Anenge mumwe nemumwe wedu anoshandisa masevhisi ezvitoro zvepamhepo, izvo zvinoreva kuti nekukurumidza kana gare gare isu tinomhanyisa njodzi yekuve munhu akabatwa neJavaScript sniffers - yakakosha kodhi iyo vanorwisa vanopinza muwebhusaiti kuba data yekadhi rebhangi, kero, mazita ekushandisa uye mapassword. .
Vanoda kusvika mazana mana ezviuru vashandisi vewebhusaiti yeBritish Airways uye nharembozha yakatokanganiswa nevanhuhwi, pamwe nevashanyi vewebhusaiti yeBritish yehofori yemitambo FILA uye mushambadzi wetikiti wekuAmerica Ticketmaster. PayPal, Chase Paymenttech, USAePay, Moneris - aya nemamwe akawanda masisitimu ekubhadhara akatapukirwa.
Threat Intelligence Boka-IB muongorori Viktor Okorokov anotaura nezve mapindiro evanofemba vanopinza kodhi yewebhusaiti voba ruzivo rwekubhadhara, pamwe nekuti maCRM avanorwisa.
"Yakavanzika kutyisidzira"
Zvakaitika kuti kwenguva yakareba JS-sniffers yakaramba isingaonekwi nevanopikisa anti-virus, uye mabhangi uye maitiro ekubhadhara haana kuvaona sekutyisidzira kwakakomba. Uye zvachose pasina. Boka-IB Nyanzvi 2440 vane hutachiona hwezvitoro zvepamhepo, vane vashanyi - vanosvika miriyoni 1,5 pazuva - vaive panjodzi yekukanganisa. Pakati pevakabatwa havasi vashandisi chete, asiwo zvitoro zvepamhepo, masisitimu ekubhadhara uye mabhangi akabudisa makadhi akanganisa.
Boka-IB rakave chidzidzo chekutanga chemusika werima wevapfuri, zvivakwa zvavo uye nzira dzekuita mari, vachiunza mamirioni emadhora kuvagadziri vavo. Takaona mhuri makumi matatu nesere dzinofemba, idzo gumi nembiri chete dzaimbozivikanwa nevaongorori.
Ngatigarei zvakadzama pamhuri ina dzevanofemba dzakadzidzwa mukati mekudzidza.
ReactGet mhuri
Sniffers emhuri yeReactGet anoshandiswa kuba data rekadhi rebhangi panzvimbo dzekutenga online. Iyo sniffer inogona kushanda nenhamba yakakura yeakasiyana masisitimu ekubhadhara anoshandiswa pasaiti: imwe parameter kukosha inoenderana neyekubhadhara imwe system, uye munhu anoonekwa shanduro dzemunhu anofema anogona kushandiswa kuba zvitupa, pamwe nekubira kadhi rebhangi data kubva kune mafomu ekubhadhara emamwe masisitimu ekubhadhara kamwechete, seanonzi universal sniffer. Zvakaonekwa kuti mune dzimwe nguva, vanorwisa vanoita phishing kurwisa vatariri vezvitoro zvepamhepo kuitira kuti vawane mukana wekutonga saiti.
Mushandirapamwe unoshandisa mhuri iyi yevanonhuwa wakatanga muna Chivabvu 2017. Nzvimbo dzinomhanyisa CMS nemapuratifomu Magento, Bigcommerce, Shopify dzakarwiswa.
Maitiro eReactGet akaiswa mukati mekodhi yechitoro chepamhepo
Pamusoro peiyo "classic" script jekiseni nelink, ReactGet mhuri sniffer vanoshanda vanoshandisa yakakosha hunyanzvi: vachishandisa JavaScript kodhi, inotarisa kana kero iripo uko mushandisi inosangana neimwe nzira. Iyo yakashata kodhi inomhanya chete kana iyo iripo URL ine substring buda kana nhanho imwe kubuda, peji rimwe/, kunze/onepag, kubuda/imwe, ckout/one. Nekudaro, iyo sniffer kodhi ichaitwa chaizvo panguva iyo mushandisi anobhadhara kutenga uye anoisa ruzivo rwekubhadhara mufomu iri pasaiti.
Uyu wekufemba anoshandisa nzira isiri-yakajairwa. Iyo yekubhadhara uye yemunhu data yemunhu akabatwa inounganidzwa pamwechete, encoded uchishandisa base64, uye ipapo tambo inoguma inoshandiswa separameter kutumira chikumbiro kune yakaipa saiti. Kazhinji, nzira yekugedhi inotevedzera JavaScript faira, semuenzaniso resp.js, data.js zvichingodaro, asi zvinongedzo kumafaira emufananidzo zvinoshandiswawo, GIF и JPG. Chinoshamisa ndechekuti mufesi anogadzira chinhu chine saizi ye1 ne1 pixel uye anoshandisa chinongedzo chakambowanikwa separameter. Src Images. Ndiko kuti, kumushandisi, chikumbiro chakadaro mumigwagwa chichaita sechikumbiro chemufananidzo wenguva dzose. Imwe nzira yakafanana yakashandiswa mumhuri ye ImageID yevanofemba. Pamusoro pezvo, iyo 1x1 pixel yemufananidzo nzira inoshandiswa mune dzakawanda zviri pamutemo online analytics zvinyorwa, izvo zvinogona zvakare kutsausa mushandisi.
