The Magecart threat group has dominated headlines for its use of malicious JavaScript code, which is injected into e-commerce websites to exfiltrate customer payment card data. But new research points to a growing industry on underground forums where so-called “sniffers” are being advertised, sold and regularly updated.
The new research, shared exclusively with Threatpost, shows an array of threat groups who over the past six months have been tracked continually developing and advertising customized payment sniffers that are updated regularly, contain multiple capabilities, and are available for purchase or rent – making this type of web based attack more readily available to cybercriminals of all calibers, from sophisticated actors to script kiddies.
“The biggest takeaway is that there exists a market, demanded by cybercriminals, for threat actors to advertise customized sniffer variants to conduct attacks against e-commerce websites through malicious JavaScript injection,” researchers with Recorded Future told Threatpost, on Thursday. “These customized sniffers contain multiple functions and are updated regularly to defeat security enhancements.”
Sniffers are malicious code (generally JavaScript) that is injected onto website payment systems via XSS attacks and otherwise. These are designed to steal payment card numbers, card verification values (the three- or four-digit number on the back of credit cards) and other personal identifiable information (PII) like names.
The Magecart group has found widespread successes in using these tools, with targets such as Ticketmaster, British Airways and other brands under its belt. The successes of Magecart-related attacks is also coupled with the increase in online shoppers due to the COVID-19 pandemic and mobile communications. These factors are spurring attackers to look to web based attacks for siphoning credit card information over the past year, researchers said.
Amidst all this, a number of threat actors have emerged on the scene offering customized sniffer variants. These contain multiple capabilities and functionalities, including easy-to-use interfaces, as well as the ability to organize compromised data into digestible formats, delete recurring payment card data, extract PII and defeat antivirus settings, researchers said.
One such Russian-speaking threat actor currently making waves is called “Billar,” which created and is the sole designer of a payment card sniffer called “Mr.SNIFFA.” This sniffer was first debuted on Exploit Forum on Dec. 3, 2019, and is currently being advertised for about $3,000. The package includes a unique way of receiving, implementing and executing malware code, cross-browser obfuscated data transfer, an admin panel that possesses the ability to defeat brute-force and DDoS attacks and 24/7 support and flexibility for customer needs.
Another group of bad actors, which go under the monikor Sochi, tout a JS sniffer variant called “Inter,” which has been active on forums like Exploit, Verified, and Club2CRD since Dec. 2018. Inter is described as a “universal sniffer” designed to steal CNP payment data from payment platforms (particularly Magento, OpenCart, and OsCommerce) and websites using iframes or third-party payment processors. Sochi sells licenses for Inter for around $1,000. These purchases include the sniffer’s payload, user manual, 24/7 customer service, free admin panel, and updates that make it undetectable to antivirus software.
While researchers did not identify evidence of these threat actors using or selling compromised carding data that was retrieved from their customized sniffers, “given that the purpose of sniffers is to steal payment card information and that information only has value if it is monetized, it is very likely that the card information must have been either sold or used to purchase goods online which are then resold,” they said.
Web based credit-card-stealing attacks have continued over the past year. Researchers earlier in 2020 identified a credit-card skimming campaign that was active since mid-April, targeting ASP.NET-based websites running on Microsoft Internet Information Services (IIS) servers. Another skimmer was observed in April from the Magecart Group that was harvesting payment-card data from 19 different victim websites.
“Due to multiple attack vectors that threat actors can use to inject malicious JS code as well as the publicly known financial successes associated with Magecart attacks, threat actors are not only likely to continue to target payment process systems on vulnerable websites but are likely to continue to develop and sell customized sniffers that are capable of defeating updated security measures and alerts,” said researchers. “Dark web sources (forums, markets, and encrypted messengers) will continue to serve as bridges between threat actors and customers for the foreseeable future.”
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Resister today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.
