O fẹrẹ jẹ pe gbogbo wa lo awọn iṣẹ ti awọn ile itaja ori ayelujara, eyiti o tumọ si pe laipẹ tabi ya a ni eewu lati di olufaragba ti JavaScript sniffers - koodu pataki kan ti awọn ikọlu wọ oju opo wẹẹbu kan lati ji data kaadi banki, awọn adirẹsi, awọn orukọ olumulo ati awọn ọrọ igbaniwọle. .
O fẹrẹ to awọn olumulo 400 ti oju opo wẹẹbu British Airways ati ohun elo alagbeka ti ni ipa tẹlẹ nipasẹ awọn apanirun, bakanna bi awọn alejo si oju opo wẹẹbu Ilu Gẹẹsi ti FILA agba ere idaraya ati olupin Ticketmaster tikẹti Amẹrika. PayPal, Chase Paymenttech, USAePay, Moneris - iwọnyi ati ọpọlọpọ awọn eto isanwo miiran ti ni akoran.
Irokeke Intelligence Group-IB Oluyanju Viktor Okorokov sọrọ nipa bi sniffers infiltrate aaye ayelujara koodu ki o si ji alaye sisan, bi daradara bi eyi ti CRMs ti won kolu.
"Irokeke ti o farasin"
O ṣẹlẹ pe fun igba pipẹ JS-sniffers wa ni oju ti awọn atunnkanka ọlọjẹ, ati awọn banki ati awọn eto isanwo ko rii wọn bi ewu nla. Ati ki o Egba ni asan. Ẹgbẹ-IB Amoye Awọn ile itaja ori ayelujara 2440 ti o ni akoran, ti awọn alejo rẹ - lapapọ ti eniyan miliọnu 1,5 ni ọjọ kan - wa ninu eewu ti adehun. Lara awọn olufaragba kii ṣe awọn olumulo nikan, ṣugbọn awọn ile itaja ori ayelujara, awọn eto isanwo ati awọn ile-ifowopamọ ti o funni ni awọn kaadi ti o gbogun.
Group-IB di akọkọ iwadi ti darknet oja ti sniffers, wọn amayederun ati awọn ọna ti monetization, kiko milionu ti dọla si wọn creators. A ṣe idanimọ awọn idile sniffer 38, eyiti 12 nikan ni a ti mọ tẹlẹ si awọn oniwadi.
Jẹ ki a gbe ni kikun lori awọn idile mẹrin ti sniffers ti a ṣe iwadi ni ọna ikẹkọ naa.
ReactGet ebi
Sniffers ti idile ReactGet ni a lo lati ji data kaadi banki lori awọn aaye rira ori ayelujara. Sniffer le ṣiṣẹ pẹlu nọmba nla ti awọn eto isanwo oriṣiriṣi ti a lo lori aaye naa: iye paramita kan ni ibamu si eto isanwo kan, ati pe awọn ẹya kọọkan ti a rii ti sniffer le ṣee lo lati ji awọn iwe-ẹri, ati lati ji data kaadi banki lati ọdọ awọn fọọmu isanwo ti awọn ọna ṣiṣe isanwo pupọ ni ẹẹkan, bii eyiti a pe ni sniffer agbaye. A rii pe ni awọn igba miiran, awọn ikọlu n ṣe ikọlu ararẹ lori awọn alabojuto ile itaja ori ayelujara lati le ni iraye si igbimọ iṣakoso aaye naa.
Ipolongo ti nlo idile ti awọn alarinrin bẹrẹ ni May 2017. Awọn aaye ti nṣiṣẹ CMS ati awọn iru ẹrọ Magento, Bigcommerce, Shopify ni a kolu.
Bawo ni ReactGet ti wa ni ifibọ ninu koodu ti ile itaja ori ayelujara kan
Ni afikun si abẹrẹ iwe afọwọkọ “Ayebaye” nipasẹ ọna asopọ, awọn oniṣẹ sniffer idile ReactGet lo ilana pataki kan: lilo koodu JavaScript, o ṣayẹwo boya adirẹsi lọwọlọwọ nibiti olumulo wa ni ibamu pẹlu awọn ibeere kan. Awọn koodu irira yoo ṣiṣẹ nikan ti URL ti o wa lọwọlọwọ ba ni okun-apakan kan ninu ṣayẹwo tabi isanwo igbese kan, oju-iwe kan/, jade/onepag, ayẹwo / ọkan, ckout / ọkan. Nitorinaa, koodu sniffer yoo ṣiṣẹ ni deede ni akoko ti olumulo n tẹsiwaju lati sanwo fun awọn rira ati tẹ alaye isanwo sinu fọọmu lori aaye naa.
Yi sniffer nlo ilana ti kii ṣe deede. Owo sisan ati data ti ara ẹni ti olufaragba ni a gba papọ, ti fi koodu sii nipa lilo ipilẹ64, ati lẹhinna okun ti o yọrisi jẹ lilo bi paramita lati fi ibeere ranṣẹ si aaye irira naa. Ni ọpọlọpọ igba, ọna si ẹnu-ọna ṣe afarawe faili JavaScript kan, fun apẹẹrẹ resp.js, data.js ati bẹbẹ lọ, ṣugbọn awọn ọna asopọ si awọn faili aworan tun lo, GIF и JPG. Iyatọ ni pe sniffer ṣẹda ohun aworan kan pẹlu iwọn 1 nipasẹ 1 pixel ati lo ọna asopọ ti o gba tẹlẹ bi paramita kan src Awọn aworan. Iyẹn ni, fun olumulo, iru ibeere ni ijabọ yoo dabi ibeere fun aworan deede. Ilana ti o jọra ni a lo ninu idile ImageID ti sniffers. Ni afikun, ilana aworan piksẹli 1x1 ni a lo ni ọpọlọpọ awọn iwe afọwọkọ atupale ori ayelujara, eyiti o tun le ṣi olumulo lọna.