Version Analysis
Ongororo yenzvimbo dzinoshanda dzinoshandiswa neReactGet sniffer operators dzakaratidza akawanda akasiyana emhuri iyi yevanofemba. Mavhezheni anosiyana mukuvapo kana kusavapo kwebfuscation, uye nekuwedzera, imwe neimwe sniffer yakagadzirirwa imwe nzira yekubhadhara iyo inogadzirisa kubhadhara kadhi rebhangi kuzvitoro zvepamhepo. Mushure mekugadzirisa kuburikidza nekukosha kweparameter inoenderana nenhamba yeshanduro, Boka-IB nyanzvi dzakagamuchira runyoro rwakakwana rwemhando dziripo dzekunhuhwidza, uye nemazita emafomu emafomu anotsvagwa nemufesi wega wega mukodhi yepeji, vakasarudza masisitimu ekubhadhara. kuti munhu anofemba anonanga.
Rondedzero yevanosniffer uye yavo inowirirana masystem ekubhadhara
| Sniffer URL | Kubhadhara system |
|---|---|
| Kwirisa.Net | |
| Cardsave | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| eWAY Rapid | |
| Kwirisa.Net | |
| Adyen | |
| USAePay | |
| Kwirisa.Net | |
| USAePay | |
| Kwirisa.Net | |
| Moneris | |
| USAePay | |
| PayPal | |
| SagePay | |
| Verisign | |
| PayPal | |
| mutsetse | |
| Realex | |
| PayPal | |
| LinkPoint | |
| PayPal | |
| PayPal | |
| datacash | |
| PayPal | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Verisign | |
| Kwirisa.Net | |
| Moneris | |
| SagePay | |
| USAePay | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| ANZ eGate | |
| Kwirisa.Net | |
| Moneris | |
| SagePay | |
| SagePay | |
| Chase Kubhadhara | |
| Kwirisa.Net | |
| Adyen | |
| PsiGate | |
| Cyber Source | |
| ANZ eGate | |
| Realex | |
| USAePay | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| ANZ eGate | |
| PayPal | |
| PayPal | |
| Realex | |
| SagePay | |
| PayPal | |
| Verisign | |
| Kwirisa.Net | |
| Verisign | |
| Kwirisa.Net | |
| ANZ eGate | |
| PayPal | |
| Cyber Source | |
| Kwirisa.Net | |
| SagePay | |
| Realex | |
| Cyber Source | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY Rapid | |
| SagePay | |
| SagePay | |
| Verisign | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| First Data Global Gateway | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Moneris | |
| Kwirisa.Net | |
| PayPal | |
| Verisign | |
| USAePay | |
| USAePay | |
| Kwirisa.Net | |
| Verisign | |
| PayPal | |
| Kwirisa.Net | |
| mutsetse | |
| Kwirisa.Net | |
| eWAY Rapid | |
| SagePay | |
| Kwirisa.Net | |
| Braintree | |
| Braintree | |
| PayPal | |
| SagePay | |
| SagePay | |
| Kwirisa.Net | |
| PayPal | |
| Kwirisa.Net | |
| Verisign | |
| PayPal | |
| Kwirisa.Net | |
| mutsetse | |
| Kwirisa.Net | |
| eWAY Rapid | |
| SagePay | |
| Kwirisa.Net | |
| Braintree | |
| PayPal | |
| SagePay | |
| SagePay | |
| Kwirisa.Net | |
| PayPal | |
| Kwirisa.Net | |
| Verisign | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| SagePay | |
| SagePay | |
| Westpac PayWay | |
| payfort | |
| PayPal | |
| Kwirisa.Net | |
| mutsetse | |
| First Data Global Gateway | |
| PsiGate | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Moneris | |
| Kwirisa.Net | |
| SagePay | |
| Verisign | |
| Moneris | |
| PayPal | |
| LinkPoint | |
| Westpac PayWay | |
| Kwirisa.Net | |
| Moneris | |
| PayPal | |
| Adyen | |
| PayPal | |
| Kwirisa.Net | |
| USAePay | |
| EBizCharge | |
| Kwirisa.Net | |
| Verisign | |
| Verisign | |
| Kwirisa.Net | |
| PayPal | |
| Moneris | |
| Kwirisa.Net | |
| PayPal | |
| PayPal | |
| Westpac PayWay | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| SagePay | |
| Verisign | |
| Kwirisa.Net | |
| PayPal | |
| payfort | |
| Cyber Source | |
| PayPal PayflowPro | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Verisign | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| SagePay | |
| Kwirisa.Net | |
| mutsetse | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Verisign | |
| PayPal | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| SagePay | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| PayPal | |
| Flint | |
| PayPal | |
| SagePay | |
| Verisign | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| mutsetse | |
| Mafuta Mbizi | |
| SagePay | |
| Kwirisa.Net | |
| First Data Global Gateway | |
| Kwirisa.Net | |
| eWAY Rapid | |
| Adyen | |
| PayPal | |
| QuickBooks Merchant Services | |
| Verisign | |
| SagePay | |
| Verisign | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| SagePay | |
| Kwirisa.Net | |
| eWAY Rapid | |
| Kwirisa.Net | |
| ANZ eGate | |
| PayPal | |
| Cyber Source | |
| Kwirisa.Net | |
| SagePay | |
| Realex | |
| Cyber Source | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY Rapid | |
| SagePay | |
| SagePay | |
| Verisign | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| First Data Global Gateway | |
| Kwirisa.Net | |
| Kwirisa.Net | |
| Moneris | |
| Kwirisa.Net | |
| PayPal |
Password sniffer
Imwe yemabhenefiti eJavaScript sniffers anoshanda kudivi remutengi wewebhusaiti kuita kwayo kwakasiyana-siyana: yakaipa kodhi yakamisikidzwa pawebhusaiti inogona kuba chero rudzi rwe data, ingave ruzivo rwekubhadhara kana login uye password kubva mushandisi account. Boka-IB nyanzvi dzakawana muenzaniso wekufemba wemhuri yeReactGet, yakagadzirirwa kuba makero eemail nemapassword evashandisi vesaiti.
