Cishe wonke umuntu wethu usebenzisa izinsiza zezitolo eziku-inthanethi, okusho ukuthi ngokushesha noma kamuva siba sengozini yokuba yisisulu sabahogela be-JavaScript - ikhodi ekhethekile abahlaseli abayijova kuwebhusayithi ukuze bantshontshe idatha yekhadi lasebhange, amakheli, amagama omsebenzisi namagama ayimfihlo. .
Cishe abasebenzisi abangu-400 bewebhusayithi yeBritish Izindiza kanye nohlelo lokusebenza lweselula sebethintwe abantu abahogelayo, kanye nezivakashi zewebhusayithi ye-FILA yesikhondlakhondla sezemidlalo saseBrithani kanye nomsabalalisi wamathikithi wase-US uTicketmaster. I-PayPal, i-Chase Paymenttech, i-USAePay, i-Moneris - lezi nezinye izinhlelo eziningi zokukhokha zithelelekile.
Umhlaziyi we-Threat Intelligence Group-IB u-Viktor Okorokov ukhuluma ngendlela abantu abahogelayo abangena ngayo ikhodi yewebhusayithi futhi bantshontshe imininingwane yokukhokha, kanye nokuthi imaphi ama-CRM abahlaselayo.
"Usongo olufihliwe"
Kwenzeka ukuthi isikhathi eside ama-JS-sniffers ahlala engabonakali kubahlaziyi be-anti-virus, futhi amabhange nezinhlelo zokukhokha azizange ziwabone njengosongo olukhulu. Futhi ngokuphelele ize. Iqembu-IB Ochwepheshe Izitolo eziku-inthanethi ezingama-2440 ezinegciwane, izivakashi zazo - ingqikithi yabantu ababalelwa ezigidini eziyi-1,5 ngosuku - ezazisengcupheni yokuyekethisa. Phakathi kwezisulu akubona abasebenzisi kuphela, kodwa futhi nezitolo ze-intanethi, izinhlelo zokukhokha namabhange akhiphe amakhadi ayekethisa.
I-Group-IB ibe isifundo sokuqala semakethe ye-darknet yabantu abahogelayo, ingqalasizinda yabo nezindlela zokwenza imali, okuletha izigidi zamadola kubadali babo. Sihlonze imindeni engama-38 yabahogelayo, eyi-12 kuphela ebiyaziwa abacwaningi ngaphambilini.
Ake sixoxe kabanzi ngemindeni emine yabantu abahogelayo efundwe ngesikhathi socwaningo.
ReactGet umndeni
Ama-sniffer omndeni we-ReactGet asetshenziselwa ukweba idatha yekhadi lasebhange kumasayithi okuthenga aku-inthanethi. I-sniffer ingasebenza nenani elikhulu lezinhlelo zokukhokha ezihlukene ezisetshenziswa kusayithi: inani lepharamitha elilodwa lihambisana nesistimu yokukhokha eyodwa, futhi izinguqulo ezitholiwe zomuntu ngamunye zingasetshenziswa ukweba imininingwane, kanye nokweba idatha yekhadi lasebhange amafomu okukhokha ezinhlelo zokukhokha ezimbalwa ngesikhathi esisodwa, njengalokhu okubizwa ngokuthi i-universal sniffer. Kutholwe ukuthi kwezinye izimo, abahlaseli benza ubugebengu bokweba imininingwane ebucayi kubaphathi bezitolo eziku-inthanethi ukuze bathole ukufinyelela kuphaneli yokulawula yesayithi.
Umkhankaso osebenzisa lo mndeni wabantu abahogelayo waqala ngoMeyi 2017. Amasayithi asebenzisa i-CMS nezinkundla iMagento, Bigcommerce, Shopify zahlaselwa.
I-ReactGet ishumekwe kanjani kukhodi yesitolo se-inthanethi
Ngokungeziwe kumjovo weskripthi "sakudala" ngesixhumanisi, o-opharetha bomndeni wakwa-ReactGet basebenzisa indlela ekhethekile: kusetshenziswa ikhodi ye-JavaScript, ihlola ukuthi ikheli lamanje lapho umsebenzisi ekhona liyahlangabezana yini nemibandela ethile. Ikhodi enonya izosebenza kuphela uma i-URL yamanje iqukethe uchungechunge oluncane Hlola noma isinyathelo esisodwa uhlole, ikhasi elilodwa/, ngaphandle/ikhasi elilodwa, ukuphuma/okukodwa, phuma/eyodwa. Ngakho, ikhodi yokuhogela izosetshenziswa ngaleso sikhathi lapho umsebenzisi eqhubeka nokukhokhela ukuthenga futhi efaka imininingwane yokukhokha efomini elikusayithi.
Lesi siphunga sisebenzisa indlela engajwayelekile. Inkokhelo kanye nedatha yomuntu siqu yesisulu iqoqwa ndawonye, ibhalwe ngekhodi kusetshenziswa isisekelo64, bese iyunithi yezinhlamvu ewumphumela isetshenziswa njengepharamitha ukuthumela isicelo kusayithi elinonya. Ngokuvamile, indlela eya esangweni ilingisa ifayela le-JavaScript, isibonelo resp.js, idatha.js nokunye, kodwa izixhumanisi zamafayela esithombe nazo ziyasetshenziswa, GIF и I-JPG. Okukhethekile ukuthi isiduphunga sakha into yesithombe enosayizi wephikseli elingu-1 by 1 futhi sisebenzisa isixhumanisi esitholwe ngaphambilini njengepharamitha. src Izithombe. Okusho ukuthi, kumsebenzisi, isicelo esinjalo kuthrafikhi sizobukeka njengesicelo sesithombe esijwayelekile. Indlela efanayo isetshenziswe emndenini we-ImageID wabahogelayo. Ngaphezu kwalokho, indlela yesithombe sephikseli engu-1x1 isetshenziswa emibhalweni eminingi esemthethweni yezibalo eziku-inthanethi, ezingase futhi zidukise umsebenzisi.
