Almost all of us use online store services, which means that sooner or later we risk becoming a victim of JavaScript sniffers: special code that attackers inject into a website to steal users' bank card data, addresses, logins and passwords.
Almost 400,000 users of the British Airways website and mobile app have already been affected by sniffers, as have visitors to the UK website of the sporting goods giant FILA and the American ticket seller Ticketmaster. PayPal, Chase Paymentech, USAePay, Moneris: these and many other payment systems were compromised.
Group-IB Threat Intelligence analyst Viktor Okorokov explains how sniffers are embedded into website code and steal payment information, and which CRMs they attack.
"A hidden threat"
It so happened that for a long time JS sniffers stayed out of sight of anti-virus analysts, and banks and payment systems did not see them as a serious threat. And completely in vain. Group-IB experts
Let us look in detail at the four sniffer families studied during the research.
The ReactGet family
Sniffers of the ReactGet family are used to steal bank card data on online store sites. A sniffer can work with a large number of different payment systems used on a site: one parameter value corresponds to one payment system, and individual detected versions of the sniffer can be used to steal credentials, as well as to steal bank card data from the payment forms of several payment systems at once, like a so-called universal sniffer. It was found that in some cases the attackers carry out phishing attacks on online store administrators in order to gain access to the site's administrative panel.
The campaign using this sniffer family began in May 2017; sites running the Magento CMS and the Bigcommerce and Shopify platforms were attacked.
How ReactGet is embedded into the code of an online store
In addition to the "classic" injection of the script via a link, the operators of the ReactGet sniffer family use a special technique: JavaScript code checks whether the current address the user is on matches certain criteria. The malicious code is executed only if the current URL contains one of the substrings checkout, onestep, onepage/, out/onepage, out/one or ckout/one. Thus, the sniffer code runs exactly at the moment when the user proceeds to pay for purchases and enters payment information into the form on the site.
This sniffer uses a non-standard technique. The victim's payment and personal data are collected together and base64-encoded, and the resulting string is then used as a parameter to send a request to the attackers' website. Most often the path to the gate imitates a JavaScript file, for example resp.js, data.js and so on, but links to image files, GIF and JPG, are also used. The peculiarity is that the sniffer creates a 1 by 1 pixel image object and uses the previously obtained link as its src parameter. That is, for the user such a request looks in traffic like a request for an ordinary image. A similar technique was used in the ImageID sniffer family. Moreover, the 1 by 1 pixel image technique is used in many legitimate web analytics scripts, which can also mislead the user.
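To show what the image-request disguise described above looks like in proxy logs and how a defender can flag it, here is an added Python example (not code from the original article or from the sniffer): it scans constructed log lines for requests to script- or image-like paths carrying a long base64 query parameter that decodes to text with a Luhn-valid card number. The log format, hostnames and payload are all constructed for the example.

```python
import base64
import re
from urllib.parse import quote, unquote, urlparse

# Requests whose path imitates a script or image file, as the ReactGet gate does.
EXFIL_PATH = re.compile(r"\.(?:js|gif|jpe?g|png)$", re.IGNORECASE)
# A query value that looks like base64 and is long enough to carry form data.
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Candidate primary account numbers: 13 to 19 digits not adjacent to other digits.
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used to confirm that a digit run is a plausible card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_b64(value: str):
    """Return the UTF-8 text behind a base64 query value, or None if it is not one."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def query_values(query: str):
    """Split a query string without turning '+' into spaces (it is base64 data here)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        yield key, unquote(value)


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four digits when reporting a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(log_text: str):
    """Flag log lines whose URL matches the script/image-with-base64-payload pattern.

    Expected line format (constructed for this example): '<timestamp> <method> <url> <status>'.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        url = parts[2]
        parsed = urlparse(url)
        if not EXFIL_PATH.search(parsed.path):
            continue
        for key, value in query_values(parsed.query):
            if not B64_VALUE.match(value):
                continue
            text = decode_b64(value)
            if text is None:
                continue
            pans = [p for p in PAN.findall(text) if luhn_ok(p)]
            if pans:
                hits.append({"url": url, "param": key,
                             "pans": [mask_pan(p) for p in pans]})
    return hits


# Constructed sample: a checkout visit, a legitimate script, the disguised
# exfiltration request (payload built here with a well-known test PAN), and a
# harmless tracking pixel. None of these hosts or values come from the article.
FAKE_PAYLOAD = "number=4111111111111111&exp=12/23&cvv=123&name=Jane+Doe"
FAKE_PARAM = quote(base64.b64encode(FAKE_PAYLOAD.encode()).decode(), safe="")
SAMPLE_LOG = f"""\
2019-01-15T10:01:02Z GET https://shop.example/checkout/onepage/ 200
2019-01-15T10:01:05Z GET https://cdn.example/js/app.js 200
2019-01-15T10:01:09Z GET https://stats-example.test/resp.js?r={FAKE_PARAM}&z=1 200
2019-01-15T10:01:10Z GET https://img.example/pixel.gif?u=abc 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the third line is reported; the legitimate script and the short tracking-pixel parameter pass through untouched.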
Version analysis
Analysis of the active domains used by the ReactGet sniffer operators revealed many different versions of this sniffer family. The versions differ in the presence or absence of obfuscation; in addition, each sniffer is designed for a specific payment system that processes bank card payments for online stores. Having sorted the parameter values corresponding to the version number, Group-IB specialists obtained a full list of the available sniffer variants, and from the names of the form fields each sniffer searches for in the page code, they identified the payment systems the sniffer targets.
List of sniffers and their payment systems
Sniffer URL | Payment system |
---|---|
(The sniffer URL column of this table is not reproduced here; the payment systems it lists are Authorize.Net, Card Save, eWAY Rapid, Adyen, USAePay, Moneris, PayPal, Sage Pay, Verisign, Stripe, Realex, LinkPoint, DataCash, ANZ eGate, Chase Paymentech, PsiGate, CyberSource, First Data Global Gateway, Braintree, Westpac PayWay, PayFort, EBizCharge, PayPal Payflow Pro, Flint, Fat Zebra and QuickBooks Merchant Services.)
Password sniffer
One advantage of JavaScript sniffers operating on the client side of a website is their versatility: malicious code embedded in a website can steal any type of data, whether payment data or the login and password of a user account. Group-IB specialists discovered a sample of a ReactGet family sniffer designed to steal the email addresses and passwords of website users.
Overlaps with the ImageID sniffer
During analysis of one of the infected stores, it was found that its site had been infected twice: in addition to the malicious code of a ReactGet family sniffer, the code of an ImageID family sniffer was found. This overlap may be evidence that the operators behind both sniffers use similar techniques to inject malicious code.
Universal sniffer
Analysis of one of the domain names associated with the ReactGet sniffer infrastructure revealed that the same user had registered three other domain names. These three domains imitated the domains of real sites and had previously been used to host sniffers. While analyzing the code of three legitimate sites, an unknown sniffer was found, and further analysis showed that it was an improved version of the ReactGet sniffer. All previously tracked versions of this sniffer family were aimed at a single payment method, that is, each payment system required a special version of the sniffer. In this case, however, a universal version of the sniffer was discovered, capable of stealing information from forms associated with 15 different payment systems and e-commerce site modules for making online payments.
So, at the start of its work, the sniffer searched for the basic form fields containing the victim's personal information: full name, physical address, phone number.
The sniffer then searched for 15 different prefixes corresponding to different payment systems and online payment modules.
After that, the victim's personal data and payment information were collected together and sent to a site controlled by the attacker: in this case, two different versions of the universal ReactGet sniffer were discovered, found on two different hacked sites. Nevertheless, both versions sent the stolen data to the same hacked site, zoobashop.com.
Analysis of the prefixes the sniffer used to search for fields containing the victim's payment information allowed us to determine that this sniffer sample targeted the following payment systems:
- Authorize.Net
- Verisign
- First Data
- USAePay
- Stripe
- PayPal
- ANZ eGate
- Braintree
- DataCash (MasterCard)
- Realex Payments
- PsiGate
- Heartland Payment Systems
What tools are used to steal payment data?
The first tool, discovered during analysis of the attackers' infrastructure, is used to obfuscate the malicious scripts responsible for stealing bank cards. A bash script using the project's CLI was found on one of the attackers' hosts
The second tool discovered is designed to generate the code responsible for loading the main sniffer. This tool generates JavaScript code that checks whether the user is on the payment page by searching the user's current address for the strings checkout, cart and so on, and if the result is positive, the code loads the main sniffer from the attackers' server. To hide the malicious activity, all strings, including the test strings for detecting the payment page and the link to the sniffer, are base64-encoded.
Phishing attacks
Analysis of the attackers' web infrastructure revealed that the criminal group often uses phishing to gain access to the administrative panel of the targeted online store. The attackers register a domain visually similar to the store's domain and then deploy a fake Magento admin panel login form on it. If successful, the attackers gain access to the administrative panel of the Magento CMS, which allows them to edit site components and implant a sniffer to steal credit card data.
Infrastructure
The G-Analytics family
This sniffer family is used to steal customer cards from online stores. The first domain name used by the group was registered in April 2016, which may indicate that the group began operating in mid-2016.
In the current campaign, the group uses domain names imitating real services such as Google Analytics and jQuery, masking the activity of the sniffers behind legitimate scripts and domain names similar to legitimate ones. Sites running the Magento CMS were attacked.
How G-Analytics is embedded into the code of an online store
A distinctive feature of this family is the use of different methods of stealing users' payment information. In addition to the classic injection of JavaScript code into the client side of the site, the criminal group also used code injection on the server side of the site, namely PHP scripts that process data entered by users. This technique is dangerous because it makes it harder for third-party researchers to detect the malicious code. Group-IB specialists discovered a version of the sniffer embedded into the PHP code of a site, using the domain dittm.org as the gate.
An early version of the sniffer was also found that uses the same domain, dittm.org, to collect stolen data, but this version is intended for installation on the client side of the online store.
Later the group changed its tactics and began focusing more on hiding and masking its malicious activity.
In early 2017, the group began using the domain name jquery-js.com, posing as a CDN for jQuery: when visiting the attackers' site, the user is redirected to the legitimate site jquery.com.
And in mid-2018, the group adopted the domain name g-analytics.com and began disguising the sniffer's activity as the legitimate Google Analytics service.
Version analysis
During analysis of the domains used to store the sniffer code, it was found that the site hosts a large number of versions that differ in the presence of obfuscation, as well as in the presence or absence of unreachable code added to the file to distract attention and hide the malicious code.
In total, six versions of sniffers were identified on jquery-js.com. These sniffers send stolen data to an address located on the same site as the sniffer itself, hxxps://jquery-js[.]com/latest/jquery.min.js:
Later the domain name g-analytics.com, used by the group in attacks since mid-2018, served as a repository for a large number of sniffers. In total, 16 different versions of the sniffer were discovered. In this case, the gate for sending stolen data was disguised as a link to a GIF image: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid=1283183910.1527732071:
Monetization of the stolen data
The criminal group monetizes the stolen data by selling cards through a specially created underground store that provides services to carders. Analysis of the domains used by the attackers allowed us to establish that google-analytics.cm was registered by the same user as the domain cardz.vc. The domain cardz.vc refers to the stolen bank card shop Cardsurfs (Flysurfs), which gained popularity back in the days of the AlphaBay underground marketplace as a shop selling bank cards stolen with a sniffer.
Analyzing the domain analytical.ke, located on the same server as the domains used by the sniffers to collect stolen data, Group-IB specialists discovered a file with cookie-stealer logs, which was apparently later abandoned by the developer. One of the log entries contained the domain name iozoz.com, which had previously been used in one of the sniffers active in 2016. Presumably, this domain was earlier used by the attacker to collect cards stolen with a sniffer. This domain was registered to the email address [email protected], which was also used to register the domains cardz.su and cardz.vc, associated with the Cardsurfs card shop.
Based on the data obtained, it can be assumed that the G-Analytics sniffer family and the Cardsurfs underground bank card shop are run by the same people, and that the shop is used to sell bank cards stolen with the sniffer.
Infrastructure
The Illum family
Illum is a sniffer family used to attack online stores running the Magento CMS. In addition to injecting malicious code, the operators of this sniffer also inject complete fake payment forms that send data to gates controlled by the attackers.
During analysis of the network infrastructure used by the operators of this sniffer, a large number of malicious scripts, exploits, fake payment forms, and a collection of samples with malicious sniffers from competitors were noted. Based on information about the dates of appearance of the domain names used by the group, it can be assumed that the campaign began at the end of 2016.
How Illum is embedded into the code of an online store
The first discovered versions of the sniffer were embedded directly into the code of the compromised site. The stolen data was sent to cdn.illum[.]pw/records.php; the gate was base64-encoded.
Later, a packed version of the sniffer was discovered using a different gate: records.nstatistics[.]com/records.php.
According to
Analysis of the attackers' server
Group-IB specialists discovered and analyzed the server used by this criminal group to store tools and collect stolen data.
Among the tools found on the attackers' server were scripts and exploits for privilege escalation in Linux: for example, the Linux Privilege Escalation Check Script developed by Mike Czumak, as well as an exploit for CVE-2009-1185.
The attackers used two exploits directly to attack online stores:
Also, during analysis of the server, various sniffer samples and fake payment forms were discovered, used by the attackers to collect information from hacked sites. As can be seen from the list below, some scripts were created individually for each hacked site, while a universal solution was used for a specific CMS and payment gateways. For example, the scripts segapay_standart.js and segapay_onpage.js are designed for deployment on sites using the Sage Pay payment gateway.
List of scripts for different payment gateways
Script | Payment gateway |
---|---|
(The script column of this table is not reproduced here; the gateways it lists are //request.payrightnow[.]cf/checkpayment.php, //request.payrightnow[.]cf/alldata.php, //cdn.illum[.]pw/records.php, //payrightnow[.]cf/?payment= and //paymentnow[.]tk/?payment=.)
The host paynow[.]tk, used as the gate in the script pay_forminsite.js, was found as a subjectAltName in several certificates associated with the CloudFlare service. In addition, the host contained the script evil.js. Judging by the script's name, it could be used as part of the exploitation of CVE-2016-4010, which makes it possible to inject malicious code into the footer of a site running the Magento CMS. The host request.requestnet[.]tk used this script as a gate, with the same certificate as the host paynow[.]tk.
Fake payment forms
The image below shows an example of a card data entry form. This form was used for injection into the online store's site and for stealing card data.
The following figure shows an example of a fake PayPal payment form that the attackers used for injection into sites with this payment method.
Infrastructure
The CoffeMokko family
The CoffeMokko sniffer family, designed to steal bank cards from online store users, has been in use since at least May 2017. Presumably, the operators of this sniffer family are the criminal group Group 1, described by RiskIQ specialists in 2016. Sites running CMS such as Magento, OpenCart, WordPress, osCommerce and Shopify were attacked.
How CoffeMokko is embedded into the code of an online store
The operators of this family create unique sniffers for each infection: the sniffer file is located in the src or js directory on the attackers' server. Embedding into the site code is done via a direct link to the sniffer.
The sniffer code hardcodes the names of the form fields from which data is to be stolen. The sniffer also checks whether the user is on the payment page by checking the user's current address against a list of keywords.
Some discovered versions of the sniffer were obfuscated and contained an encrypted string holding the main array of resources: it contained the names of form fields for different payment systems, as well as the address of the gate to which the stolen data was to be sent.
The stolen payment data was sent to a script on the attackers' server at the path /savePayment/index.php or /tr/index.php. Presumably, this script is used to forward data from the gate to the main server, which aggregates the data from all sniffers. To hide the transmitted data, all of the victim's payment information is base64-encoded, and then some characters are replaced with others:
- the character "e" is replaced by ":"
- the character "w" is replaced by "+"
- the character "o" is replaced by "%"
- the character "d" is replaced by "#"
- the character "a" is replaced by "-"
- the character "7" is replaced by "^"
- the character "h" is replaced by "_"
- the character "T" is replaced by "@"
- the character "0" is replaced by "/"
- the character "Y" is replaced by "*"
Because of the character substitution applied on top of the base64 encoding, the data cannot be decoded without the reverse transformation.
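As an added example (not code from the original article or from the sniffer itself), the transform described above modelled in Python, together with a decoder for the one real ambiguity it creates: "+" and "/" are the substitutes for "w" and "0" but are also ordinary base64 characters, so the decoder tries both readings of each such character and keeps the readings that yield a valid JSON object. It assumes the collected form fields are serialized as JSON before encoding; the sample payload is constructed.

```python
import base64
import json
from itertools import product

# Character substitution applied to the base64 string, as listed in the article.
SUBST = {"e": ":", "w": "+", "o": "%", "d": "#", "a": "-",
         "7": "^", "h": "_", "T": "@", "0": "/", "Y": "*"}
FORWARD = str.maketrans(SUBST)
# Reverse map for the substitutes that cannot be confused with base64 characters.
# '+' and '/' are handled separately because they are also base64 alphabet members.
REVERSE_SAFE = str.maketrans({v: k for k, v in SUBST.items() if v not in "+/"})


def mangle(payload: bytes) -> str:
    """Model of the sniffer's outbound encoding: base64, then the substitution."""
    return base64.b64encode(payload).decode("ascii").translate(FORWARD)


def candidates(blob: str):
    """Yield every base64 string the blob could have been produced from.

    Each '+' in the blob was either a substituted 'w' or an original '+', and
    each '/' was either a substituted '0' or an original '/'.
    """
    fixed = blob.translate(REVERSE_SAFE)
    slots = [i for i, ch in enumerate(fixed) if ch in "+/"]
    for choice in product((True, False), repeat=len(slots)):
        chars = list(fixed)
        for i, substituted in zip(slots, choice):
            if substituted:
                chars[i] = "w" if chars[i] == "+" else "0"
        yield "".join(chars)


def recover(blob: str, max_slots: int = 16):
    """Return the JSON objects obtainable by reversing the transform.

    The true payload is always among the results; a wrong reading of an
    ambiguous character almost always breaks base64, UTF-8 or JSON validity
    and is filtered out. Raises ValueError if the search space is too large.
    """
    n_slots = sum(1 for ch in blob if ch in "+/")
    if n_slots > max_slots:
        raise ValueError(f"{n_slots} ambiguous characters, refusing 2**{n_slots} candidates")
    results = []
    for b64 in candidates(blob):
        try:
            obj = json.loads(base64.b64decode(b64, validate=True))
        except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
            continue
        if isinstance(obj, dict) and obj not in results:
            results.append(obj)
    return results


# Constructed sample of what a sniffer would collect from a checkout form
# (a well-known test card number, not real data).
SAMPLE_FORM = {"cc_number": "4111111111111111", "cc_exp": "12/23",
               "cc_cid": "123", "holder": "Jane Doe"}

if __name__ == "__main__":
    blob = mangle(json.dumps(SAMPLE_FORM).encode())
    print("mangled:", blob)
    print("recovered:", recover(blob))
```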
This is what a deobfuscated fragment of the sniffer code looks like:
Infrastructure analysis
In early campaigns, the attackers registered domain names similar to those of legitimate online stores. Their domain could differ from the legitimate one by a single character or by a different TLD. The registered domains were used to store the sniffer code, a link to which was embedded in the store's code.
This group also used domain names reminiscent of popular jQuery plugins (slickjs[.]org for sites using the slick plugin) and of payment gateways (sagecdn[.]org for sites using the Sage Pay payment gateway).
Later the group began creating domains whose names had nothing to do with the store's domain or its theme.
Each domain corresponded to a site on which a directory /js or /src was created. Sniffer scripts were stored in this directory: one for each new infection. The sniffer was embedded into the site code via a direct link, but in rare cases the attackers modified one of the site's files and added the malicious code to it.
Code analysis
First obfuscation algorithm
In some discovered samples of this family's sniffers, the code was obfuscated and contained the encrypted data necessary for the sniffer to operate: in particular, the address of the sniffer gate, the list of payment form fields and, in some cases, the code of a fake payment form. In the code inside the function, the resources were encrypted using XOR with a key that was passed as an argument to the same function.
By decrypting the string with the appropriate key, unique for each sample, you can obtain a string containing all the strings from the sniffer code separated by a delimiter character.
Second obfuscation algorithm
In later samples of this family's sniffers, a different obfuscation mechanism was used: in this case, the data was encrypted using a custom algorithm. A string containing the encrypted data necessary for the sniffer to operate was passed as an argument to the decryption function.
Using the browser console, you can decrypt the encrypted data and obtain an array containing the sniffer's resources.
Connection to early MageCart attacks
During analysis of one of the domains used by the group as a gate for collecting stolen data, it was found that this domain hosts credit card theft tools identical to those used by Group 1, one of the first groups.
Two files were found on the host of the CoffeMokko family sniffers:
- mage.js: a file containing the Group 1 sniffer code with the gate address js-cdn.link
- mag.php: a PHP script responsible for collecting the data stolen by the sniffer
Contents of the mage.js file
It was also established that the earliest domains used by the group behind the CoffeMokko sniffer family were registered on May 17, 2017:
- link-js[.]link
- info-js[.]link
- track-js[.]link
- map-js[.]link
- smart-js[.]link
The format of these domain names matches the Group 1 domain names used in the 2016 attacks.
Based on the data obtained, it can be assumed that there is a connection between the operators of the CoffeMokko sniffers and the Group 1 criminal group. Perhaps the CoffeMokko operators borrowed tools and software for stealing cards from their predecessors. However, it is more likely that the criminal group behind the use of the CoffeMokko sniffer family is the same people who carried out the Group 1 attacks. After the publication of the first report on the criminal group's activities, all of their domain names were blocked and the tools were studied in detail and described. The group was forced to take a break, refine its internal tools and rewrite the sniffer code in order to continue its attacks and remain undetected.
Infrastructure
Source: www.habr.com