Kupindirana ne ImageID mufefesi
Munguva yekuongororwa kweimwe yezvitoro zvine hutachiona, zvakaonekwa kuti webhusaiti yayo yakatapukirwa kaviri: kunze kweiyo yakaipa kodhi yeReactGet mhuri sniffer, iyo kodhi yemhuri yeImageID yemhuri yakawanikwa. Kupindirana uku kunogona kuve humbowo hwekuti vashandisi vari kuseri kwevanuhwi vari kushandisa nzira dzakafanana kupinza kodhi yakaipa.
Universal sniffer
Munguva yekuongorora kweimwe yemazita emazita ane hukama neReactGet sniffer zvivakwa, zvakaonekwa kuti mushandisi mumwechete akanyoresa mamwe matatu mazita edomasi. Aya madomasi matatu akateedzera madomasi enzvimbo dzehupenyu chaihwo uye aimboshandiswa kugamuchira vanofembedza. Pakuongorora kodhi yemasaiti matatu ari pamutemo, munhu asingazivikanwe akawanikwa, uye kumwe kuongorora kwakaratidza kuti iyi ishanduro yakagadziridzwa yeReactGet sniffer. Yese yakambotevedzwa shanduro dzemhuri iyi yevanonhuhwidza yakanangwa pane imwechete yekubhadhara system, ndiko kuti, yakakosha vhezheni yesniffer yaidiwa kune yega yekubhadhara system. Nekudaro, mune iyi kesi, vhezheni yepasirese yemunuhwi yakawanikwa, inokwanisa kuba ruzivo kubva kumafomu ane chekuita ne15 akasiyana ekubhadhara masisitimu uye mamodule eecommerce nzvimbo dzekubhadhara online.
Saka, pakutanga kwebasa, mufeki akatsvaga mafomu ekutanga ane ruzivo rwemunhu akabatwa: zita rakazara, kero yemuviri, nhamba yefoni.
Iye anofembedza akabva atsvaga pamusoro pegumi neshanu prefixes akasiyana anoenderana neakasiyana masystem ekubhadhara uye mamodule ekubhadhara online.
Tevere, data remunhu akabatwa uye ruzivo rwekubhadhara zvakaunganidzwa pamwe chete ndokutumirwa kune saiti inodzorwa neanorwisa: mune iyi chaiyo, shanduro mbiri dzeReactGet universal sniffer dzakawanikwa dziri panzvimbo mbiri dzakasiyana dzakabiwa. Nekudaro, ese ari maviri mavhezheni akatumira data rakabiwa kune imwecheteyo saiti yakabiwa. zoobashop.com.
Ongororo ye prefixes inoshandiswa neanofembedza kutsvaga minda ine ruzivo rwekubhadhara kwemunhu akabatwa yakatemerwa kuti iyi sniffer sample yakanangana neanotevera masisitimu ekubhadhara:
- Kwirisa.Net
- Verisign
- Kutanga Dhata
- USAePay
- mutsetse
- PayPal
- ANZ eGate
- Braintree
- Data Cash (MasterCard)
- Realex Payments
- PsiGate
- Heartland Payment Systems
Ndezvipi zvishandiso zvinoshandiswa kuba ruzivo rwekubhadhara
Chishandiso chekutanga chakawanikwa panguva yekuongorora kwevanorwisa zvivakwa chinoshanda kudzima magwaro ane hutsinye ane mhosva yekuba makadhi ekubhangi. A bash script achishandisa CLI yeprojekiti yakawanikwa pane mumwe wevanorwisa 'mauto. kuita otomatiki sniffer code obfuscation.
Chechipiri chakawanikwa chishandiso chakagadzirirwa kugadzira iyo kodhi ine basa rekurodha iyo huru sniffer. Ichi chishandiso chinoburitsa JavaScript kodhi inotarisa kana mushandisi ari papeji yekubuda nekutsvaga kero yemushandisi iyezvino yetambo. buda, ngoro uye zvichingodaro, uye kana mhedzisiro yacho yakanaka, saka iyo kodhi inotakura iyo huru sniffer kubva kune intruder's server. Kuti uvanze kuita kwakashata, mitsetse yese, kusanganisira mitsara yekuyedza yekutarisa peji rekubhadhara, pamwe nekubatanidza kune sniffer, yakavharirwa uchishandisa. base64.
