A JS‑sniffer is the online equivalent of a credit card skimmer. However, while a skimmer is a small device installed on ATMs that intercepts bank card details, a JS‑sniffer is a few lines of code that cybercriminals inject into websites to capture data entered by users, such as payment card numbers, names, addresses, passwords, etc. In general, hackers sell the obtained payment data to carders on darknet forums. The price for a stolen card ranges from around $1 to $5, occasionally from $10 to $15. A significant number of underground forums where JS‑sniffers are put up for sale or rent are Russian-speaking.
Approximate estimates suggest that the profits made by JS‑sniffer developers may amount to hundreds of thousands of dollars per month. For instance, websites infected by the WebRank family of JS‑sniffers attract around 250,000 visitors every day. If the conversion on these websites was only 1%, this would mean that 2,500 shoppers carry out transactions every single day. This in turn means that, at the minimum price range charged for stolen cards, WebRank developers can make between $2,500 and $12,500 for a JS‑sniffer’s one day of «work», which amounts to $75,000 to $375,000 per month. Not to mention that WebRank is only third in the «ranking» of mass infections. Websites infected by MagentoName and CoffeMokko JS‑sniffers attract more than 440,000 visitors per day.
How JS‑sniffers attack
Group-IB’s analysis of 2,440 infected websites revealed that more than half or resources were attacked by MagentoName JS‑sniffer family, whose operators exploit vulnerabilities of older versions of the Magento CMS (Content Management System) to inject malicious code into the codes of websites powered by this CMS. More than 13% of infections are carried out by WebRank JS‑sniffers family, which attacks third-party sites to inject its malicious code into the targeted websites. More than 11% of infections are also carried out by JS‑sniffers from the CoffeMokko family, whose operators use obfuscated scripts designed to steal information from payment forms of payment systems, whose field names are hardcoded into the JS‑sniffer’s code. Such payment systems include PayPal, Verisign, Authorize.net, eWAY, Sage Pay, WorldPay, Stripe, USAePay, and others. Many JS‑sniffer families use a unique options for each payment system, which requires modifying and testing the script before each infection.
Most identified JS‑sniffers are set up to steal information from different types of payment forms of website management systems such as Magento, OpenCart, Shopify, WooCommerce, WordPress. Such JS‑sniffer families include PreMage, MagentoName, FakeCDN, Qoogle, GetBilling, and PostEval. Other JS‑Sniffers are universal and can be integrated into the code of any website, regardless of the systems used (G-Analytics, WebRank).
During its research, Group-IB discovered signs of «competition»: some JS‑sniffer families could detect and eliminate JS‑sniffers belonging to competitors that injected the victim’s website first (for example, MagentoName). Others use the «body» of the competitor’s JS‑sniffer, «taking over» the data it intercepts and transferring it to its own gate (for example, WebRank). JS‑sniffers can be modified to make it more difficult to detect them. For example, ImageID and ReactGet are able to bypass most detection systems because they are activated only when the buyer is completing their transaction on the website; the rest of the time, the JS‑sniffer is «inactive» and doesn’t give itself away. Some families have a number of unique JS‑sniffers for each infection, such as CoffeMokko. Each JS‑sniffer in this family is used only once to infect a single website.
The G-Analytics JS‑sniffers family is distinctive in that it not only injects malicious code into website’s HTML code but also the server-side PHP scripts that handle payments on e-commerce websites. This technique makes it significantly more difficult for analysts to detect the malicious code. JS‑sniffers such as ImageID and G-Analytics are able to imitate legitimate services such as Google Analytics and jQuery and disguise their malicious activity with legitimate scripts and domain names that are similar to legitimate ones.
Attacks involving JS‑sniffers can have several stages. When analysing the code of one of the infected online stores, Group-IB’s specialists discovered that the cybercriminals had not limited themselves to simply injecting the JS‑sniffer, but created a fake payment form that was loaded from a different compromised website. The form gave users two payment options: by credit card or PayPal. If the user chose to pay via PayPal, the fake form would show an error message saying that this payment method was currently unavailable, and the only way to pay was using a credit card.
Customers and buyers: how the JS‑sniffer market works
The development of the JS‑sniffer market has led to relationships between its players becoming increasingly complicated. JS‑Sniffer can be used by not only the cybercriminal group that developed it, but also by other groups that have bought or rented the JS‑sniffer as-a-service. In some cases, it is difficult to determine just how many cybercriminal groups are using a given JS‑sniffer, which is why Group-IB experts call them families, not groups.
JS‑sniffers’ cost ranges from $250 to $5,000 on underground forums. Some services offer partnerships: the customer provides access to the compromised online store and receives a share of the profits, while the JS‑sniffer developer is responsible for providing hosting servers, tech support, and an administrative panel for the customer. Such «market relationships» between developers, sellers, intermediaries and buyers on the underground market make it difficult to attribute the crime committed to a particular group. Nevertheless, the indicators collected by Group-IB linked to the activities of each of the 38 JS‑sniffer families help solve this problem. Moreover, Group-IB’s report contains detailed recommendations for all parties that may fall victim to JS‑sniffers: shoppers, banks, online stores, and payment systems. The research continues. Descriptions of analysed JS‑sniffers and new information about them are regularly uploaded to Group-IB’s Threat Intelligence system.