Phantse sonke sisebenzisa iinkonzo zeevenkile ze-intanethi, oku kuthetha ukuba ngokukhawuleza okanye kamva sibeka umngcipheko wokuba lixhoba le-JavaScript sniffers - ikhowudi ekhethekileyo abahlaseli abaphumeza ngayo kwiwebhusayithi ukuba idatha yekhadi lebhanki, iidilesi, ukungena kunye neephasiwedi zabasebenzisi. .
Bamalunga nama-400 abasebenzisi bewebhusayithi yeBritish Airways kunye nesicelo esiphathwayo sele bachatshazelwe ngabantu abarhafayo, kunye neendwendwe kwiwebhusayithi yaseBritane yesigebenga sezemidlalo iFILA kunye nomsasazi wamatikiti waseMelika iTicketmaster. I-PayPal, i-Chase Paymenttech, i-USAePay, i-Moneris - ezi kunye nezinye iinkqubo ezininzi zokuhlawula zosulelekile.
I-Threat Intelligence Group-IB umhlalutyi uViktor Okorokov uthetha malunga nendlela abathuki abangena ngayo ikhowudi yewebhusayithi kwaye beba ulwazi lwentlawulo, kunye nokuba yeyiphi iCRM abayihlaselayo.
"Isisongelo esifihliweyo"
Kwenzekile ukuba ixesha elide i-JS sniffers yahlala ingabonakali kubahlalutyi be-anti-virus, kwaye iibhanki kunye neenkqubo zokuhlawula azizange zibone njengengozi enkulu. Kwaye ngokupheleleyo ngelize. Iingcali zeQela-IB Iivenkile ezingama-2440 ezosulelekileyo kwi-Intanethi, iindwendwe zazo - zizonke zabantu abamalunga ne-1,5 yesigidi ngosuku - babesemngciphekweni wokulalanisa. Phakathi kwamaxhoba akubona abasebenzisi kuphela, kodwa nakwiivenkile ze-intanethi, iinkqubo zokuhlawula kunye neebhanki ezikhuphe amakhadi aphazamisekile.
Iqela le-IB laba sisifundo sokuqala semakethi ye-darknet yabantu abanukayo, iziseko zabo kunye neendlela zokwenza imali, ezisa abadali babo izigidi zeedola. Sichonge iintsapho ezingama-38 zabanuki, apho zazili-12 kuphela ezaziwa ngaphambili ngabaphandi.
Makhe sihlale banzi kwiintsapho ezine zabaphunga ezifundwe ngexesha lokufunda.
ReactGet Family
I-Sniffers yosapho lwe-ReactGet isetyenziselwa ukubiwa idatha yekhadi lebhanki kwiindawo zokuthenga kwi-intanethi. I-sniffer ingasebenza kunye nenani elikhulu leenkqubo ezahlukeneyo zokuhlawula ezisetyenziswa kwisiza: ixabiso leparameter enye ihambelana nenkqubo yokuhlawula enye, kunye neenguqulelo ezichongiweyo zomntu ngamnye zingasetyenziselwa ukuba iziqinisekiso, kunye nokuba idatha yekhadi lebhanki kwintlawulo. Iifomu zeenkqubo ezininzi zokuhlawula ngaxeshanye, ezifana nebizwa ngokuba yi-universal sniffer. Kwafunyaniswa ukuba kwezinye iimeko, abahlaseli baqhuba ukuhlaselwa kwe-phishing kubalawuli beevenkile ze-intanethi ukuze bafumane ukufikelela kwiphaneli yolawulo lwesayithi.
Iphulo elisebenzisa olu sapho lwabaqhubi laqala ngoMeyi ka-2017; iisayithi eziqhuba iCMS kunye neMagento, iBigcommerce, kunye namaqonga akwaShopify ahlaselwa.
Iphunyezwa njani iReactGet kwikhowudi yevenkile ekwi-intanethi
Ukongeza kwi-"classic" yokuphunyezwa kweskripthi ngekhonkco, abaqhubi bentsapho ye-ReactGet ye-sniffers basebenzisa ubuchule obukhethekileyo: usebenzisa ikhowudi yeJavaScript, bahlola ukuba idilesi yangoku apho umsebenzisi ekhoyo ihlangabezana nemilinganiselo ethile. Ikhowudi engalunganga iya kuphunyezwa kuphela ukuba umtya osezantsi ukhona kwi-URL yangoku phuma okanye Inyathelo elinye lokuphuma, iphepha elinye/, ngaphandle/iphepha elinye, ukuphuma/enye, ukuphuma/enye. Ngaloo ndlela, ikhowudi ye-sniffer iya kuphunyezwa kanye ngelo xesha xa umsebenzisi eqhubeka nokuhlawula ukuthenga kwaye afake ulwazi lokuhlawula kwifom kwisayithi.
Le sniffer isebenzisa ubuchule obungekho mgangathweni. Intlawulo yexhoba kunye neenkcukacha zobuqu ziqokelelwa kunye kwaye zifakwe ngekhowudi kusetyenziswa isiseko64, kwaye ke umtya obangelwayo usetyenziswa njengeparameter ukuthumela isicelo kwiwebhusayithi yabahlaseli. Ngokuqhelekileyo, indlela eya esangweni ixelisa ifayile yeJavaScript, umzekelo impendulo.js, idatha.js njalo njalo, kodwa amakhonkco kwiifayile zemifanekiso nazo ziyasetyenziswa, GIF и JPG. Into engaqhelekanga kukuba i-sniffer yenza into yomfanekiso enomlinganiselo we-1 nge-pixel e-1 kwaye isebenzisa ikhonkco elifunyenwe ngaphambili njengeparameter. src Imifanekiso. Oko kukuthi, kumsebenzisi isicelo esinjalo kwitrafikhi siya kujongeka njengesicelo somfanekiso oqhelekileyo. Ubuchule obufanayo busetyenziswe kusapho lwe-ImageID yabaqhubi. Ukongeza, ubuchule bokusebenzisa umfanekiso we-pixel ka-1 nge-1 busetyenziswa kwizikripthi ezininzi ezisemthethweni zohlalutyo lwe-intanethi, ezinokuthi zilahlekise umsebenzisi.
