Almost all of us use online shopping services, which means that sooner or later we risk becoming victims of JavaScript sniffers: special code that attackers inject into a website to steal bank card data, addresses, logins and passwords of users.
Nearly 400 users of the British Airways website and mobile app have already been affected by sniffers, as have visitors to the UK website of the sportswear giant FILA and the US ticket distributor Ticketmaster. PayPal, Chase Paymentech, USAePay, Moneris: these and many other payment systems have been affected.
Viktor Okorokov, a Threat Intelligence analyst at Group-IB, explains how sniffers get into website code and steal payment information, and which CRMs they attack.
Hidden threat
It so happened that for a long time JS sniffers stayed out of the sight of antivirus analysts, and banks and payment systems did not consider them a serious threat. And completely in vain. Group-IB experts
Let us look in detail at the four sniffer families studied during the research.
The ReactGet family
Sniffers of the ReactGet family are used to steal bank card data on online shopping sites. The sniffer can work with a large number of different payment systems used on a site: one parameter value corresponds to one payment system, and individual detected versions of the sniffer can be used to steal credentials as well as bank card data from the payment forms of several payment systems at once, the so-called universal sniffer. It was found that in some cases the attackers carry out phishing attacks on online store administrators in order to gain access to the site's admin panel.
Campaigns using this sniffer family began in May 2017; sites running the Magento, Bigcommerce and Shopify CMS platforms were attacked.
How ReactGet is embedded in the online store's code
In addition to the "classic" embedding of the script through a link, the operators of the ReactGet sniffer family use a special technique: using JavaScript code, they check that the current address the user is on meets certain criteria. The malicious code is executed only if the current URL contains the substring checkout or onestepcheckout, onepage/, out/onepag, checkout/one, ckout/one. Thus, the sniffer code runs exactly at the moment the user proceeds to pay for the purchase and enters payment information into a form on the site.
This sniffer uses a non-standard technique. The victim's payment and personal data are collected together and encoded using base64, and the resulting string is then used as a parameter to send a request to the attackers' website. Most often the gateway path mimics a JavaScript file, for example resp.js, data.js and the like, but links to image files, GIF and JPG, are also used. The peculiarity is that the sniffer creates an image object of size 1 by 1 pixel and uses the previously obtained link as its src parameter. That is, in the user's traffic such a request will look like a request for an ordinary image. A similar technique was used in the ImageID sniffer family. Moreover, the 1 by 1 pixel image technique is used in many legitimate online scripts, which additionally misleads the user.
Version analysis
Analysis of the active domains used by the ReactGet operators revealed many different versions of this family. The versions differ in the presence or absence of obfuscation, and in addition each sniffer is designed for a specific payment system that processes bank card payments for online stores. By sorting through the parameter value corresponding to the version number, Group-IB specialists obtained a complete list of available sniffer variants, and by the names of the form fields that each sniffer searches for in the page code, they identified the payment systems each sniffer targets.
List of sniffers and their corresponding payment systems

| Sniffer URL | Payment system |
|---|---|
| | Authorize.Net |
| | Cardsave |
| | Authorize.Net |
| | Authorize.Net |
| | eWAY Rapid |
| | Authorize.Net |
| | Adyen |
| | USAePay |
| | Authorize.Net |
| | USAePay |
| | Authorize.Net |
| | Moneris |
| | USAePay |
| | PayPal |
| | Sage Pay |
| | Verisign |
| | PayPal |
| | Stripe |
| | Realex |
| | PayPal |
| | LinkPoint |
| | PayPal |
| | PayPal |
| | DataCash |
| | PayPal |
| | Authorize.Net |
| | Authorize.Net |
| | Authorize.Net |
| | Authorize.Net |
| | Verisign |
| | Authorize.Net |
| | Moneris |
| | Sage Pay |
| | USAePay |
| | Authorize.Net |
| | Authorize.Net |
| | ANZ eGate |
| | Authorize.Net |
| | Moneris |
| | Sage Pay |
| | Sage Pay |
| | Chase Paymentech |
| | Authorize.Net |
| | Adyen |
| | PsiGate |
| | CyberSource |
| | ANZ eGate |
| | Realex |
| | USAePay |
| | Authorize.Net |
| | Authorize.Net |
| | ANZ eGate |
| | PayPal |
| | PayPal |
| | Realex |
| | Sage Pay |
| | PayPal |
| | Verisign |
| | Authorize.Net |
| | Verisign |
| | Authorize.Net |
| | ANZ eGate |
| | PayPal |
| | CyberSource |
| | Authorize.Net |
| | Sage Pay |
| | Realex |
| | CyberSource |
| | PayPal |
| | PayPal |
| | PayPal |
| | Verisign |
| | eWAY Rapid |
| | Sage Pay |
| | Sage Pay |
| | Verisign |
| | Authorize.Net |
| | Authorize.Net |
| | First Data Global Gateway |
| | Authorize.Net |
| | Authorize.Net |
| | Moneris |
| | Authorize.Net |
| | PayPal |
| | Verisign |
| | USAePay |
| | USAePay |
| | Authorize.Net |
| | Verisign |
| | PayPal |
| | Authorize.Net |
| | Stripe |
| | Authorize.Net |
| | eWAY Rapid |
| | Sage Pay |
| | Authorize.Net |
| | Braintree |
| | Braintree |
| | PayPal |
| | Sage Pay |
| | Sage Pay |
| | Authorize.Net |
| | PayPal |
| | Authorize.Net |
| | Verisign |
| | PayPal |
| | Authorize.Net |
| | Stripe |
| | Authorize.Net |
| | eWAY Rapid |
| | Sage Pay |
| | Authorize.Net |
| | Braintree |
| | PayPal |
| | Sage Pay |
| | Sage Pay |
| | Authorize.Net |
| | PayPal |
| | Authorize.Net |
| | Verisign |
| | Authorize.Net |
| | Authorize.Net |
| | Authorize.Net |
| | Authorize.Net |
| | Sage Pay |
| | Sage Pay |
| | Westpac PayWay |
| | PayFort |
| | PayPal |
| | Authorize.Net |
| | Stripe |
| | First Data Global Gateway |
| | PsiGate |
| | Authorize.Net |
| | Authorize.Net |
| | Moneris |
| | Authorize.Net |
| | Sage Pay |
| | Verisign |
| | Moneris |
| | PayPal |
| | LinkPoint |
| | Westpac PayWay |
| | Authorize.Net |
| | Moneris |
| | PayPal |
| | Adyen |
| | PayPal |
| | Authorize.Net |
| | USAePay |
| | EBizCharge |
| | Authorize.Net |
| | Verisign |
| | Verisign |
| | Authorize.Net |
| | PayPal |
| | Moneris |
| | Authorize.Net |
| | PayPal |
| | PayPal |
| | Westpac PayWay |
| | Authorize.Net |
| | Authorize.Net |
| | Sage Pay |
| | Verisign |
| | Authorize.Net |
| | PayPal |
| | PayFort |
| | CyberSource |
| | Payflow Pro |
| | Authorize.Net |
| | Authorize.Net |
| | Verisign |
| | Authorize.Net |
| | Authorize.Net |
| | Sage Pay |
| | Authorize.Net |
| | Stripe |
| | Authorize.Net |
| | Authorize.Net |
| | Verisign |
| | PayPal |
| | Authorize.Net |
| | Authorize.Net |
| | Sage Pay |
| | Authorize.Net |
| | Authorize.Net |
| | PayPal |
| | Flint |
| | PayPal |
| | Sage Pay |
| | Verisign |
| | Authorize.Net |
| | Authorize.Net |
| | Stripe |
| | Fat Zebra |
| | Sage Pay |
| | Authorize.Net |
| | First Data Global Gateway |
| | Authorize.Net |
| | eWAY Rapid |
| | Adyen |
| | PayPal |
| | QuickBooks Merchant Services |
| | Verisign |
| | Sage Pay |
| | Verisign |
| | Authorize.Net |
| | Authorize.Net |
| | Sage Pay |
| | Authorize.Net |
| | eWAY Rapid |
| | Authorize.Net |
| | ANZ eGate |
| | PayPal |
| | CyberSource |
| | Authorize.Net |
| | Sage Pay |
| | Realex |
| | CyberSource |
| | PayPal |
| | PayPal |
| | PayPal |
| | Verisign |
| | eWAY Rapid |
| | Sage Pay |
| | Sage Pay |
| | Verisign |
| | Authorize.Net |
| | Authorize.Net |
| | First Data Global Gateway |
| | Authorize.Net |
| | Authorize.Net |
| | Moneris |
| | Authorize.Net |
| | PayPal |
Password stealing
One of the advantages of JavaScript sniffers operating on the client side of a website is their versatility: malicious code embedded in a website can steal any type of data, whether payment data or the login and password of a user account. Group-IB specialists discovered a sniffer sample belonging to the ReactGet family that is designed to steal the email addresses and passwords of site users.
Intersection with the ImageID sniffer
During analysis of one of the infected stores, it was found that the site had been infected twice: in addition to the malicious code of the ReactGet family sniffer, the code of an ImageID family sniffer was detected. This overlap may be evidence that the operators behind the two sniffers use similar techniques to inject malicious code.
Universal sniffer
Analysis of one of the domain names associated with the ReactGet sniffer infrastructure revealed that the same user had registered three more domain names. These three domains mimicked the domains of real-life websites and were previously used to host sniffers. When analyzing the code of the three legitimate sites, a previously unknown sniffer was discovered, and further analysis showed it to be an improved version of the ReactGet sniffer. All previously observed versions of this sniffer family targeted a single payment system, that is, each payment system required a special version of the sniffer. In this case, however, a universal version of the sniffer was found that is capable of stealing information from forms associated with 15 different payment systems and e-commerce site modules for making online payments.
So, at the start of its work, the sniffer looked for the basic form fields containing the victim's personal information: full name, physical address, phone number.
The sniffer then searched for more than 15 different prefixes corresponding to various payment systems and online payment modules.
Next, the victim's personal data and payment information were collected together and sent to a site controlled by the attacker: in this particular case, two versions of the universal ReactGet sniffer were found, located on two different hacked sites. However, both versions sent the stolen data to the same hacked site, zoobashop.com.
Analysis of the prefixes the sniffer used to search for fields containing the victim's payment information allowed us to determine that this sniffer sample targeted the following payment systems:
- Authorize.Net
- Verisign
- First Data
- USAePay
- Stripe
- PayPal
- ANZ eGate
- Braintree
- DataCash (MasterCard)
- Realex Payments
- PsiGate
- Heartland Payment Systems
What tools are used to steal payment information?
The first tool, found during the analysis of the attackers' infrastructure, is used to obfuscate the malicious scripts responsible for stealing bank cards. A bash script that uses the project's CLI was found on one of the attackers' hosts.
The second tool found is designed to generate the code responsible for loading the main sniffer. This tool generates JavaScript code that checks whether the user is on the payment page by searching the user's current address for the strings checkout, cart and the like, and if the result is positive, the code loads the main sniffer from the attackers' server. To hide the malicious activity, all strings, including the test strings for determining the payment page as well as the link to the sniffer, are encoded using base64.
Phishing attacks
Analysis of the attackers' network infrastructure revealed that the criminal group often uses phishing to gain access to the admin panel of the targeted online store. The attackers register a domain visually similar to the store's domain and then deploy a fake Magento admin login form on it. If successful, the attackers gain access to the Magento CMS admin panel, which gives them the opportunity to edit site components and embed a sniffer to steal credit card data.
Infrastructure
Domain | Date discovered/appeared |
---|---|
mediapack.info | 04.05.2017 |
adgetapi.com | 15.06.2017 |
simcounter.com | 14.08.2017 |
mageanalytics.com | 22.12.2017 |
maxstatics.com | 16.01.2018 |
reactjsapi.com | 19.01.2018 |
mxcounter.com | 02.02.2018 |
apitstatus.com | 01.03.2018 |
orderracker.com | 20.04.2018 |
tagstracking.com | 25.06.2018 |
adsapigate.com | 12.07.2018 |
Trust-tracker.com | 15.07.2018 |
fbstatspartner.com | 02.10.2018 |
billgetstatus.com | 12.10.2018 |
www.aldenmilhouse.com | 20.10.2018 |
balletbeautlful.com | 20.10.2018 |
bargalnjunkie.com | 20.10.2018 |
payselector.com | 21.10.2018 |
tagsmediaget.com | 02.11.2018 |
hs-payments.com | 16.11.2018 |
ordercheckpays.com | 19.11.2018 |
geisseie.com | 24.11.2018 |
gtmproc.com | 29.11.2018 |
livegetpay.com | 18.12.2018 |
sydneysalonsupplies.com | 18.12.2018 |
newrelicnet.com | 19.12.2018 |
nr-public.com | 03.01.2019 |
cloudodesc.com | 04.01.2019 |
ajaxstatic.com | 11.01.2019 |
livecheckpay.com | 21.01.2019 |
Asianfoodgracer.com | 25.01.2019 |
The G-Analytics family
This sniffer family is used to steal customers' cards from online stores. The first domain name used by the group was registered in April 2016, which may indicate that the group started its activity in mid-2016.
In the current campaign, the group uses domain names mimicking real-life services such as Google Analytics and jQuery, masking the sniffer's activity behind legitimate scripts and domain names similar to the legitimate ones. Sites running the Magento CMS were attacked.
How G-Analytics is embedded in the online store's code
A distinctive feature of this family is the use of various methods for stealing the user's payment information. In addition to the classic injection of JavaScript code into the client side of the site, the criminal group also used techniques for injecting code into the server side of the site, namely the PHP scripts that process user-entered data. This technique is dangerous because it makes it difficult for third-party researchers to detect the malicious code. Group-IB specialists discovered a version of the sniffer embedded in the site's PHP code, using the domain dittm.org as a gateway.
An early version of the sniffer was also found that uses the same domain, dittm.org, to collect stolen data, but this version is intended for installation on the client side of the online store.
The group later changed its tactics and began to focus more on hiding malicious activity and masking.
In early 2017, the group started using the domain jquery-js.com, masquerading as a jQuery CDN: when visiting the attackers' site, the user was redirected to the legitimate site jquery.com.
And in mid-2018, the group adopted the domain name g-analytics.com and began to disguise the sniffer's activity as the legitimate Google Analytics service.
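The look-alike hosting described here for G-Analytics (jquery-js.com, g-analytics.com, google-analytics.cm) and earlier for ReactGet (reactjsapi.com, newrelicnet.com) is something a store can check for mechanically: every third-party host a page loads scripts or beacons from is compared with the services it is supposed to use. The block below is an added example, not code from the report or from any of the groups it describes; the allowlist and the sample hosts are constructed for the example, and the registrable-domain logic is a deliberately crude "last two labels" rule rather than a public-suffix parser.

```javascript
// Added example (not from the Group-IB report): flag third-party resource
// hosts that imitate well-known services, as the ReactGet and G-Analytics
// infrastructure does. The allowlist and sample hosts are constructed here;
// a real deployment would use the store's own CSP allowlist.

const ALLOWED_THIRD_PARTY_HOSTS = [
  "www.google-analytics.com",
  "code.jquery.com",
  "js-agent.newrelic.com",
];

// Crude registrable-domain extraction: the last two labels. Adequate for the
// .com/.cm/.org/.link style domains in this report; not a public-suffix parser.
function registrable(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Levenshtein edit distance, single-row version. Catches one- or two-character
// look-alikes such as google-analytics.cm vs google-analytics.com.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

const MIN_TOKEN = 5; // ignore short tokens such as "js" or "g" when comparing brand words

function brandTokens(name) {
  return name.split(/[^a-z0-9]+/).filter((t) => t.length >= MIN_TOKEN);
}

// Returns "allowed", "lookalike" or "unknown" for one resource host.
function classifyHost(host) {
  const hostReg = registrable(host);
  const hostName = hostReg.split(".")[0];
  for (const allowed of ALLOWED_THIRD_PARTY_HOSTS) {
    const allowedReg = registrable(allowed);
    if (hostReg === allowedReg) return "allowed"; // any subdomain of an allowed registrable domain
    const allowedName = allowedReg.split(".")[0];
    // near-identical spelling or swapped TLD
    if (levenshtein(hostReg, allowedReg) <= 2) return "lookalike";
    // brand name embedded in a longer name (newrelicnet vs newrelic)
    if (hostName.length >= MIN_TOKEN && allowedName.length >= MIN_TOKEN &&
        (hostName.includes(allowedName) || allowedName.includes(hostName))) return "lookalike";
    // shared brand word across hyphenated names (g-analytics vs google-analytics)
    if (brandTokens(hostName).some((t) => brandTokens(allowedName).includes(t))) return "lookalike";
  }
  return "unknown";
}

// Audit the set of hosts seen in a page's script and image requests.
function auditHosts(hosts) {
  const report = { allowed: [], lookalike: [], unknown: [] };
  for (const h of hosts) report[classifyHost(h)].push(h);
  return report;
}

// Constructed sample: hosts as they might appear in a store's page load.
const SAMPLE_HOSTS = ["ssl.google-analytics.com", "g-analytics.com", "jquery-js.com",
  "googlc-analytics.cm", "newrelicnet.com", "cdn.shopify.com"];
console.log(auditHosts(SAMPLE_HOSTS));
```

An "unknown" host is not necessarily malicious; it is simply one the allowlist does not cover and so should be reviewed. A "lookalike" host is the stronger signal, because a legitimate vendor has no reason to serve from a near-copy of its own name.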
Version analysis
During the analysis of the domains used to store the sniffer code, it was found that the site contains a large number of versions, which differ in the presence of obfuscation, as well as in the presence or absence of unreachable code added to the file to divert attention and hide the malicious code.
In total, six versions of the sniffer were identified on the site jquery-js.com. These sniffers send the stolen data to an address on the same site as the sniffer itself, hxxps://jquery-js[.]com/latest/jquery.min.js:
- hxxps://jquery-js[.]com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
The later domain g-analytics.com, used by the group in attacks since mid-2018, serves as a repository for a larger number of sniffers. In total, 16 different versions of the sniffer were found. In this case, the gateway for sending stolen data was disguised as a link to a GIF-format image: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.]com/libs/analytics.js
Monetization of stolen data
The criminal group monetizes the stolen data by selling the cards through a specially created underground store that provides carding services. Analysis of the domains used by the attackers allowed us to determine that google-analytics.cm was registered by the same user as the domain cardz.vc. The domain cardz.vc refers to the store selling stolen bank cards Cardsurfs (Flysurfs), which gained popularity in the days of the AlphaBay underground marketplace as a store selling bank cards stolen with the help of a sniffer.
Analyzing the domain gorfayn.is, located on the same servers the sniffers use to collect stolen data, Group-IB specialists found a file containing cookie-stealer logs, which the developer apparently abandoned later. One of the log entries contained the domain iozoz.com, which had previously been used in one of the sniffers active in 2016. Presumably this domain was previously used by the attacker to collect cards stolen using a sniffer. This domain was registered to the email address [email protected], which was also used to register the domains cardz.su and cardz.vc, associated with the Cardsurfs card shop.
Based on the data obtained, it can be assumed that the G-Analytics sniffer family and the underground store selling bank cards Cardsurfs are run by the same people, and the store is used to sell bank cards stolen with the sniffer.
Infrastructure
Domain | Date discovered/appeared |
---|---|
iozoz.com | 08.04.2016 |
dittm.org | 10.09.2016 |
jquery-js.com | 02.01.2017 |
g-analytics.com | 31.05.2018 |
google-analytics.is | 21.11.2018 |
gorfayn.to | 04.12.2018 |
google-analytics.to | 06.12.2018 |
google-analytics.cm | 28.12.2018 |
gorfayn.is | 28.12.2018 |
googlc-analytics.cm | 17.01.2019 |
The Illum family
Illum is a sniffer family used to attack online stores running the Magento CMS. In addition to injecting malicious code, the operators of this sniffer also inject full-fledged fake payment forms that send data to gateways controlled by the attackers.
When analyzing the network infrastructure used by the sniffer operators, a large number of malicious scripts, exploits and fake payment forms were noted, as well as a collection of malicious sniffer samples from competitors. Based on information about the appearance dates of the domain names used by the group, it can be assumed that the campaign began at the end of 2016.
How Illum is embedded in the online store's code
The first discovered versions of the sniffer were embedded directly into the code of the hacked site. The stolen data was sent to cdn.illum[.]pw/records.php, with the gateway encoded using base64.
Later, a packed version of the sniffer was found that uses a different gateway: records.nstatistics[.]com/records.php.
Analysis of the attackers' website
Group-IB experts discovered and analyzed a website used by this criminal group to store tools and collect stolen information.
Among the tools found on the attackers' server were scripts and exploits for privilege escalation on Linux: for example, the Linux privilege checker script by Mike Czumak, as well as an exploit for CVE-2009-1185.
The attackers used two exploits directly to attack online stores:
Also, during the analysis of the server, various samples of sniffers and fake payment forms were found, which the attackers used to collect payment information from hacked sites. As can be seen from the list below, some scripts were created individually for each hacked site, while a universal solution was used for certain CMSs and payment gateways. For example, the scripts segapay_standart.js and segapay_page.js were intended for embedding on sites using the Sage Pay payment gateway.
List of scripts for different payment gateways
| Script | Payment gateway |
|---|---|
| | //request.payrightnow[.]cf/checkpayment.php |
| | //request.payrightnow[.]cf/alldata.php |
| | //request.payrightnow[.]cf/alldata.php |
| | //request.payrightnow[.]cf/alldata.php |
| | //request.payrightnow[.]cf/alldata.php |
| | //request.payrightnow[.]cf/alldata.php |
| | //request.payrightnow[.]cf/checkpayment.php |
| | //cdn.illum[.]pw/records.php |
| | //request.payrightnow[.]cf/checkpayment.php |
| | //cdn.illum[.]pw/records.php |
| | //request.payrightnow[.]cf/alldata.php |
| | //request.payrightnow[.]cf/alldata.php |
| | //request.payrightnow[.]cf/checkpayment.php |
| | //request.payrightnow[.]cf/checkpayment.php |
| | //request.payrightnow[.]cf/alldata.php |
| | //cdn.illum[.]pw/records.php |
| | //cdn.illum[.]pw/records.php |
| | //request.payrightnow[.]cf/checkpayment.php |
| | //cdn.illum[.]pw/records.php |
| | //request.payrightnow[.]cf/checkpayment.php |
| | //cdn.illum[.]pw/records.php |
| | //payrightnow[.]cf/?payment= |
| | //payrightnow[.]cf/?payment= |
| | //paymentnow[.]tk/?payment= |
The host paymentnow[.]tk, used as the gateway for the script payment_forminsite.js, was found as the subjectAltName of several certificates associated with the CloudFlare service. In addition, the host contains the script evil.js. Judging by the script's name, it could be used as part of the exploitation of CVE-2016-4010, which makes it possible to inject malicious code into the footer of a site running the Magento CMS. The host used this script as the gateway request.requestnet[.]tk, using a certificate similar to that of the host paymentnow[.]tk.
Fake payment forms
The figure below shows an example of a form for entering card data. This form was used to embed into an online store and steal card data.
The following figure shows an example of a fake PayPal payment form used by the attackers to embed into sites that use this payment method.
Infrastructure
Domain | Date discovered/appeared |
---|---|
cdn.illum.pw | 27/11/2016 |
records.nstatistics.com | 06/09/2018 |
request.payrightnow.cf | 25/05/2018 |
paymentnow.tk | 16/07/2017 |
payment-line.tk | 01/03/2018 |
Paypal.cf | 04/09/2017 |
requestnet.tk | 28/06/2017 |
The CoffeMokko family
The CoffeMokko sniffer family, designed to steal the bank cards of online store users, has been in use since at least May 2017. Presumably the operators of this sniffer family are the criminal group Group 1, described by RiskIQ experts in 2016. Sites running CMSs such as Magento, OpenCart, WordPress, osCommerce and Shopify were attacked.
How CoffeMokko is embedded in the online store's code
The operators of this family create a unique sniffer for each infection: the sniffer file is located in the src or js directory on the attackers' server. Embedding into the site's code is done via a direct link to the sniffer.
The sniffer code hardcodes the names of the form fields from which data is to be stolen. The sniffer also checks whether the user is on the payment page by checking the user's current address against a list of keywords.
Some discovered versions of the sniffer were obfuscated and contained an encrypted string in which the main array of resources was stored: it contained the form field names for various payment systems, as well as the gateway address to which the stolen data is sent.
The stolen payment data was sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. Presumably this script is used to forward data from the gateway to the main server, which consolidates the data from all sniffers. To hide the transmitted data, all of the victim's payment information is encoded using base64, after which several character substitutions take place:
- the character "e" is replaced with ":"
- the character "w" is replaced with "+"
- the character "o" is replaced with "%"
- the character "d" is replaced with "#"
- the character "a" is replaced with "-"
- the character "7" is replaced with "^"
- the character "h" is replaced with "_"
- the character "T" is replaced with "@"
- the character "0" is replaced with "/"
- the character "Y" is replaced with "*"
As a result of the character substitutions, the base64-encoded data cannot be decoded without first performing the reverse substitution.
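For an analyst who has captured one of these POST bodies, the reverse substitution is a ten-entry table applied before base64 decoding. The block below is an added example, not the sniffer's own code; the "captured" blobs are constructed for the example. It also shows the one caveat the scheme carries: "+" and "/" are themselves legal base64 characters, so a payload whose base64 form contains them is not recoverable exactly, because the reverse map cannot tell a genuine "+" from a substituted "w".

```javascript
// Added example (not the sniffer's own code): reverse the post-base64 character
// substitution that the report attributes to CoffeMokko, so that a payload
// captured from exfiltration traffic can be read during incident analysis.
// The captured blobs below are constructed for this example.

// The ten substitutions listed above, applied by the sniffer after base64 encoding.
const SUBSTITUTION = { e: ":", w: "+", o: "%", d: "#", a: "-", "7": "^", h: "_", T: "@", "0": "/", Y: "*" };
const REVERSE = Object.fromEntries(Object.entries(SUBSTITUTION).map(([from, to]) => [to, from]));

// Apply a character map, leaving characters that are not in the table untouched.
function mapChars(text, table) {
  return Array.from(text, (c) => (Object.prototype.hasOwnProperty.call(table, c) ? table[c] : c)).join("");
}

// Forward transform, used here only to build test inputs.
function encodeCoffeMokko(plaintext) {
  return mapChars(Buffer.from(plaintext, "utf8").toString("base64"), SUBSTITUTION);
}

// Reverse substitution followed by base64 decoding.
// Caveat: "+" and "/" are legal base64 characters, so the reverse map turns a
// genuine "+" into "w" and a genuine "/" into "0"; payloads whose base64 form
// contains those two characters cannot be recovered exactly.
function decodeCoffeMokko(blob) {
  return Buffer.from(mapChars(blob, REVERSE), "base64").toString("utf8");
}

// Constructed captured values, as they would appear in the POST to /tr/index.php.
const CAPTURED = ["#GVz#A==", "-GVsbG8=", "*WJj"];
for (const blob of CAPTURED) console.log(blob, "->", decodeCoffeMokko(blob));
```

A detection rule built from the same table is straightforward: a POST to an unfamiliar host whose body is base64-shaped but contains ":", "#", "%" or "@" in positions where base64 never does is worth a look, since ordinary base64 never produces those characters.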
This is what a fragment of the non-obfuscated sniffer code looks like:
Infrastructure analysis
In early campaigns, the attackers registered domain names similar to those of legitimate online stores. Their domain could differ from the legitimate one by a single character or by a different TLD. The registered domains were used to store the sniffer code, a link to which was embedded in the store's code.
This group also used domain names reminiscent of popular jQuery plugins (slickjs[.]org for sites using the slick.js plugin) and payment gateways (sagecdn[.]org for sites using the Sage Pay payment system).
Later, the group began to create domains whose names had nothing to do with the store's domain or the store's theme.
Each domain corresponds to a site directory created at /js or /src. Sniffer scripts were stored in this directory: one sniffer for each new infection. The sniffer was embedded into the website's code via a direct link, but in rare cases the attackers modified one of the site's files and added malicious code to it.
Code analysis
First obfuscation algorithm
In some discovered sniffer samples of this family, the code was obfuscated and contained encrypted data necessary for the sniffer to operate: in particular, the sniffer gateway address, the list of payment form fields and, in some cases, the code of a fake payment form. In the code inside the function, the resources were encrypted using XOR with a key passed as an argument to the same function.
By decrypting the string with the appropriate key, unique to each sample, you obtain a string containing all the strings of the sniffer code separated by a delimiter character.
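The first algorithm is a repeating-key XOR over the resource string, after which the result is split on a delimiter, so recovering the resource array from a sample comes down to three values read out of the obfuscated script: the blob, the key argument and the separator. The block below is an added example, not the sniffer's own code; the blob, key and separator are constructed for it. The final helper picks the gateway out of the recovered list, which is the value an incident responder usually wants first.

```javascript
// Added example (not the sniffer's own code): recover the resource array from
// a CoffeMokko-style sample that XORs its strings with a key passed as a
// function argument, as described above. Blob, key and separator are
// constructed for this example; in a real sample all three are read from the
// obfuscated script.

// XOR each byte of the hex-encoded blob with the repeating key.
function xorDecrypt(hexBlob, key) {
  const bytes = Buffer.from(hexBlob, "hex");
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  }
  return out.toString("latin1");
}

// Decrypt and split on the delimiter to get the sniffer's resource list
// (gateway address, form field names, and so on).
function unpackResources(hexBlob, key, separator) {
  return xorDecrypt(hexBlob, key).split(separator);
}

// Pick the first resource that looks like a host or URL: the exfiltration gateway.
function findGateway(resources) {
  return resources.find((r) => /^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/|$)/i.test(r)) || null;
}

// Constructed sample: "gate.invalid|cc_number|cvv" XORed with the key "xk".
const SAMPLE_BLOB = "1f0a0c0e5602161d1907110f04081b34161e15091d1904080e1d";
const SAMPLE_KEY = "xk";
const SAMPLE_SEPARATOR = "|";

const resources = unpackResources(SAMPLE_BLOB, SAMPLE_KEY, SAMPLE_SEPARATOR);
console.log(resources);
console.log("gateway:", findGateway(resources));
```

Because XOR is its own inverse, the same function decrypts whatever the obfuscator produced; the only sample-specific work is locating the key argument, which the report notes is unique per sample.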
Second obfuscation algorithm
In later sniffer samples of this family, a different obfuscation mechanism was used: in this case, the data was encrypted using a self-written algorithm. A string containing the encrypted data necessary for the sniffer to operate was passed as an argument to the decryption function.
Using the browser console, you can decrypt the encrypted data and obtain an array containing the sniffer's resources.
Link to the early MageCart attacks
During the analysis of one of the domains used by the group as a gateway for collecting stolen data, it was found that this domain hosted credit card theft infrastructure identical to that used by Group 1, one of the first groups.
Two files were found on the CoffeMokko sniffer family host:
- mage.js: a file containing Group 1 code with the gateway address js-cdn.link
- mag.php: a PHP script responsible for collecting the data stolen by the sniffer
Contents of the mage.js file
It was also determined that the first domains used by the group behind the CoffeMokko sniffer family were registered on May 17, 2017:
- link-js[.]link
- info-js[.]link
- track-js[.]link
- map-js[.]link
- smart-js[.]link
The naming pattern of these domain names matches the domain names of Group 1 used in the 2016 attacks.
Based on the facts found, it can be assumed that there is a connection between the operators of the CoffeMokko sniffer and the criminal group Group 1. Presumably the CoffeMokko operators could have borrowed tools and software from their predecessors to steal cards. However, it is more likely that the criminal group behind the use of the CoffeMokko sniffer family are the same people who carried out the Group 1 attacks. ...blocked, and the tools were studied in detail and described. The group was forced to take a break, clean up its internal tools and rewrite the sniffer code in order to continue its attacks undetected.
Infrastructure
Domain | Date discovered/appeared |
---|---|
link-js.link | 17.05.2017 |
info-js.link | 17.05.2017 |
track-js.link | 17.05.2017 |
map-js.link | 17.05.2017 |
smart-js.link | 17.05.2017 |
adobeauty.org | 03.09.2017 |
ammaanka-payment.su | 03.09.2017 |
braincdn.org | 04.09.2017 |
sagecdn.org | 04.09.2017 |
slickjs.org | 04.09.2017 |
oakandfort.org | 10.09.2017 |
citywlnery.org | 15.09.2017 |
dobell.su | 04.10.2017 |
childrensplayclothing.org | 31.10.2017 |
jewsondirect.com | 05.11.2017 |
shop-rnib.org | 15.11.2017 |
closetlondon.org | 16.11.2017 |
misshaus.org | 28.11.2017 |
Battery-force.org | 01.12.2017 |
kik-vape.org | 01.12.2017 |
greatfurnituretradingco.org | 02.12.2017 |
etradesupply.org | 04.12.2017 |
replacemyremote.org | 04.12.2017 |
all-about-sneakers.org | 05.12.2017 |
mage-checkout.org | 05.12.2017 |
nililotan.org | 07.12.2017 |
lamoodbighat.net | 08.12.2017 |
walletgear.org | 10.12.2017 |
dahlie.org | 12.12.2017 |
davidsfootwear.org | 20.12.2017 |
blackriverimaging.org | 23.12.2017 |
exrpesso.org | 02.01.2018 |
jardiinooyin.su | 09.01.2018 |
pmtonline.su | 12.01.2018 |
otocap.org | 15.01.2018 |
christohperward.org | 27.01.2018 |
coffetea.org | 31.01.2018 |
energycoffe.org | 31.01.2018 |
energytea.org | 31.01.2018 |
teacoffe.net | 31.01.2018 |
adaptivecss.org | 01.03.2018 |
coffemokko.com | 01.03.2018 |
londontea.net | 01.03.2018 |
ukcoffe.com | 01.03.2018 |
labbe.biz | 20.03.2018 |
Batterynart.com | 03.04.2018 |
btosports.net | 09.04.2018 |
chicksaddlery.net | 16.04.2018 |
paypaypay.org | 11.05.2018 |
ar500arnor.com | 26.05.2018 |
idman.com | 28.05.2018 |
slickmin.com | 28.05.2018 |
bannerbuzz.info | 03.06.2018 |
kandypens.net | 08.06.2018 |
mylrendyphone.com | 15.06.2018 |
freshchat.info | 01.07.2018 |
3lift.org | 02.07.2018 |
abtasty.net | 02.07.2018 |
mechat.info | 02.07.2018 |
zoplm.com | 02.07.2018 |
zapaljs.com | 02.09.2018 |
foodandcott.com | 15.09.2018 |
freshdepor.com | 15.09.2018 |
swappastore.com | 15.09.2018 |
verywellfitnesse.com | 15.09.2018 |
elegrina.com | 18.11.2018 |
majsurplus.com | 19.11.2018 |
top5value.com | 19.11.2018 |
Source: www.habr.com