Itupalẹ Ẹya
Iṣiro ti awọn agbegbe ti nṣiṣe lọwọ ti awọn oniṣẹ ReactGet ṣe afihan ọpọlọpọ awọn ẹya oriṣiriṣi ti idile ti sniffers yii. Awọn ẹya yatọ si niwaju tabi isansa ti obfuscation, ati ni afikun, kọọkan sniffer jẹ apẹrẹ fun eto isanwo kan pato ti o ṣe ilana awọn sisanwo kaadi banki fun awọn ile itaja ori ayelujara. Lẹhin tito lẹsẹsẹ nipasẹ iye paramita ti o baamu si nọmba ẹya, awọn alamọja Ẹgbẹ-IB gba atokọ pipe ti awọn iyatọ sniffer ti o wa, ati nipasẹ awọn orukọ ti awọn aaye fọọmu ti sniffer kọọkan n wa ninu koodu oju-iwe, wọn pinnu awọn eto isanwo. wipe sniffer fojusi.
Akojọ ti awọn sniffers ati awọn won ti o baamu owo awọn ọna šiše
| Sniffer URL | Eto isanwo |
|---|---|
| Authorize.Net | |
| Ipamọ kaadi | |
| Authorize.Net | |
| Authorize.Net | |
| eWAY Dekun | |
| Authorize.Net | |
| Adyen | |
| USAePay | |
| Authorize.Net | |
| USAePay | |
| Authorize.Net | |
| Moneris | |
| USAePay | |
| PayPal | |
| SagePay | |
| Verisign | |
| PayPal | |
| adikala | |
| Realex | |
| PayPal | |
| LinkPoint | |
| PayPal | |
| PayPal | |
| datacash | |
| PayPal | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Verisign | |
| Authorize.Net | |
| Moneris | |
| SagePay | |
| USAePay | |
| Authorize.Net | |
| Authorize.Net | |
| ANZ eGate | |
| Authorize.Net | |
| Moneris | |
| SagePay | |
| SagePay | |
| Lepa isanwo | |
| Authorize.Net | |
| Adyen | |
| PsiGate | |
| Orisun Cyber | |
| ANZ eGate | |
| Realex | |
| USAePay | |
| Authorize.Net | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| PayPal | |
| Realex | |
| SagePay | |
| PayPal | |
| Verisign | |
| Authorize.Net | |
| Verisign | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| Orisun Cyber | |
| Authorize.Net | |
| SagePay | |
| Realex | |
| Orisun Cyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY Dekun | |
| SagePay | |
| SagePay | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| First Data Global Gateway | |
| Authorize.Net | |
| Authorize.Net | |
| Moneris | |
| Authorize.Net | |
| PayPal | |
| Verisign | |
| USAePay | |
| USAePay | |
| Authorize.Net | |
| Verisign | |
| PayPal | |
| Authorize.Net | |
| adikala | |
| Authorize.Net | |
| eWAY Dekun | |
| SagePay | |
| Authorize.Net | |
| Braintree | |
| Braintree | |
| PayPal | |
| SagePay | |
| SagePay | |
| Authorize.Net | |
| PayPal | |
| Authorize.Net | |
| Verisign | |
| PayPal | |
| Authorize.Net | |
| adikala | |
| Authorize.Net | |
| eWAY Dekun | |
| SagePay | |
| Authorize.Net | |
| Braintree | |
| PayPal | |
| SagePay | |
| SagePay | |
| Authorize.Net | |
| PayPal | |
| Authorize.Net | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| SagePay | |
| SagePay | |
| Westpac PayWay | |
| payfort | |
| PayPal | |
| Authorize.Net | |
| adikala | |
| First Data Global Gateway | |
| PsiGate | |
| Authorize.Net | |
| Authorize.Net | |
| Moneris | |
| Authorize.Net | |
| SagePay | |
| Verisign | |
| Moneris | |
| PayPal | |
| LinkPoint | |
| Westpac PayWay | |
| Authorize.Net | |
| Moneris | |
| PayPal | |
| Adyen | |
| PayPal | |
| Authorize.Net | |
| USAePay | |
| EBizCharge | |
| Authorize.Net | |
| Verisign | |
| Verisign | |
| Authorize.Net | |
| PayPal | |
| Moneris | |
| Authorize.Net | |
| PayPal | |
| PayPal | |
| Westpac PayWay | |
| Authorize.Net | |
| Authorize.Net | |
| SagePay | |
| Verisign | |
| Authorize.Net | |
| PayPal | |
| payfort | |
| Orisun Cyber | |
| PayPal sisan Pro | |
| Authorize.Net | |
| Authorize.Net | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| SagePay | |
| Authorize.Net | |
| adikala | |
| Authorize.Net | |
| Authorize.Net | |
| Verisign | |
| PayPal | |
| Authorize.Net | |
| Authorize.Net | |
| SagePay | |
| Authorize.Net | |
| Authorize.Net | |
| PayPal | |
| Flint | |
| PayPal | |
| SagePay | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| adikala | |
| Abila ti o sanra | |
| SagePay | |
| Authorize.Net | |
| First Data Global Gateway | |
| Authorize.Net | |
| eWAY Dekun | |
| Adyen | |
| PayPal | |
| Awọn iṣẹ Iṣowo QuickBooks | |
| Verisign | |
| SagePay | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| SagePay | |
| Authorize.Net | |
| eWAY Dekun | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| Orisun Cyber | |
| Authorize.Net | |
| SagePay | |
| Realex | |
| Orisun Cyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| Verisign | |
| eWAY Dekun | |
| SagePay | |
| SagePay | |
| Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| First Data Global Gateway | |
| Authorize.Net | |
| Authorize.Net | |
| Moneris | |
| Authorize.Net | |
| PayPal |
Ọrọigbaniwọle sniffer
Ọkan ninu awọn anfani ti JavaScript sniffers ti o ṣiṣẹ ni ẹgbẹ alabara ti oju opo wẹẹbu ni iyipada rẹ: koodu irira ti a fi sii lori oju opo wẹẹbu le ji eyikeyi iru data, jẹ alaye isanwo tabi iwọle ati ọrọ igbaniwọle lati akọọlẹ olumulo kan. Awọn alamọja ẹgbẹ-IB ṣe awari apẹẹrẹ ti sniffer ti o jẹ ti idile ReactGet, ti a ṣe lati ji awọn adirẹsi imeeli ati awọn ọrọ igbaniwọle ti awọn olumulo aaye.