Phishing kurwisa
Munguva yekuongorora kwetiweki zvivakwa zvevanorwisa, zvakaonekwa kuti boka rematsotsi rinowanzoshandisa phishing kuwana mukana wekutonga pane inotarirwa chitoro chepamhepo. Vanorwisa vanonyoresa domain inoita kunge dura rechitoro vobva vatumira fomu rekunyepedzera reMagento admin pairi. Kana vakabudirira, vanorwisa vanowana mukana weMagento CMS admin panhizha, iyo inovapa kugona kugadzirisa zvikamu zvesaiti uye kushandisa sniffer kuba data rekiredhiti kadhi.
Infrastructure
| Domain | Zuva rekuwanikwa/kuonekwa |
|---|---|
| mediapack.info | 04.05.2017 |
| adsgetapi.com | 15.06.2017 |
| simcounter.com | 14.08.2017 |
| mageanalytics.com | 22.12.2017 |
| maxstatics.com | 16.01.2018 |
| reactjsapi.com | 19.01.2018 |
| mxcounter.com | 02.02.2018 |
| apittatus.com | 01.03.2018 |
| orderracker.com | 20.04.2018 |
| tagtracking.com | 25.06.2018 |
| adsapigate.com | 12.07.2018 |
| trusttracker.com | 15.07.2018 |
| fbstatspartner.com | 02.10.2018 |
| billgetstatus.com | 12.10.2018 |
| www.aldenmlilhouse.com | 20.10.2018 |
| balletbeautlful.com | 20.10.2018 |
| bargalnjunkie.com | 20.10.2018 |
| payselector.com | 21.10.2018 |
| tagsmediaget.com | 02.11.2018 |
| hs-payments.com | 16.11.2018 |
| ordercheckpays.com | 19.11.2018 |
| geissee.com | 24.11.2018 |
| gtmproc.com | 29.11.2018 |
| livegetpay.com | 18.12.2018 |
| sydneysalonsupplies.com | 18.12.2018 |
| newrelicnet.com | 19.12.2018 |
| nr-public.com | 03.01.2019 |
| cloudodesc.com | 04.01.2019 |
| ajaxstatic.com | 11.01.2019 |
| livecheckpay.com | 21.01.2019 |
| asianfoodgracer.com | 25.01.2019 |
G-Analytics mhuri
Iyi mhuri yevanofemba inoshandiswa kuba makadhi evatengi muzvitoro zvepamhepo. Zita rekutanga chairo rinoshandiswa neboka rakanyoreswa muna Kubvumbi 2016, izvo zvinogona kuratidza kutanga kwebasa reboka pakati pa2016.
Mumushandirapamwe wazvino, boka rinoshandisa mazita edomeini anotevedzera masevhisi ehupenyu chaihwo seGoogle Analytics nejQuery, masking sniffer chiitiko chine magwaro epamutemo uye anotaridzika-akanaka mazita emazita. Mawebhusaiti anomhanya pasi peCMS Magento akarwiswa.
Maitiro eG-Analytics anoitwa mune online store kodhi
Chinhu chakasiyana chemhuri iyi kushandiswa kwenzira dzakasiyana dzekubira ruzivo rwekubhadhara mushandisi. Pamusoro pejekiseni reJavaScript rekare mudivi revatengi resaiti, boka rematsotsi rakashandisawo nzira yekupinza kodhi mudivi reseva resaiti, kureva PHP zvinyorwa zvinogadzira kupinza kwemushandisi. Iyi nzira ine ngozi nekuti inoita kuti zviome kune vechitatu-bato vaongorori kuti vaone yakaipa kodhi. Boka-IB nyanzvi dzakawana vhezheni yemupfuhwira yakanyudzwa muiyo PHP kodhi yesaiti, vachishandisa iyo domain segedhi. dittm.org.
Yekutanga vhezheni yemunhu anofembedza yakawanikwa zvakare inoshandisa iyo dhomeini kuunganidza data rakabiwa. dittm.org, asi iyi vhezheni yakatogadzirirwa kuiswa parutivi rwevatengi rwechitoro chepa online.
Gare gare, boka rakachinja maitiro aro ndokutanga kubhadhara zvakanyanya kuvanza kwekuita kwakashata uye kuvharidzira.
Mukutanga kwe2017, boka rakatanga kushandisa domain jquery-js.comkuita seCDN yejQuery: inodzosera mushandisi kunzvimbo yepamutemo kana uchienda kune yakaipa saiti. jquery.com.
Uye pakati pe-2018, boka racho rakatora zita rezita g-analytics.com uye akatanga kuvanza basa remufeki sebasa repamutemo reGoogle Analytics.