Ukuhlaziywa Kwenguqulo
Ukuhlaziywa kwezizinda ezisebenzayo ezisetshenziswa o-opharetha be-ReactGet sniffer kwembule izinguqulo eziningi ezihlukene zalo mndeni wabahogelayo. Izinguqulo ziyahlukahluka lapho kukhona noma ukungabikho kwe-obfuscation, futhi ngaphezu kwalokho, i-sniffer ngayinye yakhelwe uhlelo oluthile lokukhokha olucubungula izinkokhelo zamakhadi asebhange ezitolo ze-inthanethi. Ngemva kokuhlunga inani lepharamitha elihambisana nenombolo yenguqulo, ochwepheshe beQembu-IB bathole uhlu oluphelele lokuhlukahluka okutholakalayo kokuhogela, futhi ngamagama ezinkambu zefomu umthuki ngamunye azibhekayo kukhodi yekhasi, banquma izinhlelo zokukhokha. ukuthi umnuki uhlose.
Uhlu lwabahogelayo kanye nezinhlelo zabo zokukhokha ezihambisanayo
| I-URL ye-sniffer | Uhlelo lokukhokha |
|---|---|
| Authorize.Net | |
| Ukulondoloza amakhadi | |
| Authorize.Net | |
| Authorize.Net | |
| I-eWAY Rapid | |
| Authorize.Net | |
| Adyen | |
| I-USAePay | |
| Authorize.Net | |
| I-USAePay | |
| Authorize.Net | |
| I-Moneris | |
| I-USAePay | |
| PayPal | |
| I-SagePay | |
| I-Verisign | |
| PayPal | |
| I-Stripe | |
| I-Realex | |
| PayPal | |
| I-LinkPoint | |
| PayPal | |
| PayPal | |
| idathacash | |
| PayPal | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| I-Verisign | |
| Authorize.Net | |
| I-Moneris | |
| I-SagePay | |
| I-USAePay | |
| Authorize.Net | |
| Authorize.Net | |
| ANZ eGate | |
| Authorize.Net | |
| I-Moneris | |
| I-SagePay | |
| I-SagePay | |
| Chase Paymentech | |
| Authorize.Net | |
| Adyen | |
| I-PsiGate | |
| Umthombo we-Cyber | |
| ANZ eGate | |
| I-Realex | |
| I-USAePay | |
| Authorize.Net | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| PayPal | |
| I-Realex | |
| I-SagePay | |
| PayPal | |
| I-Verisign | |
| Authorize.Net | |
| I-Verisign | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| Umthombo we-Cyber | |
| Authorize.Net | |
| I-SagePay | |
| I-Realex | |
| Umthombo we-Cyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| I-Verisign | |
| I-eWAY Rapid | |
| I-SagePay | |
| I-SagePay | |
| I-Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| I-First Data Global Gateway | |
| Authorize.Net | |
| Authorize.Net | |
| I-Moneris | |
| Authorize.Net | |
| PayPal | |
| I-Verisign | |
| I-USAePay | |
| I-USAePay | |
| Authorize.Net | |
| I-Verisign | |
| PayPal | |
| Authorize.Net | |
| I-Stripe | |
| Authorize.Net | |
| I-eWAY Rapid | |
| I-SagePay | |
| Authorize.Net | |
| I-Braintree | |
| I-Braintree | |
| PayPal | |
| I-SagePay | |
| I-SagePay | |
| Authorize.Net | |
| PayPal | |
| Authorize.Net | |
| I-Verisign | |
| PayPal | |
| Authorize.Net | |
| I-Stripe | |
| Authorize.Net | |
| I-eWAY Rapid | |
| I-SagePay | |
| Authorize.Net | |
| I-Braintree | |
| PayPal | |
| I-SagePay | |
| I-SagePay | |
| Authorize.Net | |
| PayPal | |
| Authorize.Net | |
| I-Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| Authorize.Net | |
| I-SagePay | |
| I-SagePay | |
| I-Westpac PayWay | |
| inkokhelo | |
| PayPal | |
| Authorize.Net | |
| I-Stripe | |
| I-First Data Global Gateway | |
| I-PsiGate | |
| Authorize.Net | |
| Authorize.Net | |
| I-Moneris | |
| Authorize.Net | |
| I-SagePay | |
| I-Verisign | |
| I-Moneris | |
| PayPal | |
| I-LinkPoint | |
| I-Westpac PayWay | |
| Authorize.Net | |
| I-Moneris | |
| PayPal | |
| Adyen | |
| PayPal | |
| Authorize.Net | |
| I-USAePay | |
| EBizCharge | |
| Authorize.Net | |
| I-Verisign | |
| I-Verisign | |
| Authorize.Net | |
| PayPal | |
| I-Moneris | |
| Authorize.Net | |
| PayPal | |
| PayPal | |
| I-Westpac PayWay | |
| Authorize.Net | |
| Authorize.Net | |
| I-SagePay | |
| I-Verisign | |
| Authorize.Net | |
| PayPal | |
| inkokhelo | |
| Umthombo we-Cyber | |
| I-PayPal Payflow Pro | |
| Authorize.Net | |
| Authorize.Net | |
| I-Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| I-SagePay | |
| Authorize.Net | |
| I-Stripe | |
| Authorize.Net | |
| Authorize.Net | |
| I-Verisign | |
| PayPal | |
| Authorize.Net | |
| Authorize.Net | |
| I-SagePay | |
| Authorize.Net | |
| Authorize.Net | |
| PayPal | |
| Flint | |
| PayPal | |
| I-SagePay | |
| I-Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| I-Stripe | |
| I-Zebra Ekhuluphele | |
| I-SagePay | |
| Authorize.Net | |
| I-First Data Global Gateway | |
| Authorize.Net | |
| I-eWAY Rapid | |
| Adyen | |
| PayPal | |
| Izinsizakalo ze-QuickBooks Merchant Services | |
| I-Verisign | |
| I-SagePay | |
| I-Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| I-SagePay | |
| Authorize.Net | |
| I-eWAY Rapid | |
| Authorize.Net | |
| ANZ eGate | |
| PayPal | |
| Umthombo we-Cyber | |
| Authorize.Net | |
| I-SagePay | |
| I-Realex | |
| Umthombo we-Cyber | |
| PayPal | |
| PayPal | |
| PayPal | |
| I-Verisign | |
| I-eWAY Rapid | |
| I-SagePay | |
| I-SagePay | |
| I-Verisign | |
| Authorize.Net | |
| Authorize.Net | |
| I-First Data Global Gateway | |
| Authorize.Net | |
| Authorize.Net | |
| I-Moneris | |
| Authorize.Net | |
| PayPal |
I-password sniffer
Enye yezinzuzo zokuhogela kwe-JavaScript ezisebenza ohlangothini lweklayenti lewebhusayithi ukusebenza kwayo ngezindlela eziningi: ikhodi enonya eshumekwe kuwebhusayithi ingantshontsha noma yiluphi uhlobo lwedatha, kungaba ulwazi lokukhokha noma ukungena ngemvume nephasiwedi ku-akhawunti yomsebenzisi. Ochwepheshe be-Group-IB bathole isampula yomuntu othungayo womndeni wakwa-ReactGet, oklanyelwe ukweba amakheli e-imeyili namaphasiwedi wabasebenzisi besayithi.