Ikorita pẹlu ImageID sniffer
Lakoko itupalẹ ti ọkan ninu awọn ile itaja ti o ni arun, a rii pe oju opo wẹẹbu rẹ ti ni akoran lẹẹmeji: ni afikun si koodu irira ti ReactGet ebi sniffer, koodu ti sniffer idile ImageID ti ri. Ikọja yii le jẹ ẹri pe awọn oniṣẹ lẹhin awọn apanirun mejeeji n lo awọn ilana ti o jọra lati fi koodu irira sii.
sniffer gbogbo agbaye
Lakoko itupalẹ ọkan ninu awọn orukọ ìkápá ti o ni ibatan si awọn amayederun sniffer ReactGet, a rii pe olumulo kanna forukọsilẹ awọn orukọ ìkápá mẹta miiran. Awọn ibugbe mẹtẹẹta wọnyi ṣe afarawe awọn ibugbe ti awọn aaye gidi-aye ati pe a ti lo tẹlẹ lati gbalejo awọn sniffers. Nigbati o ba n ṣatupalẹ koodu ti awọn aaye mẹta ti o tọ, a ti rii sniffer ti ko mọ, ati pe itupalẹ siwaju fihan pe eyi jẹ ẹya ilọsiwaju ti ReactGet sniffer. Gbogbo awọn ẹya ti a ti tọpa tẹlẹ ti idile ti awọn apanirun ni a fojusi ni eto isanwo kan, iyẹn ni, ẹya pataki ti sniffer ni a nilo fun eto isanwo kọọkan. Sibẹsibẹ, ninu ọran yii, a ti ṣe awari ẹya gbogbo agbaye ti sniffer, ti o lagbara lati ji alaye lati awọn fọọmu ti o ni ibatan si awọn eto isanwo oriṣiriṣi 15 ati awọn modulu ti awọn aaye ecommerce fun awọn sisanwo ori ayelujara.
Nitorinaa, ni ibẹrẹ iṣẹ naa, apanirun wa awọn aaye fọọmu ipilẹ ti o ni alaye ti ara ẹni ti olufaragba: orukọ kikun, adirẹsi ti ara, nọmba foonu.
Awọn sniffer lẹhinna wa diẹ sii ju awọn ami-iṣaaju oriṣiriṣi 15 ti o baamu si awọn ọna ṣiṣe isanwo oriṣiriṣi ati awọn modulu fun awọn sisanwo ori ayelujara.
Nigbamii ti, data ti ara ẹni ti olufaragba ati alaye isanwo ni a kojọ pọ ati firanṣẹ si aaye kan ti o ṣakoso nipasẹ ikọlu: ninu ọran pataki yii, awọn ẹya meji ti ReactGet sniffer agbaye ni a rii ti o wa lori awọn aaye oriṣiriṣi meji ti gepa. Sibẹsibẹ, awọn ẹya mejeeji firanṣẹ data ji si aaye kanna ti gepa. zoobashop.com.
Iṣirotẹlẹ ti awọn ami-iṣaaju ti apanirun lo lati wa awọn aaye ti o ni alaye isanwo ti olufaragba naa pinnu pe apẹẹrẹ sniffer yii fojusi awọn eto isanwo wọnyi:
- Authorize.Net
- Verisign
- Akọkọ data
- USAePay
- adikala
- PayPal
- ANZ eGate
- Braintree
- Owo Data (MasterCard)
- Awọn sisanwo Realex
- PsiGate
- Heartland sisan Systems
Awọn irinṣẹ wo ni a lo lati ji alaye isanwo
Ọpa akọkọ ti a ṣe awari lakoko itupalẹ ti awọn amayederun awọn ikọlu n ṣiṣẹ lati pa awọn iwe afọwọkọ irira kuro ti o ni iduro fun jiji awọn kaadi banki. Iwe afọwọkọ bash ti o lo CLI ti iṣẹ akanṣe ni a rii lori ọkan ninu awọn agbalejo awọn ikọlu naa. lati ṣe adaṣe koodu obfuscation sniffer.
Awọn keji awari ọpa ti a ṣe lati se ina koodu lodidi fun ikojọpọ akọkọ sniffer. Ọpa yii ṣe ipilẹṣẹ koodu JavaScript kan ti o ṣayẹwo boya olumulo wa ni oju-iwe isanwo nipa wiwa adirẹsi olumulo lọwọlọwọ fun awọn okun. ṣayẹwo, rira ati bẹbẹ lọ, ati pe ti abajade ba jẹ rere, lẹhinna koodu naa gbe sniffer akọkọ lati olupin intruder. Lati tọju iṣẹ irira, gbogbo awọn laini, pẹlu awọn laini idanwo fun ṣiṣe ipinnu oju-iwe isanwo, bakanna bi ọna asopọ si sniffer, ti wa ni koodu nipa lilo ipilẹ64.
Awọn ikọlu ararẹ
Lakoko itupalẹ awọn amayederun nẹtiwọọki ti awọn ikọlu, a rii pe ẹgbẹ ọdaràn nigbagbogbo nlo aṣiri-ararẹ lati ni iraye si igbimọ iṣakoso ti ibi-itaja ori ayelujara ti ibi-afẹde. Awọn ikọlu naa forukọsilẹ agbegbe kan ti o dabi aaye ibi-itaja kan lẹhinna gbe fọọmu iwọle abojuto Magento iro lori rẹ. Ti o ba ṣaṣeyọri, awọn ikọlu naa yoo ni iraye si igbimọ abojuto Magento CMS, eyiti o fun wọn ni agbara lati ṣatunkọ awọn paati aaye ati ṣe imuse sniffer lati ji data kaadi kirẹditi.