Uhlalutyo lwenguqulelo
Uhlalutyo lwemimandla esebenzayo esetyenziswa ngabaqhubi be-ReactGet sniffer luveze iinguqulelo ezininzi ezahlukeneyo zolu sapho lwabarhafi. Iinguqulelo ziyahluka kubukho okanye ukungabikho kwe-obfuscation, kwaye ukongezelela, i-sniffer nganye yenzelwe inkqubo ethile yokuhlawula eqhuba iintlawulo zekhadi lebhanki kwiivenkile ze-intanethi. Emva kokuhlelwa ngexabiso leparameter ehambelana nenombolo yoguqulelo, iingcali zeQela-IB zifumene uluhlu olupheleleyo lweenguqu ezikhoyo ze-sniffer, kwaye ngamagama eefom zefom ezijonga i-sniffer nganye kwikhowudi yephepha, zichonge iinkqubo zokuhlawula. lowo umphunga ujolise kuyo.
Uluhlu lwabarhoxileyo kunye neenkqubo zabo zokuhlawula ezihambelanayo
| I-URL ye-sniffer | Inkqubo yokuhlawula |
|---|---|
| Gunyazisa.Net | |
| Ugcino lwekhadi | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| eWAY Rapid | |
| Gunyazisa.Net | |
| Adyen | |
| USAePay | |
| Gunyazisa.Net | |
| USAePay | |
| Gunyazisa.Net | |
| Moneris | |
| USAePay | |
| PayPal | |
| SagePay | |
| Verisign | |
| PayPal | |
| ngombala | |
| Realex | |
| PayPal | |
| IkhonkcoPoint | |
| PayPal | |
| PayPal | |
| DataCash | |
| PayPal | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Verisign | |
| Gunyazisa.Net | |
| Moneris | |
| SagePay | |
| USAePay | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| ANZ eGate | |
| Gunyazisa.Net | |
| Moneris | |
| SagePay | |
| SagePay | |
| Chase Paymentech | |
| Gunyazisa.Net | |
| Adyen | |
| PsiGate | |
| Umthombo weCyber | |
| ANZ eGate | |
| Realex | |
| USAePay | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| ANZ eGate | |
| PayPal | |
| PayPal | |
| Realex | |
| SagePay | |
| PayPal | |
| Verisign | |
| Gunyazisa.Net | |
| Verisign | |
| Gunyazisa.Net | |
| ANZ eGate | |
| PayPal | |
| Umthombo weCyber | |
| Gunyazisa.Net | |
| SagePay | |
| Realex | |
| Umthombo weCyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY Rapid | |
| SagePay | |
| SagePay | |
| Verisign | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| ISango lokuqala leDatha yeHlabathi | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Moneris | |
| Gunyazisa.Net | |
| PayPal | |
| Verisign | |
| USAePay | |
| USAePay | |
| Gunyazisa.Net | |
| Verisign | |
| PayPal | |
| Gunyazisa.Net | |
| ngombala | |
| Gunyazisa.Net | |
| eWAY Rapid | |
| SagePay | |
| Gunyazisa.Net | |
| IBraintree | |
| IBraintree | |
| PayPal | |
| SagePay | |
| SagePay | |
| Gunyazisa.Net | |
| PayPal | |
| Gunyazisa.Net | |
| Verisign | |
| PayPal | |
| Gunyazisa.Net | |
| ngombala | |
| Gunyazisa.Net | |
| eWAY Rapid | |
| SagePay | |
| Gunyazisa.Net | |
| IBraintree | |
| PayPal | |
| SagePay | |
| SagePay | |
| Gunyazisa.Net | |
| PayPal | |
| Gunyazisa.Net | |
| Verisign | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| SagePay | |
| SagePay | |
| Westpac PayWay | |
| PayFort | |
| PayPal | |
| Gunyazisa.Net | |
| ngombala | |
| ISango lokuqala leDatha yeHlabathi | |
| PsiGate | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Moneris | |
| Gunyazisa.Net | |
| SagePay | |
| Verisign | |
| Moneris | |
| PayPal | |
| IkhonkcoPoint | |
| Westpac PayWay | |
| Gunyazisa.Net | |
| Moneris | |
| PayPal | |
| Adyen | |
| PayPal | |
| Gunyazisa.Net | |
| USAePay | |
| EBizCharge | |
| Gunyazisa.Net | |
| Verisign | |
| Verisign | |
| Gunyazisa.Net | |
| PayPal | |
| Moneris | |
| Gunyazisa.Net | |
| PayPal | |
| PayPal | |
| Westpac PayWay | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| SagePay | |
| Verisign | |
| Gunyazisa.Net | |
| PayPal | |
| PayFort | |
| Umthombo weCyber | |
| PayPal Payflow Pro | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Verisign | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| SagePay | |
| Gunyazisa.Net | |
| ngombala | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Verisign | |
| PayPal | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| SagePay | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| PayPal | |
| lenyengane | |
| PayPal | |
| SagePay | |
| Verisign | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| ngombala | |
| IQwarha elityebileyo | |
| SagePay | |
| Gunyazisa.Net | |
| ISango lokuqala leDatha yeHlabathi | |
| Gunyazisa.Net | |
| eWAY Rapid | |
| Adyen | |
| PayPal | |
| Iinkonzo zoRhwebo eziKhawulezayo | |
| Verisign | |
| SagePay | |
| Verisign | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| SagePay | |
| Gunyazisa.Net | |
| eWAY Rapid | |
| Gunyazisa.Net | |
| ANZ eGate | |
| PayPal | |
| Umthombo weCyber | |
| Gunyazisa.Net | |
| SagePay | |
| Realex | |
| Umthombo weCyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY Rapid | |
| SagePay | |
| SagePay | |
| Verisign | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| ISango lokuqala leDatha yeHlabathi | |
| Gunyazisa.Net | |
| Gunyazisa.Net | |
| Moneris | |
| Gunyazisa.Net | |
| PayPal |
I-password sniffer
Enye yeenzuzo ze-JavaScript sniffers ezisebenza kwicala lomxhasi wewebhusayithi kukuguquguquka kwazo: ikhowudi ekhohlakeleyo efakwe kwiwebhusayithi inokuba naluphi na uhlobo lwedatha, nokuba yidatha yentlawulo okanye ukungena kunye negama lokugqitha leakhawunti yomsebenzisi. Iingcali zeQela-IB zifumene isampulu yomntu ofuzelayo wosapho lweReactGet, eyilelwe ukuba iidilesi ze-imeyile kunye namagama ayimfihlo abasebenzisi besayithi.