Version Analysis
Munguva yekuongororwa kwemazita anoshandiswa kuchengetedza kodhi ye sniffer, zvakaonekwa kuti saiti ine nhamba huru yeshanduro dzinosiyana mukuvapo kwebfuscation, pamwe nekuvapo kana kusavapo kwekodhi isingasvikike yakawedzerwa kune faira kuvhiringidza kutarisa. uye kuvanza kodhi yakaipa.
Total panzvimbo jquery-js.com marudzi matanhatu evanofemba akaonekwa. Ava vanofemba vanotumira data rakabiwa kukero iri panzvimbo imwe chete seyemunhu anofembedza pachake: hxxps://jquery-js[.]com/latest/jquery.min.js:
- hxxps://jquery-js[.]com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
Gare gare domain g-analytics.com, inoshandiswa neboka mukurwiswa kubva pakati pe2018, inoshanda senzvimbo yevazhinji vanonhuhwidza. Pakazara, 16 shanduro dzakasiyana dzemufefe dzakawanikwa. Muchiitiko ichi, gedhi rekutumira data rakabiwa rakavharwa sechibatanidza kumufananidzo wefomati GIF: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid
= 1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.]com/libs/analytics.js
Kuita mari yedata rakabiwa
Boka rematsotsi rinoita mari data rakabiwa nekutengesa makadhi kuburikidza nechitoro chakagadzirwa chepasi pevhu chinopa masevhisi kune vanotora makadhi. Ongororo yemadomasi anoshandiswa nevanorwisa yakaita kuti zvikwanise kuona izvozvo google-analytics.cm yakanyoreswa nemushandisi mumwechete sedomeini cardz.vc. Domain cardz.vc inoreva maCardsurfs (Flysurfs), chitoro chinotengesa makadhi ekubhangi akabiwa, chakawana mukurumbira panguva yemusika weAlphaBay pasi pevhu sechitoro chinotengesa makadhi ekubhanga akabiwa uchishandisa munhu anofembedza.
Kuongorora domain analytical.is, iri paseva imwechete semadomasi anoshandiswa nevanofemba kuunganidza data rakabiwa, Boka-IB nyanzvi dzakawana faira rine Cookie anoba matanda, izvo zvinoita sekunge, zvakazosiiwa nemugadziri. Imwe yemanyorerwo mulog yanga ine domain iozoz.com, iyo yakamboshandiswa mune imwe yevanofemba inoshanda muna 2016. Sezvingabvira, iyi domain yakamboshandiswa neanorwisa kutora makadhi akabiwa achishandisa munhu anofembedza. Nzvimbo iyi yakanyoreswa kukero yeemail [email inodzivirirwa], iyo yaishandiswawo kunyoresa domains cardz.su и cardz.vczvinoenderana neCardsurfs carding shop.
Kubva pane data yakawanikwa, zvinogona kufungidzirwa kuti mhuri yeG-Analytics sniffer uye yepasi pevhu yeCardsurfs bank card store inotungamirirwa nevanhu vakafanana, uye chitoro chinoshandiswa kutengesa makadhi ekubhangi akabiwa uchishandisa sniffer.
Infrastructure
| Domain | Zuva rekuwanikwa/kuonekwa |
|---|---|
| iozoz.com | 08.04.2016 |
| dittm.org | 10.09.2016 |
| jquery-js.com | 02.01.2017 |
| g-analytics.com | 31.05.2018 |
| google-analytics.is | 21.11.2018 |
| analytical.to | 04.12.2018 |
| google-analytics.to | 06.12.2018 |
| google-analytics.cm | 28.12.2018 |
| analytical.is | 28.12.2018 |
| googlelc-analytics.cm | 17.01.2019 |
Illum mhuri
Illum imhuri yevapfuri vanoshandiswa kurwisa zvitoro zvepamhepo zvinomhanya Magento CMS. Pamusoro pekuunzwa kwekodhi ine hutsinye, vashandi veiyi sniffer vanoshandisawo kuunzwa kwemafomu ekubhadhara emanyepo akazara anotumira data kumasuwo anodzorwa nevanorwisa.
Pakuongorora hurongwa hwetiweki hunoshandiswa nevashandisi veiyi sniffer, nhamba huru yezvinyorwa zvakashata, kushandiswa, mafomu ekubhadhara emanyepo akaonekwa, pamwe nekuunganidzwa kwemienzaniso nevakwikwidzi vane utsinye. Kubva pane ruzivo rwemazuva ekuonekwa kwemazita emazita anoshandiswa neboka, zvinogona kufungidzirwa kuti kutanga kwemushandirapamwe kunowira pakupera kwa2016.
Iyo Illum inoshandiswa sei mune kodhi yechitoro chepamhepo
Mavhezheni ekutanga akawanikwa eanofemba akaiswa mukati mekodhi yenzvimbo yakakanganiswa. Data yakabiwa yakatumirwa cdn.illum[.]pw/records.php, gedhi rakaiswa encoded using base64.
Gare gare, vhezheni yakapetwa yeanofemba yakawanikwa uchishandisa rimwe gedhi - records.nstatistics[.]com/records.php.
Maererano ne Willem de Groot, mugadziri mumwe chete akashandiswa mukufembedza kwakaitwa pa , yebato rezvematongerwo enyika reGermany CSU.