Amayederun
| Момен | Ọjọ ti Awari / ifarahan |
|---|---|
| mediapack.info | 04.05.2017 |
| adgetapi.com | 15.06.2017 |
| simcounter.com | 14.08.2017 |
| mageanalytics.com | 22.12.2017 |
| maxstatics.com | 16.01.2018 |
| reactjsapi.com | 19.01.2018 |
| mxcounter.com | 02.02.2018 |
| apitstatus.com | 01.03.2018 |
| orderracker.com | 20.04.2018 |
| tagtracking.com | 25.06.2018 |
| adsapigate.com | 12.07.2018 |
| trusttracker.com | 15.07.2018 |
| fbstatspartner.com | 02.10.2018 |
| billgetstatus.com | 12.10.2018 |
| aldenmilhouse.com | 20.10.2018 |
| balletbeautlful.com | 20.10.2018 |
| bargalnjunkie.com | 20.10.2018 |
| payselector.com | 21.10.2018 |
| tagsmediaget.com | 02.11.2018 |
| hs-payments.com | 16.11.2018 |
| ordercheckpays.com | 19.11.2018 |
| geisseie.com | 24.11.2018 |
| gtmproc.com | 29.11.2018 |
| livegetpay.com | 18.12.2018 |
| sydneysalonsupplies.com | 18.12.2018 |
| newrelicnet.com | 19.12.2018 |
| nr-public.com | 03.01.2019 |
| cloudodesc.com | 04.01.2019 |
| ajaxstatic.com | 11.01.2019 |
| livecheckpay.com | 21.01.2019 |
| Asianfoodgracer.com | 25.01.2019 |
G-Atupalẹ ebi
Idile ti sniffers yii ni a lo lati ji awọn kaadi alabara lati awọn ile itaja ori ayelujara. Orukọ ìkápá akọkọ ti ẹgbẹ naa lo ni a forukọsilẹ ni Oṣu Kẹrin ọdun 2016, eyiti o le tọka ibẹrẹ ti iṣẹ ṣiṣe ẹgbẹ ni aarin ọdun 2016.
Ninu ipolongo ti o wa lọwọlọwọ, ẹgbẹ naa nlo awọn orukọ-ašẹ ti o ṣe afihan awọn iṣẹ igbesi aye gidi gẹgẹbi Awọn atupale Google ati jQuery, ti o n pa iṣẹ-ṣiṣe sniffer masking pẹlu awọn iwe afọwọkọ ti o tọ ati awọn orukọ-ašẹ ti o ni ẹtọ. Awọn oju opo wẹẹbu nṣiṣẹ labẹ CMS Magento ni a kolu.
Bii G-Atupalẹ ti ṣe imuse ni koodu itaja ori ayelujara
Ẹya pataki ti idile yii ni lilo awọn ọna oriṣiriṣi ti ji alaye isanwo olumulo. Ni afikun si abẹrẹ JavaScript Ayebaye sinu ẹgbẹ alabara ti aaye naa, ẹgbẹ ọdaràn tun lo ilana ti abẹrẹ koodu sinu ẹgbẹ olupin ti aaye naa, eyun awọn iwe afọwọkọ PHP ti o ṣe ilana titẹ olumulo. Ilana yii jẹ ewu ni pe o jẹ ki o ṣoro fun awọn oniwadi ẹni-kẹta lati ṣawari koodu irira. Awọn alamọja ẹgbẹ-IB ṣe awari ẹya kan ti sniffer ti a fi sinu koodu PHP ti aaye naa, ni lilo aaye naa bi ẹnu-ọna dittm.org.
Ẹya kutukutu ti sniffer ni a tun ṣe awari ti o nlo aaye kanna lati gba data ji. dittm.org, ṣugbọn ẹya yii ti pinnu tẹlẹ fun fifi sori ẹrọ ni ẹgbẹ alabara ti ile itaja ori ayelujara.
Lẹ́yìn náà, ẹgbẹ́ náà yí àwọn ọgbọ́n ẹ̀wẹ́ rẹ̀ padà, wọ́n sì bẹ̀rẹ̀ sí í fiyè sí i sí ìpamọ́ iṣẹ́ ìríra àti ìpakúpa.
Ni ibẹrẹ 2017, ẹgbẹ naa bẹrẹ lilo ìkápá naa jquery-js.comfifi ara ṣe bi CDN fun jQuery: tun olumulo pada si aaye ti o tọ nigbati o nlo si aaye irira kan jquery.com.
Ati ni aarin-2018, ẹgbẹ naa gba orukọ ìkápá kan g-analytics.com o si bẹrẹ si ṣe iyipada iṣẹ-ṣiṣe ti sniffer gẹgẹbi iṣẹ Google Analytics ti o tọ.
Itupalẹ Ẹya
Lakoko itupalẹ ti awọn ibugbe ti a lo lati fipamọ koodu sniffer, o rii pe aaye naa ni nọmba nla ti awọn ẹya ti o yatọ si niwaju obfuscation, bakanna bi wiwa tabi isansa ti koodu ti ko le de ọdọ ti a ṣafikun si faili naa lati yago fun akiyesi. ati tọju koodu irira.