Ukudibana ne-ImageID yesinifa
Ngethuba lokuhlalutya enye yeevenkile ezosulelekileyo, kwafunyaniswa ukuba indawo yayo yasuleleka kabini: ngaphezu kwekhowudi ekhohlakeleyo ye-ReactGet yosapho sniffer, ikhowudi ye-ImageID yosapho sniffer yafunyanwa. Oku kuthungelana kusenokuba bubungqina bokuba abaqhubi abasemva kwabo bobabini abarhayi basebenzisa iindlela ezifanayo ukutofa ikhowudi ekhohlakeleyo.
I-Universal sniffer
Uhlalutyo lwelinye lamagama e-domain ahambelana ne-ReactGet sniffer infrastructure lubonise ukuba umsebenzisi ofanayo ubhalise amanye amagama amathathu esizinda. Le mimandla mithathu ilinganisa imimandla yeewebhusayithi zobomi bokwenyani kwaye ngaphambili yayisetyenziselwa ukusingatha i-sniffers. Xa uhlalutya ikhowudi yeendawo ezintathu ezisemthethweni, i-sniffer engaziwayo yafunyanwa, kwaye uhlalutyo olongezelelweyo lubonise ukuba yinguqu ephuculweyo ye-ReactGet sniffer. Zonke iinguqulelo ezibekwe esweni ngaphambili zale ntsapho ye-sniffers zijoliswe kwinkqubo yokuhlawula enye, oko kukuthi, inkqubo yokuhlawula nganye ifuna inguqu ekhethekileyo ye-sniffer. Nangona kunjalo, kulo mzekelo, inguqu yendalo yonke ye-sniffer yafunyanwa ekwazi ukuba ulwazi kwiifom ezinxulumene ne-15 yeenkqubo ezahlukeneyo zokuhlawula kunye neemodyuli zeendawo ze-e-commerce zokwenza iintlawulo ze-intanethi.
Ngoko ke, ekuqaleni komsebenzi, i-sniffer yafuna amasimi efom esisiseko equlethe ulwazi lomntu wexhoba: igama elipheleleyo, idilesi yendawo, inombolo yefowuni.
I-sniffer emva koko yakhangela ngaphezulu kwe-15 ye-prefixes eyahlukeneyo ehambelana neenkqubo ezahlukeneyo zokuhlawula kunye neemodyuli zokuhlawula kwi-intanethi.
Emva koko, idatha yomntu wexhoba kunye nolwazi lwentlawulo luqokelelwe kunye kwaye luthunyelwe kwindawo elawulwa ngumhlaseli: kulo mzekelo, iinguqulelo ezimbini ze-universal ReactGet sniffer zifunyenwe, ezibekwe kwiindawo ezimbini ezahlukeneyo eziqhekekileyo. Nangona kunjalo, zombini iinguqulelo zithumele idatha ebiweyo kwindawo enye egqekeziweyo zoobashop.com.
Ucazululo lwezimaphambili ezisetyenziswe ngumjongi ukukhangela amabala aqulethe ulwazi lwentlawulo yexhoba lusivumele ukuba sigqibe kwelokuba le sampulu yesniffer ijolise kwezi nkqubo zentlawulo zilandelayo:
- Gunyazisa.Net
- Verisign
- Idatha yokuqala
- USAePay
- ngombala
- PayPal
- ANZ eGate
- IBraintree
- I-DataCash (MasterCard)
- Iintlawulo ze-Realex
- PsiGate
- IiNkqubo zeNtlawulo yeNtlawulo
Zeziphi izixhobo ezisetyenziselwa ukubiwa ulwazi lwentlawulo?
Isixhobo sokuqala, esifunyenwe ngexesha lokuhlalutya iziseko zabahlaseli, sisetyenziselwa ukufihla izikripthi ezinobungozi ezijongene nokubiwa kwamakhadi ebhanki. Isikripthi se-bash sisebenzisa i-CLI yeprojekthi yafunyanwa komnye wabahlaseli ukwenza i-obfuscation yekhowudi yesniffer ngokuzenzekelayo.
