Almost every one of us uses online stores, which means that sooner or later we risk becoming a victim of a JavaScript sniffer: code that attackers embed in a site to steal users' bank card data, addresses, usernames and passwords.
Almost 400,000 users of the British Airways website and mobile app, as well as visitors to the British website of sports giant FILA and American ticket distributor Ticketmaster, have already been affected by sniffers.
Viktor Okorokov, an analyst at Group-IB Threat Intelligence, explains how sniffers are embedded in site code and steal payment information, and which CMSs they attack.
"Hidden threat"
For a long time JS sniffers stayed outside the field of view of antivirus analysts, and banks and payment systems did not treat them as a serious threat. That was a mistake. Group-IB experts analyzed 2,440 infected online stores whose visitors, about 1.5 million people a day in total, were at risk of being compromised. The victims are not only users but also the online stores, the payment systems and the banks that issued the compromised cards.
The Group-IB report was the first study of the darknet market for sniffers, their infrastructure and the monetization methods that bring their creators millions of dollars. We identified 38 families of sniffers, of which only 12 were previously known to researchers.
Here we focus in detail on four of the families examined in the study.
The ReactGet family
ReactGet family sniffers are used to steal bank card data on online store sites. The family supports a large number of payment systems: one value of a version parameter corresponds to one payment system, and some of the detected versions steal credentials as well as card data, or steal card data from the payment forms of several payment systems at once, acting as a so-called universal sniffer. In some cases the attackers also ran phishing attacks against online store administrators in order to gain access to the site's administrative panel.
The campaign using this family began in May 2017 and targeted sites running the Magento, Bigcommerce and Shopify CMS platforms.
How ReactGet is embedded in the code of an online store
In addition to the "classic" inclusion of the script via an external link, ReactGet operators use a gating technique: JavaScript code checks whether the address the user is currently on meets certain criteria. The malicious code runs only if the current URL contains one of the substrings "checkout", "onestepcheckout", "onepage/", "out/onepag", "checkout/one" or "ckout/one". In other words, the sniffer executes exactly when the user goes to pay for the order and enters payment details into the form on the site.
The exfiltration technique is also unusual. The victim's payment and personal data are collected together, base64-encoded, and the resulting string is used as a parameter of a request to the attackers' site. Most often the path to the gate imitates a JavaScript file, for example resp.js or data.js, but links to image files (GIF, JPG) are also used. The sniffer then creates an image object of 1 by 1 pixel and sets the URL obtained above as its src attribute, so in traffic the request looks like a request for an ordinary image. The same technique was used by the ImageID family of sniffers. Since 1-by-1 pixel images are also used by many legitimate web analytics scripts, the beacon blends in with normal traffic. Because the payload travels in the query string of a GET request, however, a defender who has proxy or CDN logs can recover exactly what was sent.
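To make the two mechanisms above concrete, here is an added example (not code from Group-IB or from the sniffer itself) of two defender-side helpers built from the described behaviour: the same URL-substring test the sniffer uses, so a shop operator can see which of their own pages would trigger it, and a decoder that takes a captured request to a "1x1 image" gate and recovers the base64 payload. The page does not give the query parameter name or the layout of the fields before base64 encoding; the example assumes a parameter named data and "key=value&key=value" layout, and the gate host gate.example and the sample request are constructed, not real traffic.

```javascript
// Added example, not Group-IB's or the sniffer's own code.
//   isCheckoutUrl()  - the substring test ReactGet uses to decide whether to run.
//   decodeBeacon()   - extract and decode the base64 parameter of a captured gate request.
// ASSUMPTIONS not stated on the page: the parameter name ("data") and that fields are
// joined as "key=value&key=value" before base64 encoding. Adjust both to the sample at hand.

const CHECKOUT_MARKERS = [
  "checkout", "onestepcheckout", "onepage/", "out/onepag", "checkout/one", "ckout/one",
];

function isCheckoutUrl(url) {
  const u = String(url).toLowerCase();
  return CHECKOUT_MARKERS.some((marker) => u.includes(marker));
}

// Gate paths on the page imitate script or image files (resp.js, data.js, GIF, JPG).
const GATE_PATH_RE = /\.(js|gif|jpe?g|png)$/i;
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Strict base64 check first: Buffer.from(..., "base64") silently accepts junk.
function tryBase64(value) {
  if (!BASE64_RE.test(value) || value.length % 4 !== 0) return null;
  return Buffer.from(value, "base64").toString("utf8");
}

// Walk the raw query by hand. URLSearchParams would turn a raw "+" (valid base64)
// into a space and corrupt the payload if the sniffer did not percent-encode it.
// A segment without "=" is treated as a bare value (some gates use "?<base64>").
function queryValues(u) {
  const raw = u.search.startsWith("?") ? u.search.slice(1) : u.search;
  if (!raw) return [];
  return raw.split("&").map((segment) => {
    const eq = segment.indexOf("=");
    const value = eq === -1 ? segment : segment.slice(eq + 1);
    let decoded = value;
    try { decoded = decodeURIComponent(value); } catch { /* keep raw value */ }
    return decoded.replace(/ /g, "+");
  });
}

// Returns the stolen fields as an object, or null if the request is not a gate beacon.
function decodeBeacon(requestUrl) {
  const u = new URL(requestUrl);
  if (!GATE_PATH_RE.test(u.pathname)) return null;
  for (const value of queryValues(u)) {
    const payload = tryBase64(value);
    if (payload === null) continue;
    const fields = {};
    for (const pair of payload.split("&")) {
      const eq = pair.indexOf("=");
      if (eq === -1) continue;
      fields[pair.slice(0, eq)] = pair.slice(eq + 1);
    }
    return Object.keys(fields).length ? fields : null;
  }
  return null;
}

// Report what was stolen without re-exposing a full card number in a log or ticket.
function maskCardFields(fields) {
  const out = {};
  for (const [k, v] of Object.entries(fields)) {
    out[k] = /^\d{13,19}$/.test(v)
      ? v.slice(0, 6) + "*".repeat(v.length - 10) + v.slice(-4)
      : v;
  }
  return out;
}

// Constructed sample (not real traffic): a hypothetical gate at gate.example.
const SAMPLE_PAYLOAD =
  "cc_number=4111111111111111&cc_exp=12/25&cc_cvv=123&email=victim@example.com";
const SAMPLE_REQUEST = "https://gate.example/resp.js?data=" +
  encodeURIComponent(Buffer.from(SAMPLE_PAYLOAD, "utf8").toString("base64"));

console.log(isCheckoutUrl("https://shop.example/onepage/"));       // true
console.log(isCheckoutUrl("https://shop.example/catalog/shoes"));  // false
console.log(maskCardFields(decodeBeacon(SAMPLE_REQUEST)));
```

Run it with node; to use it on real captures, feed decodeBeacon the full request URLs from proxy or CDN logs for the checkout pages that isCheckoutUrl flags, and keep only the masked output in any report.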
Version analysis
Analysis of the active domains used by ReactGet operators revealed many versions of this family. Versions differ in whether they are obfuscated, and each one is built for a specific payment system that processes card payments for online stores. By enumerating the parameter value that selects the version, Group-IB specialists obtained a complete list of available variants, and from the names of the form fields each variant searches for in the page code they identified the payment system it targets.
List of sniffers and their corresponding payment systems
| Sniffer URL | Payment system |
|---|---|
| | Authorize.Net |
| | Cardsave |
| | Authorize.Net |
| | Authorize.Net |
| | eWAY Rapid |
| | Authorize.Net |
| | Adyen |
| | USAePay |
| | Authorize.Net |
| | USAePay |
| | Authorize.Net |
| | Moneris |
| | USAePay |
| | PayPal |
| | Sage Pay |
| | Verisign |
| | PayPal |
| | Stripe |
| | Realex |
| | PayPal |
| | LinkPoint |
| | PayPal |
| | PayPal |
| | DataCash |
| | PayPal |
| | Authorize.Net |
| | Authorize.Net |
| | Authorize.Net |
| | Authorize.Net |