Recorded Future a analysé les données actuelles de la plateforme Recorded Future®, les rapports sur la sécurité de l'information et d'autres sources de renseignements open source (OSINT) afin d'identifier les renifleurs qui facilitent les campagnes des acteurs malveillants. Ce rapport approfondit les conclusions présentées dans le rapport «Automatisation et banalisation dans l'économie souterraine », qui fait suite à des rapports sur violations de bases de données, vérificateurs et forceurs bruts, chargeurs et crypteurs. Ce rapport intéressera tout particulièrement les défenseurs de réseaux, les chercheurs en sécurité et les cadres chargés de la gestion et de l'atténuation des risques de sécurité.

Executive Summary

As global business is migrating toward conducting more transactions online, threat actors have become more invested in identifying and exploiting vulnerabilities in website payment processing systems and interfaces, particularly ones that permit threat actors to inject malicious JavaScript (JS) and exfiltrate customer data and payment card details.

As this and previous Recorded Future reporting highlights, the injection of malicious JS code into websites is not reserved to Magecart — an umbrella term for threat actor groups employing this technique — but is also being marketed by multiple threat actors on the dark web who develop customized payment sniffers that are updated regularly, contain multiple capabilities, and are available for purchase or rent. These readily available sniffer variants permit cybercriminals to steal and harvest sensitive information from compromised payment processing websites. As long as these attacks keep paying dividends, threat actors like the three profiled in this report are likely to continue to develop and sell customized sniffers that are capable of defeating updated security measures and alerts.

Key Judgments

• Dark web threat actors are using high-tier dark web sources to advertise and sell customized JS sniffers that are designed and regularly updated to harvest credentials once injected into a website’s payment processes.
• Customized sniffer variants contain multiple capabilities and functionalities, including easy-to-use interfaces, as well as the ability to organize compromised data into digestible formats, delete recurring payment card data, extract personally identifiable information (PII), and defeat antivirus settings.
• Due to the public successes around Magecart attacks, threat actors are likely to continue to take an interest in sniffers and will use dark web sources to advertise and purchase customized sniffer variants.

Background

In today’s cyber threat landscape, threat actors deploy three common tactics, techniques, and procedures (TTPs) when stealing payment card numbers and other personally identifiable information (PII): skimmers and shimmers, point-of-sale (PoS) malware, and sniffers. We define these techniques, which are not interchangeable, as follows:

• Skimmers et Shimmers: Dispositifs matériels qui sont insérés ou placés sur les distributeurs automatiques de billets, les pompes à essence et d'autres terminaux de paiement physiques. Ces dispositifs sont conçus pour extraire les données des pistes 1 et 2 des cartes de paiement et parfois les codes PIN.
• Logiciel malveillant au point de vente: code ou logiciel malveillant qui cible les terminaux de paiement et est conçu pour capturer les données de paiement des pistes 1 ou 2, qui peuvent dans certains cas être utilisées pour effectuer des transactions sans présentation de la carte (CNP). Techniquement, les logiciels malveillants PoS peuvent se livrer à du reniflage, mais il s'agit généralement de reniflage de réseau et non de paiement. Recorded Future a identifié au moins 92 variantes de logiciels malveillants visant les points de vente.
• Sniffers: Malicious code, usually JavaScript (JS), that is injected onto a website’s payment system and is designed to steal payment card information, including card verification values (CVVs), the three- or four-digit number on the back of credit cards, as well as other PII. Methods of code injection include XSS attacks, formjacking, third-party code, and library reuse.

À mesure que les ventes en ligne et via les appareils mobiles augmentent, les cybercriminels s'efforcent d'identifier les vulnérabilités des plateformes de commerce électronique et des pages de paiement des sites Web. En particulier en cette période de pandémie de COVID-19, où les ventes en ligne ont augmenté de 49 % en avril 2020, les cybercriminels sont financièrement motivés pour tirer profit de ces changements. Ces vulnérabilités et tendances ne sont pas seulement exploitées par des acteurs malveillants individuels, mais également par des menaces persistantes avancées (APT), telles que le groupe nord-coréen APT Lazarus, identifié en juillet 2020 et qui cible les principaux sites Web de détaillants en ligne américains et européens.