Isiphambano-ndlela nesiphunga se-ImageID
Ngesikhathi kuhlaziywa esinye sezitolo esinegciwane, kwatholakala ukuthi iwebhusayithi yaso yatheleleka kabili: ngaphezu kwekhodi enonya yomndeni wakwa-ReactGet, kutholwe ikhodi yesiduphunga somndeni we-ImageID. Lokhu kugqagqana kungase kube ubufakazi bokuthi ama-opharetha asekela ukusetshenziswa kwazo zombili izihoxi zisebenzisa amasu afanayo ukuze ajove ikhodi enonya.
I-Universal sniffer
Ngesikhathi sokuhlaziywa kwelinye lamagama esizinda ahlobene nengqalasizinda ye-ReactGet sniffer, kutholwe ukuthi umsebenzisi ofanayo ubhalise amanye amagama esizinda amathathu. Lezi zizinda ezintathu zilingise izizinda zamasayithi empilo yangempela futhi ngaphambilini bezisetshenziswa ukusingatha abantu abahogelayo. Lapho kuhlaziywa ikhodi yamasayithi amathathu asemthethweni, kutholwe i-sniffer engaziwa, futhi ukuhlaziya okwengeziwe kwabonisa ukuthi lena inguqulo ethuthukisiwe ye-ReactGet sniffer. Zonke izinguqulo ezilandelelwe ngaphambilini zalo mndeni wabahogelayo beziqondiswe kusistimu yokukhokha eyodwa, okusho ukuthi, inguqulo ekhethekile ye-sniffer ibidingeka kusistimu yokukhokha ngayinye. Kodwa-ke, kulesi simo, kutholwe inguqulo yendawo yonke ye-sniffer, ekwazi ukweba ulwazi kumafomu ahlobene nezinhlelo zokukhokha ezihlukene eziyi-15 namamojula wezindawo ze-ecommerce ukuze uthole izinkokhelo ze-inthanethi.
Ngakho-ke, ekuqaleni komsebenzi, i-sniffer yafuna izinkundla zefomu eziyisisekelo eziqukethe ulwazi lomuntu siqu lwesisulu: igama eligcwele, ikheli lendawo, inombolo yocingo.
I-sniffer ibe isisesha ngaphezu kweziqalo ezihlukene ezingu-15 ezihambisana nezinhlelo zokukhokha ezihlukene namamojula wezinkokhelo ze-inthanethi.
Okulandelayo, idatha yomuntu siqu kanye nolwazi lokukhokha kwaqoqwa ndawonye futhi kwathunyelwa kusayithi elilawulwa umhlaseli: kulesi simo, izinguqulo ezimbili ze-ReactGet sniffer yendawo yonke zitholwe zitholakala kumasayithi amabili ahlukene agqekeziwe. Kodwa-ke, zombili izinguqulo zithumele idatha entshontshiwe kusayithi elifanayo eligqekeziwe. zoobashop.com.
Ukuhlaziywa kweziqalo ezisetshenziswa umdunusi ukuthola izinkambu eziqukethe ulwazi lwenkokhelo yesisulu kunqume ukuthi le sampuli yokuhogela iqondiswe kumasistimu okukhokha alandelayo:
- Authorize.Net
- I-Verisign
- Idatha yokuqala
- I-USAePay
- I-Stripe
- PayPal
- ANZ eGate
- I-Braintree
- Imali Yedatha (MasterCard)
- Izinkokhelo ze-Realex
- I-PsiGate
- I-Heartland Payment Systems
Yimaphi amathuluzi asetshenziselwa ukweba ulwazi lokukhokha
Ithuluzi lokuqala elitholwe ngesikhathi sokuhlaziywa kwengqalasizinda yabahlaseli lisebenzela ukufiphaza imibhalo enonya enesibopho sokweba amakhadi asebhange. Iskripthi se-bash esisebenzisa i-CLI yephrojekthi sitholwe komunye wabasingathi babahlaseli. ukwenza ngokuzenzakalelayo i-sniffer code obfuscation.
Ithuluzi lesibili elitholiwe lenzelwe ukukhiqiza ikhodi enesibopho sokulayisha i-sniffer eyinhloko. Leli thuluzi lakha ikhodi ye-JavaScript ehlola ukuthi umsebenzisi usekhasini lokuphuma yini ngokusesha ikheli lamanje lomsebenzisi leyunithi yezinhlamvu. Hlola, inqola nokunye, futhi uma umphumela ulungile, khona-ke ikhodi ilayisha i-sniffer eyinhloko kusuka kuseva yomhlaseli. Ukuze ufihle umsebenzi omubi, yonke imigqa, okuhlanganisa imigqa yokuhlola yokunquma ikhasi lokukhokha, kanye nesixhumanisi esiya kumdunusi, ibhalwa ngekhodi kusetshenziswa. isisekelo64.