Lapapọ lori aaye naa jquery-js.com mefa awọn ẹya ti sniffers won mọ. Awọn apanirun wọnyi fi data ji lọ ranṣẹ si adirẹsi ti o wa ni aaye kanna bi sniffer funrararẹ: hxxps://jquery-js[.] com/latest/jquery.min.js:
- hxxps://jquery-js[.] com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
Nigbamii ašẹ g-analytics.com, ti ẹgbẹ lo ninu awọn ikọlu lati aarin-2018, ṣiṣẹ bi ibi ipamọ fun awọn apanirun diẹ sii. Ni apapọ, awọn ẹya oriṣiriṣi 16 ti sniffer ni a ṣe awari. Ni idi eyi, ẹnu-ọna fun fifiranṣẹ data ti o ji ni a parada bi ọna asopọ si aworan ti ọna kika GIF: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid
= 1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.] com/libs/analytics.js
Monetization ti awọn ji data
Ẹgbẹ ọdaràn ṣe monetize data ji nipa tita awọn kaadi nipasẹ ile itaja ipamo ti o ṣẹda pataki ti o pese awọn iṣẹ si awọn kaadi. Ayẹwo ti awọn ibugbe ti awọn ikọlu lo jẹ ki o ṣee ṣe lati pinnu iyẹn google-analytics.cm ti forukọsilẹ nipasẹ olumulo kanna bi agbegbe naa kaadiz.vc. Ibugbe kaadiz.vc tọka si Cardsurfs (Flysurfs), ile itaja ti o n ta awọn kaadi banki ti o ji, eyiti o ni gbaye-gbale lakoko ọjà ipamo AlphaBay bi ile itaja ti n ta awọn kaadi banki ti ji ni lilo sniffer.
Ṣiṣayẹwo ašẹ atupale.ni, ti o wa lori olupin kanna gẹgẹbi awọn ibugbe ti awọn apanirun lo lati gba data jija, awọn alamọja Group-IB ṣe awari faili kan ti o ni awọn akọọlẹ jija kuki, eyiti, o dabi pe, nigbamii ti kọ silẹ nipasẹ idagbasoke. Ọkan ninu awọn titẹ sii inu akọọlẹ naa ni agbegbe kan ninu iozoz.com, eyi ti a ti lo tẹlẹ ninu ọkan ninu awọn sniffers ti nṣiṣe lọwọ ni 2016. Ni aigbekele, agbegbe yii ni iṣaaju lo nipasẹ ikọlu lati gba awọn kaadi ji ni lilo sniffer. A forukọsilẹ agbegbe yii si adirẹsi imeeli kan [imeeli ni idaabobo], ti o tun lo lati forukọsilẹ awọn ibugbe cardz.su и kaadiz.vcjẹmọ si Cardsurfs carding itaja.
Da lori awọn data ti o gba, o le ti wa ni ro pe G-Analytics sniffer ebi ati ipamo Cardsurfs ifowo kaadi itaja ti wa ni ṣiṣe nipasẹ awọn kanna eniyan, ati awọn itaja ti wa ni lo lati ta ifowo awọn kaadi ji nipa lilo a sniffer.
Amayederun
| Момен | Ọjọ ti Awari / ifarahan |
|---|---|
| iozoz.com | 08.04.2016 |
| dittm.org | 10.09.2016 |
| jquery-js.com | 02.01.2017 |
| g-analytics.com | 31.05.2018 |
| google-analytics.is | 21.11.2018 |
| atupale.to | 04.12.2018 |
| google-analytics.to | 06.12.2018 |
| google-analytics.cm | 28.12.2018 |
| atupale.ni | 28.12.2018 |
| googlelc-analytics.cm | 17.01.2019 |
Idile Illum
Illum jẹ ẹbi ti awọn apanirun ti a lo lati kọlu awọn ile itaja ori ayelujara ti nṣiṣẹ Magento CMS. Ni afikun si ifihan koodu irira, awọn oniṣẹ ti sniffer yii tun lo ifihan ti awọn fọọmu isanwo iro ni kikun ti o fi data ranṣẹ si awọn ẹnu-bode ti o ṣakoso nipasẹ awọn ikọlu.
Nigbati o ba n ṣe itupalẹ awọn amayederun nẹtiwọki ti awọn oniṣẹ ẹrọ ti sniffer yii lo, nọmba nla ti awọn iwe afọwọkọ irira, awọn ilokulo, awọn fọọmu isanwo iro ni a ṣe akiyesi, ati akojọpọ awọn apẹẹrẹ pẹlu awọn oludije irira irira. Da lori alaye nipa awọn ọjọ ifarahan ti awọn orukọ ìkápá ti ẹgbẹ lo, a le ro pe ibẹrẹ ipolongo naa ṣubu ni opin 2016.
Bii Illum ṣe ṣe imuse ni koodu ti ile itaja ori ayelujara kan
Awọn ẹya akọkọ ti a ṣe awari ti sniffer ni a fi sii taara sinu koodu ti aaye ti o gbogun. Awọn ji data ti a rán si cdn.illum[.]pw/records.php, ẹnu-bode ti wa ni koodu nipa lilo ipilẹ64.
Lẹ́yìn náà, wọ́n ṣàwárí ẹ̀yà dídìdì kan ti sniffer nípa lílo ẹnubodè mìíràn – records.nstatistics[.]com/records.php.
Gegebi Willem de Groot, kanna ogun ti a lo ninu sniffer ti a ti muse lori , ohun ini nipasẹ ẹgbẹ oṣelu German CSU.
Attack ojula onínọmbà
Awọn alamọja Ẹgbẹ-IB ṣe awari ati ṣe atupale aaye ti ẹgbẹ ọdaràn yii nlo lati fipamọ awọn irinṣẹ ati gba alaye ji.
Lara awọn irinṣẹ ti a rii lori olupin ikọlu naa ni a rii awọn iwe afọwọkọ ati awọn ilokulo fun imudara anfani ni Linux OS: fun apẹẹrẹ, Iwe afọwọkọ Imudara Escalation Anfani Linux, ti o dagbasoke nipasẹ Mike Czumak, bakanna bi ilokulo fun CVE-2009-1185.
Awọn ikọlu lo awọn ilokulo meji taara lati kọlu awọn ile itaja ori ayelujara: o lagbara lati abẹrẹ koodu irira sinu core_config_data nipa lilo CVE-2016-4010, lo ailagbara RCE kan ninu awọn afikun Magento CMS, gbigba koodu lainidii lati ṣiṣẹ lori olupin wẹẹbu ti o ni ipalara.