Kurwisa nzvimbo yekuongorora
Boka-IB nyanzvi dzakawana uye dzakaongorora saiti inoshandiswa neboka rematsotsi iri kuchengeta maturusi uye kuunganidza ruzivo rwakabiwa.
Pakati pezvishandiso zvakawanikwa pane sevha yeanorwisa zvakawanikwa zvinyorwa uye zvibodzwa zvekuwedzera rombo muLinux OS: semuenzaniso, Linux Ropafadzo Escalation Tarisa Script, yakagadziridzwa naMike Czumak, pamwe nekushandisa kweCVE-2009-1185.
Vapambi vakashandisa maitiro maviri zvakananga kurwisa zvitoro zvepamhepo: inokwanisa kupinza kodhi yakaipa mukati core_config_data nekushandisa CVE-2016-4010, inoshandisa kusadzivirirwa kweRCE muMagento CMS plugins, ichibvumira kodhi yekupokana kuti iitwe pane isina njodzi web server.
Zvakare, panguva yekuongorora sevha, masampuli akasiyana-siyana evapfuri uye mafomu ekubhadhara emanyepo akawanikwa, anoshandiswa nevanorwisa kuunganidza ruzivo rwekubhadhara kubva kunzvimbo dzakabiwa. Sezvauri kuona kubva pane rondedzero pazasi, mamwe magwaro akagadzirwa ega kune yega saiti yakabiwa, nepo mhinduro yepasirese yakashandiswa kune imwe CMS nemagedhi ekubhadhara. Somuenzaniso, scripts segapay_standard.js и segapay_onpage.js yakagadzirirwa kuiswa pamasaiti uchishandisa Sage Pay yekubhadhara gedhi.
Rondedzero yezvinyorwa zvemagedhi akasiyana ekubhadhara
| Script | Payment Gateway |
|---|---|
| [.]pw/mjs_special/visiondirect.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/topdirenshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/tiendalenovo.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/pro-bolt.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/plae.co.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/ottolenghi.co.uk.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/oldtimecandy.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/mylook.ee.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/luluandsky.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/julep.com.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/gymcompany.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/grotekadoshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/fushi.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/fareastflora.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/compuindia.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs/segapay_standart.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/segapay_onpage.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/replace_standard.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs/all_inputs.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/add_inputs_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/magento/payment_standard.js | //cdn.illum[.]pw/records.php |
| [.]pw/magento/payment_redirect.js | //payrightnow[.]cf/?payment= |
| [.]pw/magento/payment_redcrypt.js | //payrightnow[.]cf/?payment= |
| [.]pw/magento/payment_forminsite.js | //paymentnow[.]tk/?payment= |
Host paynow[.]tk, inoshandiswa segedhi mune script pay_forminsite.js, yakawanikwa se subjectAltName mune akati wandei zvitupa zvine chekuita neCloudFlare sevhisi. Mukuwedzera, iyo script yaive iri pane iyo host zvakaipa.js. Tichifunga nezvezita reiyo script, inogona kunge yakashandiswa sechikamu chekushandisa CVE-2016-4010, nekuda kwazvinogoneka kubaya kodhi yakaipa muzasi pesaiti inomhanyisa Magento CMS. Ichi chinyorwa chakashandisa mugadziri segedhi request.requestnet[.]tk, uchishandisa chitupa chakafanana neanogamuchira paynow[.]tk.
Mafomu ekubhadhara emanyepo
Mufananidzo uri pazasi unoratidza muenzaniso wefomu yekupinda data kadhi. Iri fomu rakashandiswa kupinza webhusaiti yepamhepo chitoro uye kuba data rekadhi.
Mufananidzo unotevera muenzaniso wefomu rekubhadhara rePayPal remanyepo iro rakashandiswa nevanorwisa kupinza masaiti vachishandisa nzira yekubhadhara iyi.
Infrastructure
| Domain | Zuva rekuwanikwa/kuonekwa |
|---|---|
| cdn.illum.pw | 27/11/2016 |
| records.nstatistics.com | 06/09/2018 |
| chikumbiro.payrightnow.cf | 25/05/2018 |
| paynow.tk | 16/07/2017 |
| pay-line.tk | 01/03/2018 |
| paypal.cf | 04/09/2017 |
| requestnet.tk | 28/06/2017 |
CoffeeMokko mhuri
Mhuri yeCoffeMokko yevanofemba vakagadzirirwa kuba makadhi ekubhangi evashandisi vezvitoro zvepamhepo yakashandiswa kubva angangoita Chivabvu 2017. Zvichida, boka rematsotsi reBoka 1 rakatsanangurwa nenyanzvi dzeRiskIQ muna 2016 ndiye anoshanda weiyi mhuri yevanofemba. Mawebhusaiti anomhanyisa seCMS seMagento, OpenCart, WordPress, osCommerce, Shopify akarwiswa.
Ko CoffeMokko yakadzikwa sei mukodhi yechitoro chepamhepo
Vashandi vemhuri iyi vanogadzira akasiyana anonhuwa kune yega yega hutachiona: iyo sniffer faira iri mudhairekitori. Src kana js paserver yeanorwisa. Kuitwa mukati meiyo saiti kodhi kunoitwa nechakananga chinongedzo kune sniffer.