Ukuhlaselwa kobugebengu bokweba imininingwane ebucayi
Ngesikhathi sokuhlaziywa kwengqalasizinda yenethiwekhi yabahlaseli, kutholwe ukuthi iqembu lobugebengu livamise ukusebenzisa ubugebengu bokweba imininingwane ebucayi ukuze lithole ukufinyelela kuphaneli yokulawula yesitolo se-inthanethi esiqondiwe. Abahlaseli babhalisa isizinda esibukeka njengesizinda sesitolo bese bethumela ifomu lokungena elingumgunyathi le-Magento kuso. Uma kuphumelele, abahlaseli bazothola ukufinyelela kuphaneli yokulawula ye-Magento CMS, okubanikeza ikhono lokuhlela izingxenye zesayithi futhi basebenzise okokuthungatha ukuze bantshontshe idatha yekhadi lesikweletu.
Ingqalasizinda
| Isizinda | Usuku lokutholwa/ukuvela |
|---|---|
| mediapack.info | 04.05.2017 |
| adsgetapi.com | 15.06.2017 |
| simcounter.com | 14.08.2017 |
| mageanalytics.com | 22.12.2017 |
| maxstatics.com | 16.01.2018 |
| reactjsapi.com | 19.01.2018 |
| mxcounter.com | 02.02.2018 |
| apittatus.com | 01.03.2018 |
| orderracker.com | 20.04.2018 |
| tagtracking.com | 25.06.2018 |
| adsapigate.com | 12.07.2018 |
| trusttracker.com | 15.07.2018 |
| fbstatspartner.com | 02.10.2018 |
| billgetstatus.com | 12.10.2018 |
| www.aldenmlilhouse.com | 20.10.2018 |
| balletbeautlful.com | 20.10.2018 |
| bargalnjunkie.com | 20.10.2018 |
| payselector.com | 21.10.2018 |
| tagsmediaget.com | 02.11.2018 |
| hs-payments.com | 16.11.2018 |
| ordercheckpays.com | 19.11.2018 |
| geissee.com | 24.11.2018 |
| gtmproc.com | 29.11.2018 |
| livegetpay.com | 18.12.2018 |
| sydneysalonsupplies.com | 18.12.2018 |
| newrelicnet.com | 19.12.2018 |
| nr-public.com | 03.01.2019 |
| Cloudodesc.com | 04.01.2019 |
| ajaxstatic.com | 11.01.2019 |
| livecheckpay.com | 21.01.2019 |
| asianfoodgracer.com | 25.01.2019 |
Umndeni wakwa-G-Analytics
Lo mndeni wabantu abahogelayo usetshenziselwa ukweba amakhadi ekhasimende ezitolo ze-inthanethi. Igama lesizinda sokuqala elisetshenziswa iqembu labhaliswa ngo-April 2016, okungase kubonise ukuqala komsebenzi weqembu phakathi no-2016.
Emkhankasweni wamanje, iqembu lisebenzisa amagama esizinda alingisa amasevisi empilo yangempela njenge-Google Analytics ne-jQuery, umsebenzi wokuhogela ofihlayo onemibhalo esemthethweni namagama esizinda abukeka esemthethweni. Amawebhusayithi asebenza ngaphansi kwe-CMS Magento ahlaselwe.
I-G-Analytics isetshenziswa kanjani kukhodi yesitolo eku-inthanethi
Isici esihlukile salo mndeni ukusetshenziswa kwezindlela ezihlukahlukene zokweba ulwazi lokukhokha lomsebenzisi. Ngokungeziwe kumjovo we-JavaScript wakudala ohlangothini lweklayenti lesayithi, iqembu lobugebengu liphinde lasebenzisa indlela yokujova ikhodi ohlangothini lweseva lwesayithi, okuyimibhalo ye-PHP ecubungula okokufaka komsebenzisi. Le nqubo iyingozi ngoba yenza kube nzima kubacwaningi abavela eceleni ukuthola ikhodi enonya. Ochwepheshe be-Group-IB bathole inguqulo ye-sniffer eshumekwe kukhodi ye-PHP yesayithi, besebenzisa isizinda njengesango. dittm.org.
Inguqulo yokuqala yomuntu othungayo nayo yatholwa esebenzisa isizinda esifanayo ukuqoqa idatha entshontshiwe. dittm.org, kodwa le nguqulo isivele ihloselwe ukufakwa ohlangothini lweklayenti esitolo se-inthanethi.
Kamuva, leli qembu lashintsha amaqhinga alo futhi laqala ukunaka kakhulu ukufihlwa kwezenzo ezinonya nokucasha.
Ekuqaleni kuka-2017, iqembu laqala ukusebenzisa isizinda jquery-js.comukuzenza njenge-CDN ye-jQuery: iqondisa kabusha umsebenzisi kusayithi elisemthethweni lapho eya kusayithi eliyingozi jquery.com.
Futhi maphakathi no-2018, leli qembu lamukela igama lesizinda g-analytics.com futhi yaqala ukufihla umsebenzi we-sniffer njengesevisi ye-Google Analytics esemthethweni.
Ukuhlaziywa Kwenguqulo
Ngesikhathi sokuhlaziywa kwezizinda ezisetshenziselwa ukugcina ikhodi ye-sniffer, kwatholakala ukuthi isayithi linenani elikhulu lezinguqulo ezihlukile phambi kwe-obfuscation, kanye nokuba khona noma ukungabikho kwekhodi engafinyeleleki engezwe efayeleni ukuze kuphazamise ukunaka. futhi ufihle ikhodi enonya.