When a threat actor uses a sniffer, they inject malicious JS that automatically captures the data from the customers who visit the infected website, allowing for the automated collection of the payment card and PII of numerous customers. The sniffer forwards the compromised data to the threat actor's C2 for further processing and exploitation. Once a threat actor has successfully stolen CNP data from the checkout pages of e-commerce websites, this CNP data can then be used to purchase goods and services, or will be sold on credit card shops. Threat actors frequently use the compromised CNP data to buy highly liquid items or services, themselves using card-not-present transactions.

As addressed in this report, “Magecart,” the umbrella term used to describe threat actor groups who harvest compromised payment credentials from websites via malicious JS injection, is not the only group of threat actors using malicious JS. Recorded Future has identified and investigated dark web threat actors advertising customized sniffer variants across dark web sources that contain unique attributes and are regularly updated by operators to defeat newly implemented security measures.

Customized Sniffer Variants and the Threat Actors Behind Them

Sochi

“Sochi” is the primary moniker used by at least two different Russian-speaking persons active on at least three forums: Exploit, Verified, and Club2CRD. Sochi is the creator of the JS sniffer “Inter” and the trojan Android Red. In March 2019, Recorded Future investigated Sochi’s dark web activities and found the following intelligence:

• Additional monikers used by Sochi include: “xx5” (Verified) and “SSN” (Club2CRD).
• Criminal activities and services offered include malware development, bulletproof hosting, e-commerce website compromise, cashout, purchasing compromised banking credentials and access to websites, and resale of compromised credentials from other threat actors, including “BuyCC” and “LookigtoBuy.”
• Sochi has also offered to buy out potential accesses to online shops with any type of payment solutions: payment form on the website, iframe, or redirect. The threat actor offers up to 85 percent of the compromised payment cards from the provided access or $20,000 USD in exchange of 1,000 credit cards.

Regarding Sochi’s sniffer variant Inter, we found that the threat actor began advertising it in December 2018 and described it as a universal sniffer designed to steal CNP payment data from payment platforms, specifically Magento, OpenCart, and OsCommerce as well as websites that use iframes or third-party payment processors. Some instances of Inter were found searching for different strings such as “GetCCInfo:fuction” in the source code of a website.

Currently, Sochi is selling licenses for Inter for around $1,000, and purchases include the sniffer’s payload, user manual, 24/7 customer service, free admin panel, and upgrades. Inter has the following technical capabilities and features:

• Captured data is transformed into a GIF image format before being transferred to the control panel, which permits exfiltration via a GET request.
• The sniffer does not interfere or drop SSL connection.
• Inter is updated regularly so as to remain undetectable to antivirus software.

Billar

“Billar” is a Russian-speaking threat actor who has been active on the criminal underground since 2013 and also operates under the moniker “mr.SNIFFA.” Billar is the creator and sole designer of a JS credit card sniffer known as “mr.SNIFFA,” which they began advertising first on Exploit Forum on December 3, 2019.

**Figure 1**: Notable Billar activities from December 2019 to July 2020. (Source: Recorded Future)

On March 30, 2020, “Ubercri,” a well-known hacker and a member of multiple underground communities, shared with Exploit Forum members that some of mr.SNIFFA’s admin panels can be found via a Google search, making it easy to identify businesses and websites compromised by Billar’s sniffer variant.

On June 29, 2020, “RedBear,” an experienced malware coder, penetration tester, and reverse engineer, published on XSS Forum research that potentially identified the operator of Billar. According to RedBear, Billar is operated by “Mikhail Mikhailovich Shkrobanets.” Recorded Future analysts reviewed RedBear’s research and analyzed the steps used to identify Shkrobanets, assessing that RedBear’s research is complete and likely accurate, even though some of the steps RedBear took to identify Billar were not legal or ethical.

