemokko.com 01.03.2018
londontea.net 01.03.2018
ukcoffe.com 01.03.2018
labbe.biz 20.03.2018
batterynart.com 03.04.2018
btosports.net 09.04.2018
chicksaddlery.net 16.04.2018
totogipay.org 11.05.2018
ar500arnor.com 26.05.2018
authorizecdn.com 28.05.2018
slickmin.com 28.05.2018
bannerbuzz.info 03.06.2018
kandypens.net 08.06.2018
mylrendyphone.com 15.06.2018
freshchat.info 01.07.2018
3lift.org 02.07.2018
abtasty.net 02.07.2018
mechat.info 02.07.2018
zoplm.com 02.07.2018
zapaljs.com 02.09.2018
foodandcot.com 15.09.2018
freshdepor.com 15.09.2018
swapastore.com 15.09.2018
verywellfitnesse.com 15.09.2018
elegrina.com 18.11.2018
majsurplus.com 19.11.2018
top5value.com 19.11.2018

Source: www.habr.com