Ingqikithi esizeni jquery-js.com kuhlonzwe izinhlobo eziyisithupha zabahogelayo. Laba bantu abahogelayo bathumela idatha entshontshiwe ekhelini elitholakala kusayithi efanayo nomdunusi ngokwawo: hxxps://jquery-js[.]com/latest/jquery.min.js:
- hxxps://jquery-js[.]com/jquery.min.js
- hxxps://jquery-js[.]com/jquery.2.2.4.min.js
- hxxps://jquery-js[.]com/jquery.1.8.3.min.js
- hxxps://jquery-js[.]com/jquery.1.6.4.min.js
- hxxps://jquery-js[.]com/jquery.1.4.4.min.js
- hxxps://jquery-js[.]com/jquery.1.12.4.min.js
Isizinda sakamuva g-analytics.com, esetshenziswa iqembu ekuhlaselweni kusukela maphakathi no-2018, isebenza njengendawo yokugcina abantu abaningi abahogelayo. Sekukonke, kutholwe izinguqulo eziyi-16 ezahlukahlukene ze-sniffer. Kulesi simo, isango lokuthumela idatha entshontshiwe lifihliwe njengesixhumanisi sesithombe sefomethi GIF: hxxp://g-analytics[.]com/__utm.gif?v=1&_v=j68&a=98811130&t=pageview&_s=1&sd=24-bit&sr=2560×1440&vp=2145×371&je=0&_u=AACAAEAB~&jid=1841704724&gjid=877686936&cid
= 1283183910.1527732071:
- hxxps://g-analytics[.]com/libs/1.0.1/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.10/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.11/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.12/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.13/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.14/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.15/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.16/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.3/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.4/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.5/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.6/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.7/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.8/analytics.js
- hxxps://g-analytics[.]com/libs/1.0.9/analytics.js
- hxxps://g-analytics[.]com/libs/analytics.js
Ukwenza imali ngedatha entshontshiwe
Iqembu lezigebengu lenza imali ngedatha entshontshiwe ngokuthengisa amakhadi ngesitolo esingaphansi esidalwe ngokukhethekile esihlinzeka ngamasevisi kumakhadi. Ukuhlaziywa kwezizinda ezisetshenziswa abahlaseli kwenze kwaba nokwenzeka ukunquma lokho google-analytics.cm ibhaliswe ngumsebenzisi ofanayo nesizinda ikhadiz.vc. Isizinda ikhadiz.vc ibhekisela kuma-Cardsurfs (Flysurfs), isitolo esithengisa amakhadi asebhange antshontshiwe, esithole ukuduma ngesikhathi semakethe engaphansi komhlaba ye-AlphaBay njengesitolo esithengisa amakhadi asebhange antshontshiwe kusetshenziswa umuntu ohogela iphunga.
Ukuhlaziya isizinda i-analytic.is, etholakala kuseva efanayo nezizinda ezisetshenziswa abantu abahogelayo ukuqoqa idatha eyebiwe, Ochwepheshe beQembu-IB bathole ifayela eliqukethe amalogi okwebiwa kwe-Cookie, okubukeka sengathi, kamuva lashiywa unjiniyela. Okunye okufakiwe kulogi bekuqukethe isizinda iozoz.com, eyake yasetshenziswa ngaphambilini kwesinye sezihogela ezisebenzayo ngo-2016. Ngokunokwenzeka, lesi sizinda sake sasetshenziswa umhlaseli ukuqoqa amakhadi antshontshiwe kusetshenziswa isiduphunga. Lesi sizinda sibhaliswe ekhelini le-imeyili [i-imeyili ivikelwe], eyasetshenziswa futhi ukubhalisa izizinda cardz.su и ikhadiz.vcezihlobene nesitolo samakhadi se-Cardsurfs.
Ngokusekelwe kudatha etholiwe, kungase kucatshangwe ukuthi umndeni wakwa-G-Analytics we-sniffer kanye nesitolo samakhadi asebhange e-Cardsurfs esingaphansi komhlaba ziphethwe abantu abafanayo, futhi isitolo sisetshenziselwa ukudayisa amakhadi asebhange antshontshiwe kusetshenziswa isinufi.
Ingqalasizinda
| Isizinda | Usuku lokutholwa/ukuvela |
|---|---|
| iozoz.com | 08.04.2016 |
| dittm.org | 10.09.2016 |
| jquery-js.com | 02.01.2017 |
| g-analytics.com | 31.05.2018 |
| google-analytics.is | 21.11.2018 |
| i-analytic.to | 04.12.2018 |
| google-analytics.to | 06.12.2018 |
| google-analytics.cm | 28.12.2018 |
| i-analytic.is | 28.12.2018 |
| googlelc-analytics.cm | 17.01.2019 |
Umndeni wakwa-Illum
I-Illum iwumndeni wabantu abahogelayo abasetshenziswa ukuhlasela izitolo eziku-inthanethi ezisebenzisa i-Magento CMS. Ngaphezu kokujova ikhodi enonya, abaqhubi balesi siduphunga baphinde basebenzise ukwethulwa kwamafomu okukhokha omgunyathi agcwele athumela idatha kumasango alawulwa abahlaseli.
Lapho kuhlaziywa ingqalasizinda yenethiwekhi esetshenziswa abaqhubi bale sniffer, kwaphawulwa inani elikhulu lemibhalo engalungile, ukuxhashazwa, amafomu okukhokha omgunyathi, kanye neqoqo lezibonelo eziqhudelana ne-sniffer enonya. Ngokusekelwe olwazini mayelana nezinsuku zokuvela kwamagama wesizinda asetshenziswa iqembu, kungacatshangwa ukuthi ukuqala komkhankaso kuwela ekupheleni kuka-2016.