Isixhobo sesibini esifunyenweyo senzelwe ukuvelisa ikhowudi enoxanduva lokulayisha i-sniffer ephambili. Esi sixhobo senza ikhowudi yeJavaScript ejonga ukuba ngaba umsebenzisi ukwiphepha lentlawulo ngokukhangela idilesi yangoku yomsebenzisi yeentambo. phuma, inqwelana njalo njalo, kwaye ukuba isiphumo silungile, ke ikhowudi ilayisha i-sniffer ephambili evela kumncedisi wabahlaseli. Ukufihla umsebenzi okhohlakeleyo, yonke imigca, kubandakanywa imigca yokuvavanya ukumisela iphepha lokuhlawula, kunye nekhonkco kwi-sniffer, ifakwe ngekhowudi usebenzisa. isiseko64.
Uhlaselo lobutsotsi
Uhlalutyo lweziseko zonxibelelwano zabahlaseli lubonise ukuba iqela lolwaphulo-mthetho lihlala lisebenzisa i-phishing ukuze lifikelele kwiphaneli yolawulo yevenkile ekujoliswe kuyo kwi-intanethi. Abahlaseli babhalisa i-domain ebonakala ifana nedomeyini yevenkile, kwaye emva koko basebenzise ifom yokungena yolawulo ye-Magento yobuxoki kuyo. Ukuba uphumelele, abahlaseli baya kufumana ukufikelela kwiphaneli yolawulo ye-Magento CMS, ebanika ithuba lokuhlela amacandelo ewebhusayithi kunye nokuphumeza i-sniffer ukuba idatha yekhadi lekhredithi.
Izibonelelo
| Indawo | Umhla wokufunyanwa/imbonakalo |
|---|---|
| mediapack.info | 04.05.2017 |
| adsgetapi.com | 15.06.2017 |
| simcounter.com | 14.08.2017 |
| mageanalytics.com | 22.12.2017 |
| maxstatics.com | 16.01.2018 |
| reactjsapi.com | 19.01.2018 |
| mxcounter.com | 02.02.2018 |
| apittatus.com | 01.03.2018 |
| orderracker.com | 20.04.2018 |
| tagstracking.com | 25.06.2018 |
| adsapigate.com | 12.07.2018 |
| trust-tracker.com | 15.07.2018 |
| fbstatspartner.com | 02.10.2018 |
| billgetstatus.com | 12.10.2018 |
| www.aldenmlilhouse.com | 20.10.2018 |
| balletbeautlful.com | 20.10.2018 |
| bargalnjunkie.com | 20.10.2018 |
| payselector.com | 21.10.2018 |
| tagsmediaget.com | 02.11.2018 |
| hs-payments.com | 16.11.2018 |
| ordercheckpays.com | 19.11.2018 |
| geissee.com | 24.11.2018 |
| gtmproc.com | 29.11.2018 |
| livegetpay.com | 18.12.2018 |
| sydneysalonsupplies.com | 18.12.2018 |
| newrelicnet.com | 19.12.2018 |
| nr-public.com | 03.01.2019 |
| cloudodesc.com | 04.01.2019 |
| ajaxstatic.com | 11.01.2019 |
| livecheckpay.com | 21.01.2019 |
| asianfoodgracer.com | 25.01.2019 |
G-Analytics Family
Olu sapho lwabarhafi lusetyenziselwa ukuba amakhadi abathengi kwiivenkile ze-intanethi. Igama lokuqala lesizinda elisetyenziswe liqela labhaliswa ngo-Ephreli 2016, elinokuthi libonise ukuba iqela laqala umsebenzi phakathi kwe-2016.
Kwiphulo langoku, iqela lisebenzisa amagama e-domain alingisa iinkonzo zobomi bokwenyani, ezifana ne-Google Analytics kunye ne-jQuery, ukufihla umsebenzi we-sniffers kunye nemibhalo esemthethweni kunye namagama esizinda afana nalawo asemthethweni. Iindawo eziqhuba iMagento CMS zahlaselwa.
Indlela i-G-Analytics iphunyezwa ngayo kwikhowudi yevenkile ye-intanethi
Uphawu olwahlukileyo kolu sapho kukusetyenziswa kweendlela ezahlukeneyo ukuze kubiwe ulwazi lwentlawulo yomsebenzisi. Ukongeza kwinaliti yakudala yekhowudi yeJavaScript kwicala lomxumi wesiza, iqela lolwaphulo-mthetho likwasebenzise iindlela zokutofa ikhowudi kwicala leseva lesiza, ezizezi izikripthi ze-PHP ezisebenza idatha efakwe ngumsebenzisi. Obu buchule buyingozi kuba benza kube nzima kubaphandi beqela lesithathu ukubona ikhowudi engalunganga. Iingcali zeQela-IB zifumene inguqulelo ye-sniffer efakwe kwikhowudi ye-PHP yendawo, isebenzisa isizinda njengesango. dittm.org.
Kwafunyaniswa inguqulelo yokuqala yomntu osnifa esebenzisa indawo efanayo ukuqokelela idatha ebiweyo dittm.org, kodwa le nguqulo yenzelwe ukufakela kwicala lomxhasi wevenkile ekwi-intanethi.
Iqela kamva latshintsha amaqhinga alo kwaye laqala ukugxila ngakumbi ekufihleni izenzo ezikhohlakeleyo kunye nokuzifihla.
Ekuqaleni kwe-2017, iqela laqala ukusebenzisa i-domain jquery-js.com, izenza iCDN yejQuery: xa usiya kwindawo yabahlaseli, umsebenzisi uphinda aqondiswe kwindawo esemthethweni. jquery.com.
Kwaye phakathi kwe-2018, iqela lamkela igama lesizinda g-analytics.com kwaye yaqala ukufihla imisebenzi ye-sniffer njengenkonzo ye-Google Analytics esemthethweni.
