Payment Card Data being stolen via Sniffer Malware
An Introduction to Sniffers
An attacker injects a web server with an obfuscated malicious script, which triggers once a victim visits the compromised page. The script captures the input variables, converts them to a string, and sends it to the sniffer panel hosted by the attacker.
The attacker also exploits iFrame (an inline frame used inside a webpage to load another HTML document inside it) by tricking the victims into entering additional data asked by a fake pop-up window, which is ideally not required on a legitimate page.
Once attackers successfully exfiltrate the victim’s data from a compromised website, it is processed into a commercialized format (Number | Exp | CVV | Name) and sold on underground forums, where it is used for other illicit purposes such as carding.
R3NIN Sniffer is a ready-to-use toolkit and panel for stealing payment card data from compromised e-commerce websites and is on sale in a notorious Russian-language cybercrime forum by the threat actor using the same handle, ‘r3nin’.
The sniffer toolkit was initially offered at an introductory price of USD 1,500; the pricing was later revised to a range of USD 3,000 to USD 4,500.
- On January 13, 2023, version 1.1 was released, which included improved functionalities for better Cross-Origin Resource Sharing (CORS) bypass and added a new functionality, ‘Extractor’.
- On January 15, version 1.2 was released, which included features to fully obfuscate malicious scripts and hide URLs of the Command and Control (C&C) server.
- On January 26, another update was announced, adding a keylogger to the sniffer module that can log inputs from multiple input field types, i.e., ‘inputs’, ‘selects’, and ‘textareas’, on a compromised website.
- On January 30, support for the inline frame (iFrame) in the existing sniffer module was introduced.
A video posted by the Threat Actor/developer of the R3NIN Sniffer Panel on the advertisement thread demonstrated their sniffer panel displaying the following notable functionalities:
Generates the malicious conditional script, which triggers itself when the condition is fulfilled, i.e., the victim lands on the compromised merchant website. The attacker has to enter the targeted path on the merchant website in the dialogue box.
The video demonstrated the generation of a conditional script for the URL path “/checkout”, the endpoint that handles the payment gateway response. The script is then injected into the targeted path and triggers when the victim lands on the “/checkout” page.
Displays all the sniffed data from the compromised website in raw form, along with user agent and creation time.
An automatic parser that parses all the raw sniffed data and displays it in a clean format based on fields specified by the attacker. The attacker can customize the data fields according to their preferences by entering the parameter ID that the targeted website uses to identify the desired input variable(s).
The attached screenshot displays categories available on the panel for an attacker to parse the raw data in the desired format:
- Expiry Date
- Pin code
R3NIN’s toolkit can be utilized in two different ways:
Object Execution from a Standalone Script
A standalone malicious script is injected and stored on the compromised payment merchant site. It captures all the inputs entered by the victim on the compromised payment page and sends them to the configured sniffer panel.
Remote Execution from Sniffer Panel
Once the victim visits the compromised merchant website, the conditional script generated from the sniffer panel triggers and calls the obfuscated malicious script from the remote server. The malicious script is temporarily injected into the victim’s session, sniffs all the inputs the attacker is interested in, and sends them back to the sniffer panel.
In this method, the malicious script does not have to be stored on the merchant website, which helps the attacker keep it undetected by crawlers and anti-malware software.
The remote servers have allegedly been configured to display a white screen which, if accessed by an external source, redirects to another configured web page. R3NIN’s developer termed this feature a “white screen display”.
PostgreSQL is used to manage the database, and the service recommends that its buyers install the Django framework for hosting the sniffer panel. The Django framework helps keep the sniffer panel more secure than PHP.
Why is Sniffer-as-a-Service Still Relevant?
Our continued research has shown a tremendous increase in the number of auctions on Russian- and English-language cybercrime forums listing unauthorized backend access to online shops built on the most widely used e-commerce solutions, such as Magento, WordPress, Prestashop, OpenCart, Joomla, osCommerce, and iFrame.
With a huge number of unauthorized shop accesses on offer, threat actors are opting for R3NIN’s Sniffer Panel and similar Sniffer-as-a-Service offerings, which automate and speed up their attempts to steal payment card and Personally Identifiable Information (PII) data.
These malicious tools and services also minimize the time threat actors need to process the stolen data for further monetization. This is done either individually, by setting up fraudulent transaction operations (i.e., carding), or by selling payment card data in bulk on underground shops (BidenCash, Yale Lodge, Russian Market, Brian Club) and cybercrime forums (BreachForums, Exploit, XSS).
The sniffer’s malicious operation takes place on a legitimate domain. The malicious scripts do not directly interact with the victim’s device, which makes it very difficult for a victim to identify whether the online shop is secure for a payment transaction.
E-commerce merchants are therefore advised to regularly audit their payment pages and the servers communicating with their payment gateway to protect them from such compromises. It is also essential for banking organizations to monitor the payment card BINs that are put up for sale on illicit forums and boards.
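The audit recommended above can be largely automated. The following is an added example (not code from the original post or from the R3NIN toolkit) that captures a checkout page in a known-good state, records the hashes of its inline scripts and the hosts it loads scripts from, and then flags anything the page later serves that is not in that baseline: an injected conditional loader, a script fetched from an unknown remote server, or an iframe of the kind used for the fake pop-up. The hostnames, allowlist and both page samples are constructed for the example; the obfuscation heuristic is an assumption, not a signature from the post.

```python
"""Checkout-page integrity audit: flag scripts and iframes that are not in
the merchant's baseline. Added example, not code from the original post or
from the R3NIN toolkit; all hostnames and page content below are constructed."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "shop.example"                        # assumed merchant host
ALLOWED_HOSTS = {"shop.example", "cdn.example"}   # assumed allowlist of script/iframe origins
# Assumed heuristic: calls a hidden loader commonly needs to decode or run its payload.
OBFUSCATION = re.compile(r"eval\(|atob\(|String\.fromCharCode|unescape\(|\\x[0-9a-f]{2}", re.I)


class PageAssets(HTMLParser):
    """Collect external script/iframe sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.externals = []   # (tag, src) pairs for <script src> and <iframe src>
        self.inline = []      # bodies of <script> elements without a src
        self._buf = None      # non-None while inside an inline script

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.externals.append(("script", a["src"]))
            else:
                self._buf = []
        elif tag == "iframe" and a.get("src"):
            self.externals.append(("iframe", a["src"]))

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def digest(text):
    """SHA-256 of an inline script body, whitespace-trimmed so formatting does not matter."""
    return hashlib.sha256(text.strip().encode()).hexdigest()


def baseline_from_html(html):
    """Hashes of every inline script on a page captured in a known-good state."""
    p = PageAssets()
    p.feed(html)
    return {digest(body) for body in p.inline}


def audit(html, allowed_hosts=ALLOWED_HOSTS, baseline=frozenset(), page_host=PAGE_HOST):
    """Return a list of findings; an empty list means the page matches the baseline."""
    p = PageAssets()
    p.feed(html)
    findings = []
    for tag, src in p.externals:
        host = urlparse(src).hostname or page_host   # a relative src is same-origin
        if host not in allowed_hosts:
            findings.append(f"unknown {tag} origin: {src}")
    for body in p.inline:
        h = digest(body)
        if h not in baseline:
            why = "not in baseline"
            if OBFUSCATION.search(body):
                why += ", obfuscation markers"
            findings.append(f"inline script {h[:12]}: {why}")
    return findings


# Constructed sample: the checkout page as captured when it was known to be clean.
KNOWN_GOOD_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/forms.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</body></html>"""

# Constructed sample of the same page after a compromise of the kind the post describes:
# a path-conditional loader, an unknown remote script, and a hidden iframe.
SUSPECT_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/forms.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
<script>if(location.pathname=="/checkout"){eval(atob("PLACEHOLDER"))}</script>
<script src="https://cdn.attacker.invalid/r.js"></script>
<iframe src="https://verify.attacker.invalid/popup" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    baseline = baseline_from_html(KNOWN_GOOD_PAGE)
    for line in audit(SUSPECT_PAGE, baseline=baseline):
        print(line)
```

In practice the baseline is taken from a reviewed deployment and the audit runs against the live checkout page on a schedule; because the remote-execution method leaves only a small loader on the merchant site, the check that catches it is the inline-hash comparison, while the unknown-origin check catches the remote payload and the pop-up iframe. Any finding should be treated as a potential compromise and reviewed against the release history before being added to the baseline.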