Currently, Billar is advertising mr.SNIFFA on Exploit Forum for about $3,000. The package includes the following features:

• A unique way of receiving, implementing, and executing malware code
• Cross-browser obfuscated data transfer
• MaxMind GeoIP integration
• An admin panel that possesses enhanced security to defeat brute-force and DDoS attacks
• 24/7 support and flexibility for any customers’ needs

Poter

“poter” is a member of several top-tier Russian-speaking underground forums, including Exploit, Verified, Korovka, as well as the low-tier forum Monopoly, first registered as far back as 2014 on some forums. poter is proficient in various types of financial fraud techniques, including e-commerce, payment card fraud, and money laundering, and is also proficient in malware coding and is a developer of various phishing and scam websites, emails, admin panels, and data grabbers that are applicable for Android, Apple, PayPal, Visa, SunTrust, Flash Player, and other organizations.

**Figure 2**: poter’s activities on the dark web. (Source: Recorded Future)

The threat actor is a well-known developer of the “Universal Sniffer,” capable of stealing payment card data and victim passwords. This sniffer variant first appeared on Exploit Forum on July 17, 2016 and was removed by the same threat actor on January 10, 2019. It is not clear why poter stopped advertising their Universal Sniffer, and other threat actors may continue to use it privately.

According to poter, the Universal Sniffer had the following basic technical features that were regularly upgraded by the threat actor:

• Written in JS
• Checked all compromised Bank Identification Numbers (BIN)
• Organized stolen payment cards in a single format
• Deleted repeating payment cards
• Grabbed login, password, and shipping/billing addresses from compromised payment cards
• Filtered out compromised payment cards by state

**Figure 3**: Sniffer admin panel displays compromised payment card field recognition settings.

**Figure 4**: Sniffer interface with compromised data can be sorted out by date, IP address, and user agent.

Initially, poter priced the sniffer at several thousand dollars, but later lowered the price to just a few hundred to attract more users. On July 16, 2018, poter announced that they had enough customers and returned the initial price for the sniffer of several thousand dollars.

Au cours de notre enquête, Recorded Future n'a trouvé aucune preuve que les trois acteurs malveillants décrits ci-dessus aient utilisé ou vendu les données de cartes bancaires compromises récupérées à l'aide de leurs sniffers personnalisés. Cependant, étant donné que les renifleurs ont pour objectif de voler des informations relatives aux cartes de paiement et que ces informations n'ont de valeur que si elles sont monétisées, il est très probable que les informations relatives aux cartes aient été vendues ou utilisées pour acheter des biens en ligne qui sont ensuite revendus. Un exemple illustrant le fonctionnement de la monétisation est l'utilisation des deux techniques par les auteurs des attaques Magecart. Des recherches ont établi un lien entre l'infrastructure liée à Magecart et des données compromises, d'une part, et au moins une boutique de carding sur le dark web, Trump's Dumps, d'autre part, ainsi que des acteurs malveillants recrutant des passeurs pour recevoir et réexpédier des marchandises achetées avec des cartes de crédit volées.

Magecart

Magecart is a modus operandi used by security researchers and the media to group different threat actors targeting e-commerce sites with JS-based credit card web skimmers used to steal CNP data. The name Magecart itself is a reference to these actors targeting sites running vulnerable plugins for the Magento platform. FlashPoint and RiskIQ indicated that Magecart was initially a single threat actor group who began operating in 2015. A second distinct group was observed in 2016, and many more have turned up since then. All types of companies, from small to large, across multiple sectors have fallen victim to Magecart-related vulnerabilities since July 2019, including Macy’s, Sweaty Betty, Volusion, and Claire’s.