Isetshenziswa kanjani i-Illum kukhodi yesitolo esiku-inthanethi
Izinguqulo zokuqala ezitholiwe ze-sniffer zashumekwa ngqo kukhodi yesayithi eyonakalisiwe. Idatha eyebiwe ithunyelwe ku cdn.illum[.]pw/records.php, isango lalibhalwe ngekhodi isisekelo64.
Kamuva, kwatholakala inguqulo ehlanganisiwe ye-sniffer kusetshenziswa isango elihlukile - records.nstatistics[.]com/records.php.
Ngokusho U-Willem de Groot, umsingathi ofanayo wasetshenziswa ku-sniffer eyaqaliswa ukusebenza , ephethwe yiqembu lezombusazwe laseJalimane i-CSU.
Ukuhlaziywa kwesayithi lokuhlasela
Ochwepheshe be-Group-IB bathole futhi bahlaziya isayithi esetshenziswa yileli qembu lezigebengu ukugcina amathuluzi nokuqoqa ulwazi oluntshontshiwe.
Phakathi kwamathuluzi atholwe kuseva yomhlaseli kutholwe imibhalo nokuxhashazwa kwelungelo lokwanda ku-Linux OS: isibonelo, i-Linux Privilege Escalation Check Script, eyakhiwe uMike Czumak, kanye nokuxhashazwa kwe-CVE-2009-1185.
Abahlaseli basebenzise izikhali ezimbili ngokuqondile ukuze bahlasele izitolo eziku-inthanethi: ekwazi ukufaka ikhodi enonya core_config_data ngokusebenzisa i-CVE-2016-4010, isebenzisa ubungozi be-RCE kuma-plugin we-Magento CMS, okuvumela ikhodi engafanele ukuthi ifakwe kuseva yewebhu esengozini.
Futhi, phakathi nokuhlaziywa kweseva, kutholwe amasampula ahlukahlukene abantu abahogelayo namafomu okukhokha omgunyathi, asetshenziswa abahlaseli ukuqoqa ulwazi lokukhokha kumasayithi agqekeziwe. Njengoba ungabona ohlwini olungezansi, ezinye izikripthi zidalwe ngazodwana kusayithi ngalinye eligqekeziwe, kuyilapho isisombululo sendawo yonke sisetshenziselwa i-CMS ethile namasango okukhokha. Ngokwesibonelo, scripts segapay_standard.js и segapay_onpage.js yakhelwe ukuthi ishumekwe kumasayithi kusetshenziswa isango lokukhokha le-Sage Pay.
Uhlu lwemibhalo yamasango okukhokha ahlukahlukene
| Iskripthi | Isango Lokukhokha |
|---|---|
| [.]pw/mjs_special/visiondirect.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/topdirenshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/tiendalenovo.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/pro-bolt.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/plae.co.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/ottolenghi.co.uk.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/oldtimecandy.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/mylook.ee.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/luluandsky.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/julep.com.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs_special/gymcompany.es.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/grotekadoshop.nl.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs_special/fushi.co.uk.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/fareastflora.com.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs_special/compuindia.com.js | //request.payrightnow[.]cf/alldata.php |
| [.]pw/mjs/segapay_standart.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/segapay_onpage.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/replace_standard.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/mjs/all_inputs.js | //cdn.illum[.]pw/records.php |
| [.]pw/mjs/add_inputs_standart.js | //request.payrightnow[.]cf/checkpayment.php |
| [.]pw/magento/payment_standard.js | //cdn.illum[.]pw/records.php |
| [.]pw/magento/payment_redirect.js | //payrightnow[.]cf/?payment= |
| [.]pw/magento/payment_redcrypt.js | //payrightnow[.]cf/?payment= |
| [.]pw/magento/payment_forminsite.js | //paymentnow[.]tk/?payment= |
Umsingathi paynow[.]tk, esetshenziswa njengesango embhalweni pay_forminsite.js, kwatholakala njenge subjectAltName kuzitifiketi ezimbalwa ezihlobene nesevisi ye-CloudFlare. Ngaphezu kwalokho, umbhalo wawutholakala kumsingathi okubi.js. Uma sibheka igama lombhalo, ibingase isetshenziswe njengengxenye yokuxhaphaza i-CVE-2016-4010, ngenxa yokuthi kungenzeka ukuthi kujove ikhodi enonya ngaphansi kwesayithi esebenzisa i-Magento CMS. Lesi script sisebenzise umsingathi njengesango request.requestnet[.]tk, usebenzisa isitifiketi esifanayo nesomsingathi paynow[.]tk.
Amafomu okukhokha mbumbulu
Isibalo esingezansi sibonisa isibonelo sefomu lokufaka idatha yekhadi. Leli fomu lisetshenziswe ngokunyenya kuwebhusayithi yesitolo se-inthanethi futhi kwebiwe imininingwane yekhadi.
Isibalo esilandelayo siyisibonelo sefomu lokukhokha le-PayPal elingumgunyathi elasetshenziswa abahlaseli ukuze bangene kumasayithi besebenzisa le ndlela yokukhokha.
Ingqalasizinda
| Isizinda | Usuku lokutholwa/ukuvela |
|---|---|
| cdn.illum.pw | 27/11/2016 |
| records.nstatistics.com | 06/09/2018 |
| isicelo.payrightnow.cf | 25/05/2018 |
| paynow.tk | 16/07/2017 |
| ulayini wokukhokha.tk | 01/03/2018 |
| paypal.cf | 04/09/2017 |
| requestnet.tk | 28/06/2017 |
Umndeni wakwaCoffeeMokko
Umndeni wakwa-CoffeMokko wabanuki oklanyelwe ukweba amakhadi asebhange abasebenzisi besitolo se-inthanethi usetshenziswe kusukela okungenani ngoMeyi 2017. Ngokunokwenzeka, iqembu lezigebengu leQembu 1 elichazwe ngochwepheshe be-RiskIQ ngo-2016 liyi-opharetha yalo mndeni wabahogelayo. Amawebhusayithi asebenzisa i-CMS njengeMagento, OpenCart, WordPress, osCommerce, Shopify ahlaselwa.