Paapaa, lakoko itupalẹ olupin naa, ọpọlọpọ awọn apẹẹrẹ ti sniffers ati awọn fọọmu isanwo iro ni a rii, ti awọn ikọlu lo lati gba alaye isanwo lati awọn aaye ti a gepa. Gẹgẹbi o ti le rii lati atokọ ni isalẹ, diẹ ninu awọn iwe afọwọkọ ni a ṣẹda ni ẹyọkan fun aaye kọọkan ti a gepa, lakoko ti a lo ojutu gbogbo agbaye fun awọn CMS kan ati awọn ẹnu-ọna isanwo. Fun apẹẹrẹ, awọn iwe afọwọkọ segapay_standard.js и segapay_onpage.js ti a ṣe lati wa ni ifibọ lori awọn aaye nipa lilo ẹnu-ọna isanwo Sage Pay.
Akojọ ti awọn iwe afọwọkọ fun orisirisi owo ẹnu-ọna
| Iwe afọwọkọ | Isanwo Gateway |
|---|---|
| [.] pw/mjs_special/visiondirect.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.] pw/mjs_special/topdirenshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.] pw/mjs_special/tiendalenovo.es.js | //request.payrightnow[.]cf/alldata.php |
| [.] pw/mjs_special/pro-bolt.com.js | //request.payrightnow[.]cf/alldata.php |
| [.] pw/mjs_special/plae.co.js | //request.payrightnow[.]cf/alldata.php |
| [.] pw/mjs_special/ottolenghi.co.uk.js | //request.payrightnow[.]cf/alldata.php |
| [.] pw/mjs_special/oldtimecandy.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.] pw/mjs_special/mylook.ee.js | //cdn.illum[.]pw/records.php |
| [.] pw/mjs_special/luluandsky.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.] pw/mjs_special/julep.com.js | //cdn.illum[.]pw/records.php |
| [.] pw/mjs_special/gymcompany.es.js | //request.payrightnow[.]cf/alldata.php |
| [.] pw/mjs_special/grotekadoshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.] pw/mjs_special/fushi.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.] pw/mjs_special/faraastflora.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.] pw/mjs_special/compuindia.com.js | //request.payrightnow[.]cf/alldata.php |
| [.] pw/mjs/segapay_standart.js | //cdn.illum[.]pw/records.php |
| [.] pw/mjs/segapay_onpage.js | //cdn.illum[.]pw/records.php |
| [.] pw/mjs/ropo_standard.js | //request.payrightnow[.]cf/checkpayment.php |
| [.] pw/mjs/all_inputs.js | //cdn.illum[.]pw/records.php |
| [.] pw/mjs/ add_inputs_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| [.] pw/magento/payment_standard.js | //cdn.illum[.]pw/records.php |
| [.] pw/magento/payment_redirect.js | //payright now[.]cf/?sanwo= |
| [.] pw/magento/payment_redcrypt.js | //payright now[.]cf/?sanwo= |
| [.] pw/magento/payment_forminsite.js | //paymentnow[.]tk/?sanwo= |
Gbalejo sisan bayi[.] tk, ti a lo bi ẹnu-ọna ninu iwe afọwọkọ kan Payment_forminsite.js, a ti se awari bi kokoAltName ni awọn iwe-ẹri pupọ ti o ni ibatan si iṣẹ CloudFlare. Ni afikun, awọn akosile ti a be lori ogun ibi.js. Ti o ṣe idajọ nipasẹ orukọ iwe afọwọkọ naa, o le ti lo gẹgẹbi apakan ti lilo CVE-2016-4010, o ṣeun si eyi ti o ṣee ṣe lati fi koodu irira sinu ẹsẹ ti aaye kan ti nṣiṣẹ Magento CMS. Iwe afọwọkọ yii lo agbalejo bi ẹnu-ọna ìbéèrè.requestnet[.]tk, lilo iwe-ẹri kanna bi agbalejo sisan bayi[.] tk.
Awọn fọọmu isanwo iro
Nọmba ti o wa ni isalẹ fihan apẹẹrẹ ti fọọmu kan fun titẹ data kaadi sii. Fọọmu yii ni a lo lati wọ inu oju opo wẹẹbu itaja ori ayelujara kan ati ji data kaadi.
Nọmba ti o tẹle yii jẹ apẹẹrẹ ti fọọmu isanwo PayPal iro ti o jẹ lilo nipasẹ awọn ikọlu lati wọ awọn aaye ni lilo ọna isanwo yii.
Amayederun
| Момен | Ọjọ ti Awari / ifarahan |
|---|---|
| cdn.illum.pw | 27/11/2016 |
| records.nstatistics.com | 06/09/2018 |
| ìbéèrè.payrightnow.cf | 25/05/2018 |
| sisanwo.tk | 16/07/2017 |
| sisan-ila.tk | 01/03/2018 |
| owo sisan.cf | 04/09/2017 |
| ìbéèrènet.tk | 28/06/2017 |
idile CoffeeMokko
Idile CoffeMokko ti sniffers ti a ṣe apẹrẹ lati ji awọn kaadi banki ti awọn olumulo ile itaja ori ayelujara ti lo lati o kere ju May 2017. Aigbekele, ẹgbẹ 1 odaran ẹgbẹ ti a ṣe apejuwe nipasẹ awọn amoye RiskIQ ni ọdun 2016 jẹ oniṣẹ ti idile ti awọn apanirun. Awọn oju opo wẹẹbu nṣiṣẹ bii CMS bii Magento, OpenCart, WordPress, osCommerce, Shopify ni a kọlu.
Bawo ni CoffeMokko ti wa ni ifibọ ninu koodu ti ile itaja ori ayelujara kan
Awọn oniṣẹ ti idile yii ṣẹda awọn apanirun alailẹgbẹ fun ikolu kọọkan: faili sniffer wa ninu itọsọna naa src tabi js lori olupin awọn attacker. Imuse sinu koodu ojula ni a ṣe nipasẹ ọna asopọ taara si sniffer.
