09.04.2019

Meet the JS-Sniffers:
ReactGet Family

Victor Okorokov
Threat Intelligence Analyst at Group-IB
The e-commerce market is booming. A rare person does not buy online now. However, the convenience of online shopping has its downsides: those who use payment cards for online shopping face countless cyber threats, JavaScript-sniffers is one of them. JS-sniffer is a malicious code that is injected into the websites designed to steal customer payment data, personal details, credentials etc. Until recently, when the first RiskIQ report on this type of malware was published, the threat posed by JS-sniffers remained under the radar of malware analysts, who deemed it insignificant and unworthy of an in-depth research. However, several incidents have shown the opposite to be true, including 380,000 victims of a JS-sniffer that infected the British Airways website and mobile app, the compromise of Ticketmaster users' payment data, and the recent incident involving the UK website of the international sporting goods giant Fila, which could have led to the theft of payment details of at least 5,600 customers. All these incidents indicate that this threat has to be taken seriously.


In our recent comprehensive report on the analysis of JavaScript-sniffers, Group-IB researchers analyzed 2440 infected ecommerce websites all around the world with a total of around 1.5 million unique daily visitors whose data could have been compromised. When a website is infected, everyone is potentially a victim – online shoppers, ecommerce websites, payment processing systems, and banks that issued compromised cards. Group-IB's report features an in-depth analysis of JS-sniffers' darknet market, their entire infrastructure and the monetization methods, which bring their developers millions of dollars. This is a first blog post in a series that features detailed technical analysis of different families of JS-sniffers.
Meet ReactGet
I think that ReactGet is one of the most interesting families of JS-sniffers, designed to steal banking cards data from online stores. Despite that ReactGet is considered as specialized JS-sniffer, it is capable of stealing payment and personal info from the websites that use a variety of different payment processing systems. In case with traditional specialized JS-sniffers, one version value corresponds to one specific payment gateway, while some of the detected versions of the ReactGet can be used for either credentials or payment information stealing from payment forms of multiple payment systems at once. It was established that in some cases, JS-sniffer's operators carry out targeted phishing attacks aimed at the online shops' administrators in order to obtain the credentials to access the administrative panel.

The campaign involving the use of the ReactGet JS-sniffer family started in May 2017. ReactGet was used to infect websites running on CMS and e-commerce platforms such as Magento, Bigcommerce, and Shopify.
Description
The analysis of infected websites made it possible to explore the techniques used to add malicious script to the HTML code of infected websites. Apart from the classic technique involving the "src" parameter, the attackers developed their own specific method: they used a JavaScript script that checks whether the URL address in the victim's browser matches, based on keywords indicating that the page is a checkout page. The malicious script starts only if the URL address includes substrings such as "checkout". The malicious script is therefore executed only after users have filled in the form with their payment and personal information.
Samples of the ReactGet JS-sniffer family use a special technique for sending stolen information to the attackers' server: the victim's payment and personal information is encoded with Base64, after which the result string is used as a parameter for the URL for sending requests to the attackers' server. In most cases, the path to the gate imitates JavaScript files such as resp.js and data.js, but sometimes the gate path looks like a URL to GIF and PNG files. The JS-sniffer's distinctive feature is that it creates a pixel-by-pixel image and uses previously generated URLs with encoded credentials as a "src" parameter for this image. In the victim's network traffic, this request looks like a simple HTTP GET request to the image. A similar technique was used in the case of the ImageID JS-sniffer family. However, the technique is also used by various legitimate services to collect statistics about website visitors, which might confuse a user.
Analysis of versions
Analysis of active domain names used by the operators of ReactGet family as script hosts and gates led to the discovery of a large number of different versions. Each version was designed for stealing credentials from the payment form of a specific payment gateway used for processing payments on e-commerce websites. In addition, the difference between these JS-sniffer versions was whether it was obfuscated or not. By fuzzing the value of the version on some of the gates, Group-IB specialists obtained the full list of versions used by the attackers. Analysing the list of payment form IDs hardcoded in each JS-sniffer made it possible to determine the target payment system of each JS-sniffer sample. See Appendix 1.
JS-sniffer for stealing passwords
One of the main features of every JS-sniffer is the ability to steal any type of data from POST forms on infected websites. JS-sniffers steal not only credit card information but also user credentials such as login and password pairs. Group-IB specialists detected a specific version of the JS-sniffer linked to the ReactGet family, which was designed to steal user email addresses and passwords from infected websites.
Overlap with ImageID JS-sniffer
While analysing one of the infected websites, it was discovered that it had been infected twice: in addition to the infection by the ReactGet JS-sniffer, the website was infected with the ImageID JS-sniffer. This could mean that operators of both JS-sniffers use similar tools and tactics to infect e-commerce websites.
Universal JS-sniffer
While analysing one of the domain names used by the attackers, it was discovered that the same actor created three other domain names imitating three legitimate websites which belonged to online stores. These domain names were used to store JS-sniffers in past waves of infection campaigns conducted by the same actors. The analysis of three infected websites showed that the JS-sniffers used on these shops were replaced by an updated version of the ReactGet JS-sniffer. In this case, the attackers used a universal version of the JS-sniffer that steals information not from one specific payment form but from 15 different types of payment forms that could be used on e-commerce websites to process payments.