Entre octobre 2018 et la date de publication de ce rapport, les analystes de Recorded Future ont observé des activités malveillantes liées aux opérateurs Magecart visant au moins 95 sites Web de vente au détail en ligne. Souvent, les différents groupes d'acteurs malveillants utilisant divers types de renifleurs sont désignés de manière générique sous le nom de Magecart. Bien que ce vecteur d'attaque semble répandu, étant donné qu'il existe au moins 12 groupes liés à Magecart et que les attaques signalées se poursuivent, seuls quelques acteurs malveillants développent, vendent et maintiennent ces sniffers.

**Figure 5**: Notable Magecart activities and attacks from July 2019 to July 2020. (Source: Recorded Future)

Over the span of 2019 and into 2020, Magecart operators transitioned from targeting third-party suppliers in an attempt to reach primary targets to injecting their JS sniffer code directly into e-commerce websites to collect payment data, later transferring the data to a command-and-control (C2) server or designated domain.

Au cours du premier trimestre 2020, les opérations de vol de données de cartes de crédit par Magecart ont continué de prospérer malgré les arrestations très médiatisées effectuées par les forces de l'ordre en Indonésie en décembre 2019. Interpol a annoncé le 27 janvier 2020 que trois individus identifiés comme ayant mené des opérations de piratage de cartes Magecart ont été arrêtés par la police fédérale indonésienne. Group-IB, qui a fourni aux forces de l'ordre les informations ayant conduit à ces arrestations, a baptisé le sous-groupe Magecart impliqué « GetBilling ». Une autre société de sécurité, Sanguine Security, a indiqué qu'elle suivait également les activités de ce groupe.

We observed references to three of these sample domains within our data set in addition to three new domains not previously disclosed by Sanguine Security. The JS sniffer operators associated with this latest campaign use injected JS on compromised retail websites and have been using a common set of JS functions over the course of this campaign. Of the 95 impacted websites observed during our research, 28 remained actively compromised in January 2020.

À l'instar de l'incident ci-dessus, un groupe lié à Magecart, nommé « Keeper » (en raison de l'utilisation du domaine fileskeeper[.]org), a mené une attaque de type « filet et hameçonnage » sur le site web de la société de sécurité informatique Kaspers pour injecter du code JS malveillant dans le code HTML du site web) a été identifié par Gemini Advisory comme ayant exploité avec succès 64 domaines d'attaque et 73 domaines d'exfiltration qui ont affecté au moins 570 sites web dans 55 pays entre avril 2017 et aujourd'hui. Parmi les sites Web touchés, environ 85 % utilisaient le système de gestion de contenu Magento, pour lequel Recorded Future a confirmé au moins 10 incidents malveillants validés depuis septembre 2018.

The scale, sophistication, and length of the abovementioned Magecart attacks indicate that Magecart threat actors are technically savvy, are able to adapt their TTPs based on improvements in website securities, and opportunistically exploit vulnerabilities (both publicly known and unknown) in payment and content management systems on websites.

Outlook and Mitigation Strategies

The dark web has become more specialized and is being used to advertise customizable tools and services and provide feedback to enhance these tools, and for threat actors to showcase their technical skills and prowess so as to gain financial reward. Due to multiple attack vectors that threat actors can use to inject malicious JS code as well as the publicly known financial successes associated with Magecart attacks, threat actors are not only likely to continue to target payment process systems on vulnerable websites but are likely to continue to develop and sell customized sniffers that are capable of defeating updated security measures and alerts. Dark web sources (forums, markets, and encrypted messengers) will continue to serve as bridges between threat actors and customers for the foreseeable future.

Below are mitigation strategies that can assist in detecting and preventing a sniffer attack:

• Perform regular audits of your website, including test purchases to identify any suspicious scripts or network behavior.
• Implement protection client-side such as web skimming or malware protection.
• Prevent any non-essential externally loaded scripts from loading on checkout pages.
• Evaluate how third-party plugins use their code, servers, and external communications on your e-commerce website, and monitor for any changes in their code or behavior.