I-CoffeMokko ishumekwe kanjani kukhodi yesitolo se-inthanethi
Abasebenzi balo mndeni bakha iziphunga ezihlukile zokutheleleka ngakunye: ifayela le-sniffer litholakala ohlwini lwemibhalo. src noma js kuseva yomhlaseli. Ukuqaliswa kukhodi yesayithi kwenziwa ngesixhumanisi esiqondile kumuntu ohogelayo.
Ikhodi yokuhogela ifaka amakhodi kanzima amagama ezinkambu zefomu ofuna ukweba kuzo idatha. I-sniffer iphinde ihlole ukuthi umsebenzisi usekhasini lokukhokha ngokubheka uhlu lwamagama angukhiye ngokumelene nekheli lamanje lomsebenzisi.
Ezinye izinguqulo ezitholiwe ze-sniffer zenziwa obala futhi ziqukethe iyunithi yezinhlamvu ebethelwe egcina uhlu olukhulu lwezinsiza: iqukethe amagama ezinkambu zefomu zamasistimu okukhokha ahlukahlukene, kanye nekheli lesango okufanele kuthunyelwe kulo idatha eyebiwe.
Ulwazi lokukhokha oluntshontshiwe luthunyelwe kuskripthi esikuseva yabahlaseli endleleni. /savePayment/index.php noma /tr/index.php. Ngokunokwenzeka, lesi skripthi sisetshenziselwa ukuthumela idatha kusuka esangweni kuya kuseva eyinhloko, ehlanganisa idatha evela kubo bonke abahogelayo. Ukufihla idatha edlulisiwe, yonke imininingwane yokukhokha yomuntu ohlukumezekile ibhalwa ngekhodi kusetshenziswa isisekelo64, bese kushintshwa izinhlamvu eziningana:
- uhlamvu "e" luthathelwa indawo ":"
- uphawu "w" luthathelwa indawo "+"
- uhlamvu oluthi "o" luthathelwe indawo u-"%"
- uhlamvu "d" luthathelwa indawo "#"
- uhlamvu "a" luthathelwa indawo "-"
- uphawu "7" luthathelwa indawo "^"
- uhlamvu u-"h" luthathelwa indawo u-"_"
- uphawu "T" luthathelwa indawo "@"
- uhlamvu "0" luthathelwa indawo "/"
- uhlamvu "Y" luthathelwa indawo "*"
Njengomphumela wokushintsha izinhlamvu ezifakwe ngekhodi isisekelo64 idatha ayikwazi ukukhishwa ikhodi ngaphandle kokuguqulwa okuphambene.
Lena yindlela ucezu lwekhodi lokuhogela olungakafihlwanga lubukeka kanjena:
Ukuhlaziywa kwengqalasizinda
Emikhankasweni yokuqala, abahlaseli babhalise amagama esizinda afana nalawo amasayithi okuthenga aku-inthanethi asemthethweni. Isizinda sabo singahluka kwesisemthethweni ngohlamvu olulodwa noma omunye i-TLD. Izizinda ezibhalisiwe zisetshenzisiwe ukuze kugcinwe ikhodi yokuhogela, isixhumanisi esishumekwe kukhodi yesitolo.
Leli qembu liphinde lasebenzisa amagama wesizinda okusikhumbuza ama-plugin adumile e-jQuery (slickjs[.]org kumasayithi asebenzisa i-plugin i-slick.js), amasango okukhokha (sagecdn[.]org kumasayithi asebenzisa uhlelo lokukhokha lwe-Sage Pay).
Kamuva, iqembu laqala ukudala izizinda amagama azo ayengahlangene nhlobo nesizinda sesitolo noma itimu yesitolo.
Isizinda ngasinye sasihambisana nesizinda lapho uhla lwemibhalo lwakhiwe khona /js noma / src. Imibhalo ye-sniffer yagcinwa kulolu hlu lwemibhalo: isiphunga esisodwa sokutheleleka okusha ngakunye. I-sniffer yethulwe kukhodi yesayithi ngesixhumanisi esiqondile, kodwa ezimweni ezingavamile, abahlaseli balungise elinye lamafayela esayithi futhi bangeze ikhodi engalungile kulo.
Ukuhlaziywa kwekhodi
I-algorithm yokuqala ye-Obfuscation
Kwamanye amasampula ahogelayo alo mndeni, ikhodi iye yafiphazwa futhi iqukethe idatha ebethelwe edingekayo ukuze lowo othungayo asebenze: ikakhulukazi, ikheli lesango lomuntu ohogelayo, uhlu lwezinkambu zefomu lokukhokha, futhi kwezinye izimo, ikhodi yefomu lokukhokha lomgunyathi. Ekhodini engaphakathi komsebenzi, izinsiza bezibethelwe ngazo XOR ngokhiye ophasiswe njengengxabano kumsebenzi ofanayo.
Ngokususa ukubethela kweyunithi yezinhlamvu ngokhiye ohambisanayo, ohlukile kusampula ngayinye, ungathola iyunithi yezinhlamvu equkethe yonke imigqa evela kukhodi yokuhogela ehlukaniswe uhlamvu lwe-delimiter.
I-algorithm yesibili ye-obfuscation
Kumasampuli akamuva alo mndeni wabahogelayo, kusetshenziswe indlela ehlukile yokufihla i-obfuscation: kulesi simo, idatha yabethelwa kusetshenziswa i-algorithm yokuzibhalela. Iyunithi yezinhlamvu equkethe idatha ebethelwe edingekayo ukuze i-sniffer isebenze idluliselwe njengempikiswano yomsebenzi wokususa ukubethela.
Usebenzisa ikhonsoli yesiphequluli, ungakwazi ukususa ukubethela kwedatha ebethelwe futhi uthole amalungu afanayo aqukethe izinsiza zokuhogela.