Uhlalutyo lwenguqulelo
Ngethuba lokuhlalutya imimandla esetyenziselwa ukugcina ikhowudi ye-sniffer, kwafunyaniswa ukuba isayithi iqulethe inani elikhulu leenguqulelo, ezihluke kubukho be-obfuscation, kunye nobukho okanye ukungabikho kwekhowudi engafumanekiyo eyongeziweyo kwifayile ukuphazamisa ingqalelo. kwaye ufihle ikhowudi ekhohlakeleyo.
Iyonke kwindawo leyo jquery-js.com Iinguqulelo ezintandathu zabarhafi zachongwa. Aba barhafi bathumela idatha ebiweyo kwidilesi ekwiwebhusayithi enye njengoko umntu orholayo ngokwakhe: hxxps://jquery-js[.]com/latest/jquery.min.js:
- hxxps://jquery-js[.]com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
Ummandla wamva g-analytics.com, isetyenziswe liqela ekuhlaselweni ukususela phakathi kwe-2018, isebenza njengendawo yokugcina abantu abaninzi. Zizonke, iinguqulelo ezahlukeneyo ze-16 ze-sniffer zafunyanwa. Kule meko, isango lokuthumela idatha ebiweyo liguqulwe njengekhonkco kwifomathi yomfanekiso GIF: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid
= 1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.]com/libs/analytics.js
Ukwenza imali ngedatha ebiweyo
Iqela lolwaphulo-mthetho lenza imali ngedatha ebiweyo ngokuthengisa amakhadi ngevenkile ephantsi komhlaba eyenziwe ngokukodwa ebonelela ngeenkonzo kumakhadi. Uhlalutyo lweendawo ezisetyenziswa ngabahlaseli zisivumele ukuba sigqibe oko google-analytics.cm ibhaliswe ngumsebenzisi ofanayo nommandla ikhadiz.vc. Domain ikhadiz.vc ibhekisela kwivenkile ethengisa amakhadi ebhanki abiweyo I-Cardsurfs (i-Flysurfs), eyafumana ukuthandwa emva kwimihla yomsebenzi weqonga lokuthengisa eliphantsi komhlaba i-AlphaBay njengevenkile ethengisa amakhadi ebhanki abiwe usebenzisa i-sniffer.
Ukuhlalutya isizinda uhlalutyo.is, ebekwe kwiseva efanayo njengemimandla esetyenziswa ngabarhafi ukuqokelela idatha ebiweyo, iingcali zeQela le-IB zifumene ifayile equlethe iinkuki ezibiweyo, ekubonakala ukuba kamva iye yashiywa ngumphuhlisi. Elinye lamangeno kwilog liqulathe ithambeka iozoz.com, eyayisetyenziswa ngaphambili kwenye ye-sniffers esebenzayo kwi-2016. Kucingelwa ukuba, lo mmandla wawusetyenziswa ngaphambili ngumhlaseli ukuqokelela amakhadi abiweyo esebenzisa i-sniffer. Lo mmandla ubhaliswe kwidilesi ye-imeyile [imeyile ikhuselwe], eyayikwasetyenziselwa ukubhalisa imimandla ikhadiz.su и ikhadiz.vc, ezinxulumene nevenkile yamakhadi Cardsurfs.
Ngokusekelwe kwidatha efunyenweyo, kunokucingelwa ukuba intsapho ye-G-Analytics ye-sniffers kunye nevenkile engaphantsi komhlaba ethengisa amakhadi ebhanki I-Cardsurfs ilawulwa ngabantu abafanayo, kwaye ivenkile isetyenziselwa ukuthengisa amakhadi ebhanki abiwe usebenzisa i-sniffer.
Izibonelelo
| Indawo | Umhla wokufunyanwa/imbonakalo |
|---|---|
| iozoz.com | 08.04.2016 |
| dittm.org | 10.09.2016 |
| jquery-js.com | 02.01.2017 |
| g-analytics.com | 31.05.2018 |
| google-analytics.is | 21.11.2018 |
| uhlalutyo.to | 04.12.2018 |
| google-analytics.to | 06.12.2018 |
| google-analytics.cm | 28.12.2018 |
| uhlalutyo.is | 28.12.2018 |
| igoogle-analytics.cm | 17.01.2019 |
Illum usapho
I-Illum lusapho lwabarhafi abasetyenziselwa ukuhlasela iivenkile ze-intanethi eziqhuba iMagento CMS. Ukongeza ekuziseni ikhowudi ekhohlakeleyo, abaqhubi beli sniffer baphinde basebenzise ukuqaliswa kweefom zokuhlawula ezipheleleyo ezithumela idatha kumasango alawulwa ngabahlaseli.
Xa uhlalutya iziseko zenethiwekhi ezisetyenziswa ngabaqhubi beli sniffer, inani elikhulu lemibhalo ekhohlakeleyo, ukuxhaphaza, iifom zokuhlawula umgunyathi, kunye nokuqokelela imizekelo kunye nabahlaseli abakhohlakeleyo abakhuphisana nabo. Ngokusekelwe kulwazi malunga nemihla yokubonakala kwamagama esizinda asetyenziswa liqela, kunokucingelwa ukuba iphulo laqala ekupheleni kwe2016.
Indlela i-Illum iphunyezwa ngayo kwikhowudi yevenkile ye-intanethi
Iinguqulelo zokuqala ze-sniffer ezifunyenweyo zifakwe ngqo kwikhowudi yesayithi elichithiweyo. Idatha ebiweyo ithunyelwe ku cdn.illum[.]pw/records.php, isango lafakwa ngekhowudi kusetyenziswa isiseko64.
Kamva, kwafunyanwa inguqulelo epakishweyo ye-sniffer esebenzisa isango elahlukileyo - iirekhodi.nstatistics[.]com/records.php.