Awọn koodu sniffer lile-koodu awọn orukọ ti awọn aaye fọọmu lati eyi ti o fẹ lati ji data. Awọn sniffer tun ṣayẹwo boya olumulo wa ni oju-iwe isanwo nipa ṣiṣe ayẹwo atokọ ti awọn koko-ọrọ lodi si adirẹsi olumulo lọwọlọwọ.
Diẹ ninu awọn ẹya ti a ṣe awari ti sniffer ni a parẹ ati pe o ni okun ti paroko kan ti o tọju titobi awọn orisun akọkọ: o ni awọn orukọ ti awọn aaye fọọmu fun ọpọlọpọ awọn eto isanwo, ati adirẹsi ti ẹnu-bode eyiti o yẹ ki o firanṣẹ data ji.
Alaye isanwo ti ji ti firanṣẹ si iwe afọwọkọ kan lori olupin awọn ikọlu ni ọna. /savePayment/index.php tabi /tr/index.php. Aigbekele, iwe afọwọkọ yii ni a lo lati fi data ranṣẹ lati ẹnu-bode si olupin akọkọ, eyiti o ṣe idapọ data lati gbogbo awọn apanirun. Lati tọju data ti o tan kaakiri, gbogbo alaye isanwo ti olufaragba jẹ koodu koodu nipa lilo ipilẹ64, ati lẹhinna ọpọlọpọ awọn iyipada ohun kikọ ṣẹlẹ:
- "e" ti rọpo nipasẹ ":"
- aami "w" ti rọpo nipasẹ "+"
- kikọ "o" ti rọpo nipasẹ "%"
- kikọ "d" ti rọpo nipasẹ "#"
- iwa "a" ti rọpo nipasẹ "-"
- aami "7" ti rọpo pẹlu "^"
- iwa "h" ti rọpo nipasẹ "_"
- aami "T" ti wa ni rọpo pẹlu "@"
- kikọ "0" ti rọpo nipasẹ "/"
- ohun kikọ "Y" ti rọpo nipasẹ "*"
Bi awọn kan abajade ti ohun kikọ silẹ fidipo pẹlu ipilẹ64 data ko le ṣe iyipada laisi iyipada onidakeji.
Eyi ni bi ajẹkù ti koodu sniffer ti ko ti parun ṣe dabi:
Amayederun igbekale
Ni awọn ipolongo ibẹrẹ, awọn ikọlu forukọsilẹ awọn orukọ agbegbe ti o jọra ti awọn aaye rira ori ayelujara ti o tọ. Agbegbe wọn le yato si ọkan ti o tọ nipasẹ ohun kikọ kan tabi TLD miiran. Awọn ibugbe ti a forukọsilẹ ni a lo lati fipamọ koodu sniffer, ọna asopọ si eyiti a fi sii ninu koodu itaja.
Paapaa, ẹgbẹ yii lo awọn orukọ agbegbe ti o ranti awọn afikun jQuery olokiki (slickjs[.]org fun awọn aaye lilo itanna alarinkiri.js), awọn ẹnu-ọna owo sisan (sagecdn[.]org fun awọn aaye lilo Sage Pay sisan eto).
Nigbamii, ẹgbẹ naa bẹrẹ lati ṣẹda awọn ibugbe ti orukọ wọn ko ni nkan ṣe pẹlu boya aaye ile-itaja tabi akori ile itaja naa.
Agbegbe kọọkan ni ibamu si aaye ti a ṣẹda liana naa /js tabi / src. Awọn iwe afọwọkọ Sniffer ni a fipamọ sinu itọsọna yii: sniffer kan fun ikolu tuntun kọọkan. A ṣe afihan sniffer naa sinu koodu aaye nipasẹ ọna asopọ taara, ṣugbọn ni awọn iṣẹlẹ to ṣọwọn, awọn ikọlu ṣe atunṣe ọkan ninu awọn faili aaye naa ati ṣafikun koodu irira si rẹ.
Ayẹwo koodu
Algorithm Obfuscation akọkọ
Ni diẹ ninu awọn apẹẹrẹ sniffer ti idile yii, koodu naa ti parẹ ati pe o ni awọn data fifi ẹnọ kọ nkan ti o ṣe pataki fun sniffer lati ṣiṣẹ: ni pataki, adirẹsi ẹnu-ọna sniffer, atokọ ti awọn aaye fọọmu isanwo, ati ni awọn igba miiran, koodu fọọmu isanwo iro kan. Ninu koodu inu iṣẹ naa, awọn orisun ti paroko pẹlu ỌFẸ nipasẹ bọtini ti o ti kọja bi ariyanjiyan si iṣẹ kanna.
Nipa didi okun pẹlu bọtini ti o baamu, alailẹgbẹ fun apẹẹrẹ kọọkan, o le gba okun ti o ni gbogbo awọn ila lati koodu sniffer ti o yapa nipasẹ ohun kikọ alapin.
Alugoridimu obfuscation keji
Ni awọn ayẹwo nigbamii ti idile ti awọn sniffers, ọna oriṣiriṣi obfuscation ti a lo: ninu ọran yii, data ti paroko nipa lilo algorithm ti ara ẹni. Okun kan ti o ni data fifi ẹnọ kọ nkan ti o nilo fun sniffer lati ṣiṣẹ ni a kọja bi ariyanjiyan si iṣẹ decryption.
Lilo console ẹrọ aṣawakiri, o le ge data fifi ẹnọ kọ nkan ati gba akojọpọ ti o ni awọn orisun sniffer ninu.