Xhuma ekuhlaselweni kwangaphambi kwesikhathi kwe-MageCart
Ekuhlaziyweni kwesinye sezizinda ezisetshenziswa yiqembu njengesango lokuqoqa imininingwane eyebiwe, kwatholakala ukuthi ingqalasizinda yokweba amakhadi esikweletu yasetshenziswa kulesi sizinda, efana naleyo esetshenziswa iQembu 1, elinye lamaqembu okuqala, Ochwepheshe be-RiskIQ.
Amafayela amabili atholwe kumsingathi womndeni wakwa-CoffeMokko sniffer:
- i-mage.js — ifayela eliqukethe ikhodi yokuhogela yeQembu 1 elinekheli lesango js-cdn.link
- mag.php - Umbhalo we-PHP onesibopho sokuqoqa idatha eyebiwe ngumuntu othungayo
Okuqukethwe kwefayela le-mage.js
Kuphinde kwanqunywa ukuthi izizinda zakuqala ezasetshenziswa iqembu elingemuva komndeni wama-CffeMokko sniffer zabhaliswa ngomhla ka-May 17, 2017:
- isixhumanisi-js[.]isixhumanisi
- info-js[.]isixhumanisi
- track-js[.]isixhumanisi
- map-js[.]isixhumanisi
- isixhumanisi se-smart-js[.]
Ifomethi yala magama esizinda iyafana namagama esizinda seQembu 1 asetshenziswe ekuhlaselweni kuka-2016.
Ngokusekelwe emaqinisweni atholiwe, kungacatshangwa ukuthi kukhona ukuxhumana phakathi kwabaqhubi be-CoffeMokko abahogela kanye neqembu lezigebengu le-Group 1. Ngokunokwenzeka, opharetha be-CoffeMokko bangase babe namathuluzi abolekayo nesofthiwe ukuze bantshontshe amakhadi kubanduleli babo. Kodwa-ke, kungenzeka ukuthi iqembu lezigebengu elilandela ukusetshenziswa komndeni wakwaCffeMokko lingabantu abafanayo abenze lokhu kuhlasela njengengxenye yemisebenzi yeQembu 1. Ngemva kokushicilelwa kombiko wokuqala mayelana nemisebenzi yeqembu lezigebengu, bonke amagama wesizinda avinjiwe, futhi amathuluzi afundwa ngokuningiliziwe futhi achazwa. Iqembu laphoqeleka ukuthi lithathe ikhefu, lilungise amathuluzi alo angaphakathi futhi libhale kabusha ikhodi yokuhogela ukuze liqhubeke nokuhlasela futhi lihlale lingabonwa.
Ingqalasizinda
| Isizinda | Usuku lokutholwa/ukuvela |
|---|---|
| link-js.link | 17.05.2017 |
| info-js.link | 17.05.2017 |
| ithrekhi-js.link | 17.05.2017 |
| imephu-js.link | 17.05.2017 |
| i-smart-js.link | 17.05.2017 |
| adorebeauty.org | 03.09.2017 |
| security-payment.su | 03.09.2017 |
| braindn.org | 04.09.2017 |
| sagecdn.org | 04.09.2017 |
| slickjs.org | 04.09.2017 |
| oakandfort.org | 10.09.2017 |
| citywnery.org | 15.09.2017 |
| dobell.su | 04.10.2017 |
| childrensplayclothing.org | 31.10.2017 |
| jewsondirect.com | 05.11.2017 |
| shop-rnib.org | 15.11.2017 |
| closetlondon.org | 16.11.2017 |
| misshaus.org | 28.11.2017 |
| battery-force.org | 01.12.2017 |
| kik-vape.org | 01.12.2017 |
| greatfurnituretradingco.org | 02.12.2017 |
| etradesupply.org | 04.12.2017 |
| replacemyremote.org | 04.12.2017 |
| all-about-sneakers.org | 05.12.2017 |
| mage-checkout.org | 05.12.2017 |
| nililotan.org | 07.12.2017 |
| lamoodbighat.net | 08.12.2017 |
| walletgear.org | 10.12.2017 |
| dahlie.org | 12.12.2017 |
| davidsfootwear.org | 20.12.2017 |
| blackriverrimaging.org | 23.12.2017 |
| exrpesso.org | 02.01.2018 |
| amapaki.su | 09.01.2018 |
| pmtonline.su | 12.01.2018 |
| otocap.org | 15.01.2018 |
| christohperward.org | 27.01.2018 |
| coffeetea.org | 31.01.2018 |
| energycoffe.org | 31.01.2018 |
| energytea.org | 31.01.2018 |
| teacoffe.net | 31.01.2018 |
| adaptivecss.org | 01.03.2018 |
| coffemokko.com | 01.03.2018 |
| londontea.net | 01.03.2018 |
| ukcoffe.com | 01.03.2018 |
| labbe.biz | 20.03.2018 |
| ibhethrinart.com | 03.04.2018 |
| btosports.net | 09.04.2018 |
| chicksaddlery.net | 16.04.2018 |
| paypay.org | 11.05.2018 |
| ar500arnor.com | 26.05.2018 |
| authorizecdn.com | 28.05.2018 |
| slickmin.com | 28.05.2018 |
| bannerbuzz.info | 03.06.2018 |
| kandypens.net | 08.06.2018 |
| mylrendyphone.com | 15.06.2018 |
| freshchat.info | 01.07.2018 |
| 3lift.org | 02.07.2018 |
| abtasty.net | 02.07.2018 |
| mechat.info | 02.07.2018 |
| zoplm.com | 02.07.2018 |
| zapaljs.com | 02.09.2018 |
| foodandcot.com | 15.09.2018 |
| freshdepor.com | 15.09.2018 |
| swappastore.com | 15.09.2018 |
| verywellfitness.com | 15.09.2018 |
| elegrina.com | 18.11.2018 |
| majsurplus.com | 19.11.2018 |
| top5value.com | 19.11.2018 |
Source: www.habr.com