Iyo sniffer kodhi yakaoma-makodhi mazita emafomu emafomu kwaunoda kuba data. Mufesi anotarisawo kana mushandisi ari papeji yekutarisa nekutarisa rondedzero yemazwi akakosha achipesana nekero yemushandisi iripo.
Mamwe mavhezheni akawanikwa emunuhwi akavharwa uye aine tambo yakavharidzirwa yaichengeta ruzhinji rwezviwanikwa: yaive nemazita emafomu emafomu eakasiyana masystem ekubhadhara, pamwe nekero yegedhi uko data rakabiwa rinofanira kutumirwa.
Ruzivo rwekubhadhara rwakabiwa rwakatumirwa kune script pane server yevanorwisa munzira. /savePayment/index.php kana /tr/index.php. Sezvingabvira, iyi script inoshandiswa kutumira data kubva kugedhi kuenda kune huru server, iyo inosanganisa data kubva kune vese sniffers. Kuvanza iyo data yakafambiswa, ruzivo rwese rwekubhadhara rwemunhu akabatwa runoiswa encoded uchishandisa base64, uyezve mamwe mavara anotsiva anoitika:
- hunhu "e" hunotsiviwa ne ":"
- chiratidzo "w" chinotsiviwa na "+"
- mavara "o" anotsiviwa ne "%"
- chimiro "d" chinotsiviwa ne "#"
- chimiro "a" chinotsiviwa ne "-"
- chiratidzo "7" chinotsiviwa ne "^"
- hunhu "h" hunotsiviwa na "_"
- chiratidzo che "T" chinotsiviwa na "@"
- chimiro "0" chinotsiviwa ne "/"
- chimiro "Y" chinotsiviwa ne "*"
Nekuda kwekuchinjanisa mavara encoded with base64 data haigone kudhindwa pasina kuchinjika shanduko.
Aya ndiwo maitiro anoita chidimbu cheiyo sniffer kodhi isina kubvongodzwa inoita senge:
Infrastructure analysis
Mumishandirapamwe yekutanga, vapambi vakanyoresa mazita emadomasi akafanana neaya epamhepo nzvimbo dzekutenga online. Nzvimbo yavo inogona kusiyana kubva kune yepamutemo imwe neimwe hunhu kana imwe TLD. Madhomeini akanyoreswa akashandiswa kuchengetedza kodhi yesniffer, chinongedzo chaive chakaiswa mukodhi yechitoro.
Iri boka rakashandisawo mazita emazita anoyeuchidza yakakurumbira jQuery plugins (slickjs[.]org kune masaiti anoshandisa plugin slick.js), magedhi ekubhadhara (sagecdn[.]org yemasaiti anoshandisa iyo Sage Pay yekubhadhara system).
Gare gare, boka rakatanga kugadzira madomasi ane zita rakanga risinei nechekuita nedura rechitoro kana dingindira rechitoro.
Domain yega yega yaienderana nenzvimbo yakasikirwa dhairekitori /js kana / src. Manyoro eSniffer akachengetwa mudhairekitori iri: mufefesi mumwechete wechirwere chitsva chega chega. Iyo sniffer yakaunzwa mukodhi yesaiti kuburikidza neinongedzo yakananga, asi muzviitiko zvisingawanzo, vapambi vakagadzirisa imwe yemafaira esaiti uye vakawedzera kodhi yakaipa kwairi.
Code analysis
Yekutanga Obfuscation Algorithm
Mune mamwe masampula emhuri iyi, iyo kodhi yakavharwa uye yaive neyakavharidzirwa data inodiwa kuti mufesi ashande: kunyanya, kero yegedhi remufeferi, runyorwa rwemafomu ekubhadhara fomu, uye mune dzimwe nguva, fomu rekubhadhara remanyepo. Mune kodhi mukati mebasa, zviwanikwa zvakavharirwa nazvo XOR nekiyi yakapfuudzwa senharo kubasa rimwechete.
Nekubvisa tambo nekiyi inoenderana, yakasarudzika yemuenzaniso wega wega, unogona kuwana tambo ine mitsara yese kubva kune sniffer kodhi yakaparadzaniswa nedelimiter character.
Chechipiri obfuscation algorithm
Mune mamwe masampula emhuri iyi yevanofemba, imwe nzira yekubiridzira yakashandiswa: mune iyi nyaya, data yakavharidzirwa uchishandisa algorithm yekuzvinyora. Tambo ine data yakavharidzirwa inodiwa kuti munhu anofembedza ashande akapfuudzwa senharo kudhiribheti basa.
Uchishandisa browser yebhurawuza, unogona kutsikisa iyo encrypted data uye uwane rondedzero ine sniffer zviwanikwa.
Batanidza kune yekutanga MageCart kurwiswa
Mukuongororwa kweimwe yenzvimbo dzinoshandiswa neboka segedhi rekuunganidza data rakabiwa, zvakaonekwa kuti dura iri rakaisa zvivakwa zvekuba makadhi echikwereti, akafanana neanoshandiswa neBoka 1 - rimwe remapoka ekutanga, RiskIQ nyanzvi.