Ọna asopọ si awọn ikọlu MageCart ni kutukutu
Ninu itupalẹ ọkan ninu awọn ibugbe ti ẹgbẹ naa lo bi ẹnu-ọna lati gba data jija, o rii pe awọn amayederun ti ji awọn kaadi kirẹditi ni a gbe sori agbegbe yii, ti o jọra si eyiti Ẹgbẹ 1 lo, ọkan ninu awọn ẹgbẹ akọkọ, Awọn alamọja RiskIQ.
Awọn faili meji ni a rii lori agbalejo ti idile CoffeMokko sniffer:
- mage.js - faili ti o ni koodu sniffer Ẹgbẹ 1 pẹlu adirẹsi ẹnu-ọna js-cdn.ọna asopọ
- magi.php - PHP iwe afọwọkọ lodidi fun gbigba awọn data ji nipa sniffer
Awọn akoonu ti faili mage.js
O tun ti pinnu pe awọn ibugbe akọkọ ti ẹgbẹ lo lẹhin idile CoffeMokko sniffer ni a forukọsilẹ ni May 17, 2017:
- link-js[.] ọna asopọ
- info-js[.] ọna asopọ
- track-js[.] ọna asopọ
- map-js[.] ọna asopọ
- smart-js[.] ọna asopọ
Ọna kika ti awọn orukọ ìkápá wọnyi jẹ kanna bii awọn orukọ ìkápá Ẹgbẹ 1 ti a lo ninu awọn ikọlu 2016.
Da lori awọn otitọ ti a ṣe awari, o le ro pe asopọ kan wa laarin awọn oniṣẹ sniffer CoffeMokko ati ẹgbẹ ọdaràn Ẹgbẹ 1. Aigbekele, awọn oniṣẹ CoffeMokko le ti ya awọn irinṣẹ ati sọfitiwia lati ji awọn kaadi lati awọn ti o ti ṣaju wọn. Sibẹsibẹ, o ṣee ṣe diẹ sii pe ẹgbẹ ọdaràn lẹhin lilo awọn apanirun idile CoffeMokko jẹ awọn eniyan kanna ti o ṣe awọn ikọlu gẹgẹ bi apakan ti awọn iṣẹ ẹgbẹ 1. Lẹhin ti atẹjade ijabọ akọkọ lori awọn iṣẹ ti ẹgbẹ ọdaràn, gbogbo wọn. Awọn orukọ-ašẹ ti dina, ati awọn irinṣẹ ti a ṣe iwadi ni apejuwe ati ṣe apejuwe. A fi agbara mu ẹgbẹ naa lati ya isinmi, ṣe atunṣe awọn irinṣẹ inu wọn daradara ati tun kọ koodu sniffer lati le tẹsiwaju awọn ikọlu wọn ati ki o wa ni akiyesi.
Amayederun
| Момен | Ọjọ ti Awari / ifarahan |
|---|---|
| ọna asopọ-js.link | 17.05.2017 |
| alaye-js.link | 17.05.2017 |
| track-js.link | 17.05.2017 |
| map-js.link | 17.05.2017 |
| smart-js.link | 17.05.2017 |
| adorebeauty.org | 03.09.2017 |
| aabo-sanwo.su | 03.09.2017 |
| braincdn.org | 04.09.2017 |
| sagecdn.org | 04.09.2017 |
| slickjs.org | 04.09.2017 |
| oakandfort.org | 10.09.2017 |
| citywlnery.org | 15.09.2017 |
| dobell.su | 04.10.2017 |
| childrensplayclothing.org | 31.10.2017 |
| jewsondirect.com | 05.11.2017 |
| itaja-rnib.org | 15.11.2017 |
| closetlondon.org | 16.11.2017 |
| misshaus.org | 28.11.2017 |
| batiri-agbara.org | 01.12.2017 |
| kik-vape.org | 01.12.2017 |
| greatfurnituretradingco.org | 02.12.2017 |
| etradesupply.org | 04.12.2017 |
| replacemyremote.org | 04.12.2017 |
| gbogbo-about-sneakers.org | 05.12.2017 |
| mage-checkout.org | 05.12.2017 |
| nililotan.org | 07.12.2017 |
| lamoodbighat.net | 08.12.2017 |
| walletgear.org | 10.12.2017 |
| dahlie.org | 12.12.2017 |
| davidsfootwear.org | 20.12.2017 |
| blackriverimaging.org | 23.12.2017 |
| exrpesso.org | 02.01.2018 |
| itura.su | 09.01.2018 |
| pmtonline.com | 12.01.2018 |
| otocap.org | 15.01.2018 |
| christohperward.org | 27.01.2018 |
| kofi.org | 31.01.2018 |
| energycoffe.org | 31.01.2018 |
| energytea.org | 31.01.2018 |
| teacoffe.net | 31.01.2018 |
| adaptivecss.org | 01.03.2018 |
| coffemokko.com | 01.03.2018 |
| londontea.net | 01.03.2018 |
| ukcoffe.com | 01.03.2018 |
| labbe.biz | 20.03.2018 |
| batirinart.com | 03.04.2018 |
| btosports.net | 09.04.2018 |
| chicksaddlery.net | 16.04.2018 |
| paypay.org | 11.05.2018 |
| ar500arnor.com | 26.05.2018 |
| authorizecdn.com | 28.05.2018 |
| slickmin.com | 28.05.2018 |
| bannerbuzz.info | 03.06.2018 |
| kandypens.net | 08.06.2018 |
| mylrendyphone.com | 15.06.2018 |
| freshchat.info | 01.07.2018 |
| 3lift.org | 02.07.2018 |
| abtasty.net | 02.07.2018 |
| mechat.info | 02.07.2018 |
| zoplm.com | 02.07.2018 |
| zapaljs.com | 02.09.2018 |
| foodandcot.com | 15.09.2018 |
| freshdepor.com | 15.09.2018 |
| swappastore.com | 15.09.2018 |
| verywellfitness.com | 15.09.2018 |
| elegrina.com | 18.11.2018 |
| Majsurplus.com | 19.11.2018 |
| top5value.com | 19.11.2018 |
orisun: www.habr.com