During the first stages of execution, the JS-sniffer searches for basic fields containing the victim's personal information: full name, address, phone number, etc.
The JS-sniffer then searches for payment information using 15 different prefixes for various payment gateways for e-commerce websites.
The JS-sniffer's script collects the victim's payment and personal information and sends it to the server controlled by the attackers. In this case, two versions of this universal JS-sniffer stored on two compromised websites were discovered, but both versions sent stolen information to a gate located on one of these compromised websites, zoobashop.com.
Analysis of the prefixes used by the JS-sniffer to find the victim's payment information on the page allowed to determine the list of affected payment gateways. The JS-sniffer steals information from payment forms of the following payment processing systems:

  • Authorize.Net
  • Verisign
  • First Data
  • USAePay
  • Stripe
  • PayPal
  • ANZ eGate
  • Braintree
  • DataCash (MasterCard)
  • Realex Payments
  • PsiGate
  • Heartland Payment Systems
Tools
The analysis of attackers' infrastructure revealed the tools used by ReactGet operators during their attacks. The first discovered tool is aimed at obfuscation of malicious scripts responsible for stealing payment cards data. A bash script using CLI of the project javascript-obfuscator (https://github.com/javascript-obfuscator/javascript-obfuscator) for automatization of script obfuscation was discovered on one of the attackers' hosts.
The second discovered tool is aimed at generation of scripts responsible for loading the JS-sniffer. This tool generates JavaScript code which checks if the user is on the checkout page searching for keywords (e.g. checkout, card etc.) in the URL address of the victims' browser. Thus, the JS-sniffer is downloaded from the attackers' server if the user is on the checkout page. In order to hide the malicious activity all strings including test strings for checkout page detection and the link to JS-sniffer are encoded with Base64.
Phishing attacks
While analyzing the network infrastructure used by ReactGet operators, it was established that in order to access the administrative panel of the targeted online store cybercriminals quite often carry out targeted phishing attacks. The attackers register a domain that is very similar to the legitimate one used by the targeted online store, and fake admin panel access form. If successful, such phishing attacks allows cybercriminals to get access to the Magento CMS website control panel and inject a JS-Sniffer to steal customer payment data.
Infrastructure
Appendix 1
Crime without punishment: in-depth analysis of JS-sniffers
JS-sniffers pose a growing threat by attacking online stores and stealing payment data and credentials of their users. When a website is infected with JS-sniffer, everyone is a victim – online shoppers, ecommerce websites, payment processing systems, and banks that issued compromised cards. Group-IB experts have researched this type of malware and have discovered 38 families of JS-sniffers, whereas only 12 were known previously.