Mafaira maviri akawanikwa pamubati wemhuri yeCoffeMokko sniffer:
- mage.js - faira rine Group 1 sniffer code ine kero yegedhi js-cdn.link
- mag.php - PHP script ine basa rekuunganidza data rakabiwa neano sniffer
Zviri mukati me mage.js file
Izvo zvakare zvakatemerwa kuti madomasi ekutanga akashandiswa neboka kuseri kwemhuri yeCoffeMokko sniffer akanyoreswa muna Chivabvu 17, 2017:
- link-js[.] link
- info-js[.] link
- track-js[.] link
- map-js[.] link
- smart-js[.] link
Mamiriro emazita emazita aya akafanana nemazita eGroup 1 akashandiswa mukurwiswa kwe2016.
Kubva pane zvakawanikwa chokwadi, zvinogona kufungidzirwa kuti pane hukama pakati peCoffeMokko sniffer operators neboka rematsotsi reBoka 1. Zvichida, vashandi veCoffeMokko vanogona kunge vakakwereta maturusi uye software yekuba makadhi kubva kune avo vakavatangira. Zvisinei, zvinowanzoitika kuti boka rematsotsi riri shure kwekushandiswa kwevapfuri vemhuri yeCoffeMokko ndivo vanhu vakafanana vakaita kurwisa sechikamu chezviitiko zveBoka 1. Mushure mekubudiswa kwemushumo wekutanga wemabasa eboka rematsotsi, zvose zvavo. mazita edomeni akavharwa, uye zvishandiso zvakadzidzwa zvakadzama nekutsanangurwa. Boka racho rakamanikidzwa kutora zororo, kunatsa maturusi avo emukati uye kunyorazve kodhi yesniffer kuti vaenderere mberi nekurwiswa kwavo uye varambe vasingaonekwe.
Infrastructure
| Domain | Zuva rekuwanikwa/kuonekwa |
|---|---|
| link-js.link | 17.05.2017 |
| info-js.link | 17.05.2017 |
| track-js.link | 17.05.2017 |
| map-js.link | 17.05.2017 |
| smart-js.link | 17.05.2017 |
| adorebeauty.org | 03.09.2017 |
| security-payment.su | 03.09.2017 |
| braincdn.org | 04.09.2017 |
| sagecdn.org | 04.09.2017 |
| slickjs.org | 04.09.2017 |
| oakandfort.org | 10.09.2017 |
| citywnery.org | 15.09.2017 |
| dobell.su | 04.10.2017 |
| vanasplayclothing.org | 31.10.2017 |
| jewsondirect.com | 05.11.2017 |
| shop-rnib.org | 15.11.2017 |
| closetlondon.org | 16.11.2017 |
| misshaus.org | 28.11.2017 |
| battery-force.org | 01.12.2017 |
| kik-vape.org | 01.12.2017 |
| greatfurnituretradingco.org | 02.12.2017 |
| etradesupply.org | 04.12.2017 |
| replacemyremote.org | 04.12.2017 |
| all-about-sneakers.org | 05.12.2017 |
| mage-checkout.org | 05.12.2017 |
| nililotan.org | 07.12.2017 |
| lamoodbighat.net | 08.12.2017 |
| walletgear.org | 10.12.2017 |
| dahlie.org | 12.12.2017 |
| davidsfootwear.org | 20.12.2017 |
| blackriverrimaging.org | 23.12.2017 |
| exrpesso.org | 02.01.2018 |
| parks.su | 09.01.2018 |
| pmtonline.com | 12.01.2018 |
| otocap.org | 15.01.2018 |
| christohperward.org | 27.01.2018 |
| coffetea.org | 31.01.2018 |
| energycoffe.org | 31.01.2018 |
| energytea.org | 31.01.2018 |
| teacoffe.net | 31.01.2018 |
| adaptivecss.org | 01.03.2018 |
| coffemokko.com | 01.03.2018 |
| londontea.net | 01.03.2018 |
| ukcoffe.com | 01.03.2018 |
| labbe.biz | 20.03.2018 |
| batterynart.com | 03.04.2018 |
| btosports.net | 09.04.2018 |
| chicksaddlery.net | 16.04.2018 |
| paypay.org | 11.05.2018 |
| ar500arnor.com | 26.05.2018 |
| authorizecdn.com | 28.05.2018 |
| slickmin.com | 28.05.2018 |
| bannerbuzz.info | 03.06.2018 |
| kandypens.net | 08.06.2018 |
| mylrendyphone.com | 15.06.2018 |
| freshchat.info | 01.07.2018 |
| 3lift.org | 02.07.2018 |
| abtasty.net | 02.07.2018 |
| mechat.info | 02.07.2018 |
| zoplm.com | 02.07.2018 |
| zapaljs.com | 02.09.2018 |
| foodandcot.com | 15.09.2018 |
| freshdepor.com | 15.09.2018 |
| swappastore.com | 15.09.2018 |
| verywellfitness.com | 15.09.2018 |
| elegrina.com | 18.11.2018 |
| majsurplus.com | 19.11.2018 |
| top5value.com | 19.11.2018 |
Source: www.habr.com