Ngokutsho UWillem de Groot, umgcini-mamkeli ofanayo wasetyenziswa kwi-sniffer, eyathi yaphunyezwa , yeqela lezopolitiko laseJamani iCSU.
Uhlalutyo lwewebhusayithi yabahlaseli
Iingcali zeQela-IB zifumene zaza zahlalutya iwebhusayithi esetyenziswa leli qela lolwaphulo-mthetho ukugcina izixhobo kunye nokuqokelela ulwazi olubiweyo.
Phakathi kwezixhobo ezifunyenwe kumncedisi wabahlaseli kwakukho izikripthi kunye nokuxhaphaza amalungelo akhulayo kwi-Linux OS: umzekelo, i-Linux Privilege Escalation Check Script ephuhliswe nguMike Czumak, kunye nokuxhaphaza i-CVE-2009-1185.
Abahlaseli basebenzise izinto ezimbini zokuxhaphaza ngokuthe ngqo ukuhlasela iivenkile ze-intanethi: ekwaziyo ukufaka ikhowudi enobungozi core_config_data ngokusebenzisa i-CVE-2016-4010, ixhaphaza ubungozi be-RCE kwiiplagi ze-CMS Magento, ivumela ikhowudi engafanelekanga ukuba iqhutywe kumncedisi wewebhu osengozini.
Kwakhona, ngexesha lokuhlalutya umncedisi, iisampuli ezahlukeneyo ze-sniffers kunye neefom zokuhlawula ezikhohlisayo zifunyenwe, ezisetyenziswe ngabahlaseli ukuqokelela ulwazi lokuhlawula kwiindawo eziqhekekileyo. Njengoko unokubona kuluhlu olungezantsi, ezinye izikripthi zenziwe ngabanye kwisayithi nganye eqhekekileyo, ngelixa isisombululo sendalo yonke sisetyenziselwa i-CMS ethile kunye namasango okuhlawula. Ngokomzekelo, izikripthi segapay_standart.js и segapay_onpage.js eyenzelwe ukuphunyezwa kwiindawo ezisebenzisa isango lokuhlawula iSage Pay.
Uluhlu lweencwadi zeempendulo kwiisango ezahlukeneyo zentlawulo
| Ushicilelo | Isango lentlawulo |
|---|---|
| [.]pw/mjs_special/visiondirect.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/topdierenshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/tiendalenovo.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/pro-bolt.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/plae.co.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/ottolenghi.co.uk.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/oldtimecandy.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/mylook.ee.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/luluandsky.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/julep.com.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/gymcompany.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/grotekadoshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/fushi.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/fareastflora.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/compuindia.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs/segapay_standart.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/segapay_onpage.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/replace_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs/all_inputs.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/add_inputs_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/magento/payment_standart.js | //cdn.illum[.]pw/records.php |
| [.]pw/magento/payment_redirect.js | //payrightnow[.]cf/?intlawulo= |
| [.]pw/magento/payment_redcrypt.js | //payrightnow[.]cf/?intlawulo= |
| [.]pw/magento/payment_forminsite.js | //paymentnow[.]tk/?intlawulo= |
Umgcini intlawulo ngoku[.]tk, isetyenziswe njengesango kwiscript pay_forminsite.js, yafunyanwa njenge subjectAltName kwizatifikethi ezininzi ezinxulumene nenkonzo ye-CloudFlare. Ukongeza, umphathi uqulethe iskripthi ububi.js. Ukuqwalasela igama leskripthi, sinokusetyenziswa njengenxalenye yokusetyenziswa kwe-CVE-2016-4010, ngenxa yokuba kunokwenzeka ukufaka ikhowudi enobungozi kwindawo engaphantsi kwendawo eqhuba iCMS Magento. Umamkeli usebenzise lo mbhalo njengesango isicelo.requestnet[.]tkusebenzisa isiqinisekiso esifanayo njengenginginya intlawulo ngoku[.]tk.
Iifomu zentlawulo zomgunyathi
Umfanekiso ongezantsi ubonisa umzekelo wefomu yokufaka idatha yekhadi. Le fomu yayisetyenziselwa ukungena kwivenkile ye-intanethi kwaye ibe idatha yekhadi.
Lo mzobo ulandelayo ubonisa umzekelo wefomu yentlawulo ye-PayPal yobuxoki eyayisetyenziswa ngabahlaseli ukungena kwiisayithi ngale ndlela yokuhlawula.
Izibonelelo
| Indawo | Umhla wokufunyanwa/imbonakalo |
|---|---|
| cdn.illum.pw | 27/11/2016 |
| Records.nstatistics.com | 06/09/2018 |
| isicelo.payrightnow.cf | 25/05/2018 |
| paynow.tk | 16/07/2017 |
| intlawulo-line.tk | 01/03/2018 |
| paypal.cf | 04/09/2017 |
| requestnet.tk | 28/06/2017 |
CoffeeMokko usapho
Usapho lwe-CoffeMokko lwabacuphi, eyenzelwe ukuba amakhadi ebhanki kubasebenzisi beevenkile ze-intanethi, sele isetyenziswa ukususela ubuncinane ngoMeyi ka-2017. Ngokuqinisekileyo, abaqhubi bale ntsapho ye-sniffers liqela lobugebengu Iqela le-1, elichazwe ziingcali ze-RiskIQ kwi-2016. IiSayithi eziqhuba iiCMS ezifana neMagento, OpenCart, WordPress, osCommerce, kunye neShopify zahlaselwa.
Iphunyezwa njani iCoffeMokko kwikhowudi yevenkile ye-intanethi
Abasebenzisi bolu sapho benza iziqhumiso ezizodwa zosulelo ngalunye: ifayile yesniffer ibekwe kulawulo. src okanye js kwiseva yabahlaseli. Ukufakwa kwikhowudi yesayithi kuqhutyelwa ngekhonkco elithe ngqo kwi-sniffer.
Ikhowudi ye-sniffer hardcodes amagama emimandla yeefom apho idatha kufuneka ibiwe. I-sniffer iphinda ihlole ukuba umsebenzisi kwiphepha lokuhlawula ngokujonga uluhlu lwamagama angundoqo kunye nedilesi yangoku yomsebenzisi.
Ezinye iinguqulelo ezifunyenweyo ze-sniffer zifihliwe kwaye ziqulethe umtya ofihliweyo apho uluhlu oluphambili lwezibonelelo lugcinwe khona: lunamagama eefom zemimandla yeendlela ezahlukeneyo zokuhlawula, kunye nedilesi yesango apho idatha ebiweyo kufuneka ithunyelwe khona.
Ulwazi lwentlawulo olubiweyo luthunyelwe kwiskripthi kwiseva yabahlaseli endleleni /savePayment/index.php okanye /tr/index.php. Mhlawumbi, le script isetyenziselwa ukuthumela idatha ukusuka kwisango ukuya kumncedisi oyintloko, odibanisa idatha evela kuzo zonke i-sniffers. Ukufihla idatha egqithisiweyo, lonke ulwazi lwentlawulo yexhoba lufihliwe ngokusetyenziswa isiseko64, kwaye emva koko utshintsho oluninzi lwenzeka:
- u-"e" endaweni ye-"e" endaweni ye-":"
- isimboli "w" endaweni yaso sithi "+"
- igama elithi "o" endaweni yalo lifakwe "%"
- uphawu u-"d" endaweni yalo u-"#"
- uphawu "a" endaweni yalo kufakwa "-"
- isimboli "7" endaweni yayo "^"
- umlinganiswa "h" endaweni yakhe u-"_"
- uphawu "T" endaweni yalo "@"
- uphawu "0" endaweni yalo lifakwe "/"
- uphawu u-"Y" endaweni yalo u-"*"
Njengesiphumo sokutshintshwa kweempawu ezifakwe ngekhowudi kusetyenziswa isiseko64 Idatha ayikwazi ukuchazwa ngaphandle kokuguqula umva.
Le yindlela iqhekeza lekhowudi yesniffer engakhange ifunyanwe ijongeka ngayo:
Uhlalutyo lweziseko zophuhliso
Kwimikhankaso yokuqala, abahlaseli babhalise amagama esizinda afana nalawo amaziko okuthenga asemthethweni kwi-Intanethi. I-domain yabo inokwahluka kwisimboli esinye okanye enye i-TLD. Imimandla ebhalisiweyo isetyenziselwe ukugcina ikhowudi yesniffer, ikhonkco elifakwe kwikhowudi yevenkile.
Eli qela likwasebenzise amagama edomeyini akhumbuza iiplagi ezidumileyo zejQuery (slickjs[.]org kwiisayithi ezisebenzisa i-plugin slick.js), amasango entlawulo (sagecdn[.]org kwiziza ezisebenzisa inkqubo yentlawulo yeSage Pay).
Kamva, iqela laqala ukudala imimandla amagama abo ayengenanto yakwenza nesizinda sevenkile okanye umxholo wevenkile.
Indawo nganye ihambelana nesiza apho uvimba weefayili wenziwa khona /js okanye /src. Izikripthi ze-sniffer zigcinwe kolu luhlu: i-sniffer enye yosulelo olutsha ngalunye. I-sniffer ifakwe kwikhowudi yewebhusayithi ngekhonkco elithe ngqo, kodwa kwiimeko ezinqabileyo, abahlaseli baguqule enye yeefayile zewebhusayithi kwaye bongeza ikhowudi ekhohlakeleyo kuyo.
Uhlalutyo lweKhowudi
I-algorithm yokuqala ye-obfuscation
Kwezinye iisampulu ezifunyenweyo zolu sapho, ikhowudi yayifihliwe kwaye iqulethe idatha efihliweyo eyimfuneko ukuze umntu ojongiweyo asebenze: ngakumbi, idilesi yesango le-sniffer, uluhlu lwemimandla yefom yentlawulo, kwaye kwezinye iimeko, ikhowudi yenkohliso. ifomu yentlawulo. Kwikhowudi engaphakathi komsebenzi, izibonelelo zifihliwe kusetyenziswa XOR ngesitshixo esigqithiswe njengengxoxo kumsebenzi omnye.
Ngokucofa umtya kunye nesitshixo esifanelekileyo, esikhethekileyo kwisampulu nganye, unokufumana umtya oqulethe zonke iintambo ukusuka kwikhowudi ye-sniffer eyahlulwe ngumlingiswa womhlukanisi.
Okwesibini obfuscation algorithm
Kwiisampulu zamva zabaseki bolu sapho, kwasetyenziswa indlela eyahlukileyo yokudibanisa i-obfuscation: kulo mzekelo, idatha ifihliweyo kusetyenziswa i-algorithm yokuzibhala. Umtya oqulethe idata efihliweyo eyimfuneko ukuze umjongi asebenze ugqithiselwe njengengxoxo kumsebenzi woguqulelo lwentsokolo.
Usebenzisa i-console yomkhangeli zincwadi, unokwenza uguqulelo oluntsonkothileyo lwedatha efihliweyo kwaye ufumane uluhlu oluqulathe izibonelelo zesniffer.
Uqhagamshelo kuhlaselo lokuqala lweMageCart
Ngethuba lokuhlalutya enye yemimandla esetyenziswa liqela njengesango lokuqokelela idatha ebiweyo, kwafunyaniswa ukuba le sizinda ibambe isiseko sobusela bekhadi letyala, elifana nelo lisetyenziswe yiQela loku-1, elinye lamaqela okuqala, ziingcali zeRiskIQ.
Iifayile ezimbini zifunyenwe kwinginginya yentsapho yaseCoffeMokko yabaqhubi:
- mage.js — ifayile enekhowudi yokusezela yeQela loku-1 enedilesi yesango js-cdn.link
- imag.php -Iskripthi se-PHP esinoxanduva lokuqokelela idatha ebiwe ngumjongi
Imixholo yefayile ye-mage.js
Kwaye kwaqinisekiswa ukuba iindawo zokuqala ezisetyenziswe liqela emva kosapho lwe-CoffeMokko lwabacuphi babhaliswa ngoMeyi 17, 2017:
- ikhonkco-js[.] ikhonkco
- ulwazi-js[.] ikhonkco
- umkhondo-js[.] ikhonkco
- imephu-js[.] ikhonkco
- i-smart-js[.] ikhonkco
Ifomati yala magama e-domain ihambelana namagama e-domain yeQela le-1 asetyenziswe kuhlaselo lwe-2016.
Ngokusekwe kwiinyani ezifunyenweyo, kunokucingelwa ukuba kukho unxibelelwano phakathi kwabaqhubi be-CoffeMokko sniffers kunye neqela lolwaphulo-mthetho iQela loku-1. Ngokuqinisekileyo, abaqhubi beCoffeMokko bebenokuboleka izixhobo kunye nesoftware kubanduleli babo ukuba babe amakhadi. Nangona kunjalo, kunokwenzeka ukuba iqela lolwaphulo-mthetho emva kokusetyenziswa kwentsapho yaseCoffeMokko yabahlaseli ngabantu abafanayo abaye benza ukuhlaselwa kweQela 1. Emva kokupapashwa kwengxelo yokuqala kwimisebenzi yeqela lolwaphulo-mthetho, onke amagama abo esizinda zivaliwe kwaye izixhobo zafundwa ngokweenkcukacha kwaye zichazwe. Iqela laphoqeleka ukuba lithathe ikhefu, licokise izixhobo zalo zangaphakathi kwaye libhale kwakhona ikhowudi ye-sniffer ukuze liqhubeke nokuhlasela kwaye lihlale lingabonwa.
Izibonelelo
| Indawo | Umhla wokufunyanwa/imbonakalo |
|---|---|
| ikhonkco-js.link | 17.05.2017 |
| info-js.link | 17.05.2017 |
| umkhondo-js.link | 17.05.2017 |
| imephu-js.link | 17.05.2017 |
| i-smart-js.link | 17.05.2017 |
| adorebeauty.org | 03.09.2017 |
| ukhuseleko-intlawulo.su | 03.09.2017 |
| braindn.org | 04.09.2017 |
| sagecdn.org | 04.09.2017 |
| slickjs.org | 04.09.2017 |
| oakandfort.org | 10.09.2017 |
| citywnery.org | 15.09.2017 |
| dobell.su | 04.10.2017 |
| abantwanasplayclothing.org | 31.10.2017 |
| jewsondirect.com | 05.11.2017 |
| shop-rnib.org | 15.11.2017 |
| closetlondon.org | 16.11.2017 |
| misshaus.org | 28.11.2017 |
| battery-force.org | 01.12.2017 |
| kik-vape.org | 01.12.2017 |
| greatfurnituretradingco.org | 02.12.2017 |
| etradesupply.org | 04.12.2017 |
| replacemyremote.org | 04.12.2017 |
| all-about-sneakers.org | 05.12.2017 |
| mage-checkout.org | 05.12.2017 |
| nililotan.org | 07.12.2017 |
| lamoodbighat.net | 08.12.2017 |
| walletgear.org | 10.12.2017 |
| dahlie.org | 12.12.2017 |
| davidsfootwear.org | 20.12.2017 |
| blackriverrimaging.org | 23.12.2017 |
| exrpesso.org | 02.01.2018 |
| iipaki.su | 09.01.2018 |
| pmtonline.su | 12.01.2018 |
| otocap.org | 15.01.2018 |
| christohperward.org | 27.01.2018 |
| coffeetea.org | 31.01.2018 |
| energycoffe.org | 31.01.2018 |
| energytea.org | 31.01.2018 |
| teacoffe.net | 31.01.2018 |
| adaptivecss.org | 01.03.2018 |
| coffemokko.com | 01.03.2018 |
| londontea.net | 01.03.2018 |
| ukcoffe.com | 01.03.2018 |
| labbe.biz | 20.03.2018 |
| batterynart.com | 03.04.2018 |
| btosports.net | 09.04.2018 |
| chicksaddlery.net | 16.04.2018 |
| paypaypay.org | 11.05.2018 |
| ar500arnor.com | 26.05.2018 |
| authorizecdn.com | 28.05.2018 |
| slickmin.com | 28.05.2018 |
| bannerbuzz.info | 03.06.2018 |
| kandypens.net | 08.06.2018 |
| mylrendyphone.com | 15.06.2018 |
| freshchat.info | 01.07.2018 |
| 3lift.org | 02.07.2018 |
| abtasty.net | 02.07.2018 |
| mechat.info | 02.07.2018 |
| zoplm.com | 02.07.2018 |
| zapaljs.com | 02.09.2018 |
| foodandcot.com | 15.09.2018 |
| freshdepor.com | 15.09.2018 |
| swappastore.com | 15.09.2018 |
| kakhuluwellfitnesse.com | 15.09.2018 |
| elegrina.com | 18.11.2018 |
| majsurplus.com | 19.11.2018 |
| top5value.com | 19.11.2018 |
umthombo: www.habr.com