Crime without punishment: Group-IB issues a new report on JS‑sniffers that infected 2440 websites around the world

Group-IB, an international company that specializes in preventing cyberattacks, has issued a new comprehensive report on the analysis of JavaScript-sniffers — a type of malware designed to steal customer payment data from online stores. 2440 infected ecommerce websites with a total of around 1.5 million unique daily visitors whose data could have been compromised, were analyzed by Group-IB researchers. Group-IB’s report features an in-depth analysis of JS‑sniffers’ darknet market, their entire infrastructure and the monetization methods, which bring their developers millions of dollars.

New threats for E-commerce market

The e-commerce market is booming. A rare person does not buy online now. According to a Pew Research Center survey of U.S. adults, eight-in-ten Americans are online shoppers. However the convenience of online shopping has its downsides: users who use payment cards for online shopping face countless cyber threats, including JavaScript-sniffers.

Prior to the publication of Group-IB’s report «Crime without punishment: In-depth analysis of JS‑sniffers» the researchers at RiskIQ and Flashpoint were the first to publish a joint report on the activities of cybercriminals using JS‑sniffers. They gave the umbrella term MageCart to 12 cybercriminal groups. Group-IB experts studied the discovered JS‑sniffers and, using their own analytical systems, were able to discover their entire infrastructure and gain access to their source codes, administrative panels, and cybercriminals’ tools. This approach helped identify 38 unique JS‑sniffers’ families, 15 of which are presented in detail in the report, available for Group-IB Threat Intelligence customers. At least 8 of them were discovered and described for the very first time.

The threat posed by JS‑sniffers was long under the radar of malware analysts, who deemed it insignificant and unworthy of an in-depth research. However, several incidents have shown the opposite to be true, including: 380,000 victims of a JS‑sniffer that infected the British Airways website and mobile app, the compromise of Ticketmaster users’ payment data, and the recent incident involving the UK website of the international sporting goods giant Fila, which could have led to the theft of payment details of at least 5,600 customers. «When a website is infected, everyone is a victim — end users, payment systems, banks, and companies that sell their goods and services online,» says Dmitry Volkov, CTO and Head of Threat Intelligence at Group-IB. «The fact that there is still little known about incidents involving JS‑sniffers and the damages they cause indicates that this problem is understudied, which allows groups developing sniffers to steal money from online shoppers act with impunity and get away with it.»

JavaScript-sniffers: a «hidden threat» you don’t want to know about

A JS‑sniffer is the online equivalent of a credit card skimmer. However, while a skimmer is a small device installed on ATMs that intercepts bank card details, a JS‑sniffer is a few lines of code that cybercriminals inject into websites to capture data entered by users, such as payment card numbers, names, addresses, passwords, etc. In general, hackers sell the obtained payment data to carders on darknet forums. The price for a stolen card ranges from around $1 to $5, occasionally from $10 to $15. A significant number of underground forums where JS‑sniffers are put up for sale or rent are Russian-speaking.

Approximate estimates suggest that the profits made by JS‑sniffer developers may amount to hundreds of thousands of dollars per month. For instance, websites infected by the WebRank family of JS‑sniffers attract around 250,000 visitors every day. If the conversion on these websites was only 1%, this would mean that 2,500 shoppers carry out transactions every single day. This in turn means that, at the minimum price range charged for stolen cards, WebRank developers can make between $2,500 and $12,500 for a JS‑sniffer’s one day of «work», which amounts to $75,000 to $375,000 per month. Not to mention that WebRank is only third in the «ranking» of mass infections. Websites infected by MagentoName and CoffeMokko JS‑sniffers attract more than 440,000 visitors per day.

 

How JS‑sniffers attack

Group-IB’s analysis of 2,440 infected websites revealed that more than half or resources were attacked by MagentoName JS‑sniffer family, whose operators exploit vulnerabilities of older versions of the Magento CMS (Content Management System) to inject malicious code into the codes of websites powered by this CMS. More than 13% of infections are carried out by WebRank JS‑sniffers family, which attacks third-party sites to inject its malicious code into the targeted websites. More than 11% of infections are also carried out by JS‑sniffers from the CoffeMokko family, whose operators use obfuscated scripts designed to steal information from payment forms of payment systems, whose field names are hardcoded into the JS‑sniffer’s code. Such payment systems include PayPal, Verisign, Authorize.net, eWAY, Sage Pay, WorldPay, Stripe, USAePay, and others. Many JS‑sniffer families use a unique options for each payment system, which requires modifying and testing the script before each infection.

Most identified JS‑sniffers are set up to steal information from different types of payment forms of website management systems such as Magento, OpenCart, Shopify, WooCommerce, WordPress. Such JS‑sniffer families include PreMage, MagentoName, FakeCDN, Qoogle, GetBilling, and PostEval. Other JS‑Sniffers are universal and can be integrated into the code of any website, regardless of the systems used (G-Analytics, WebRank).

During its research, Group-IB discovered signs of «competition»: some JS‑sniffer families could detect and eliminate JS‑sniffers belonging to competitors that injected the victim’s website first (for example, MagentoName). Others use the «body» of the competitor’s JS‑sniffer, «taking over» the data it intercepts and transferring it to its own gate (for example, WebRank). JS‑sniffers can be modified to make it more difficult to detect them. For example, ImageID and ReactGet are able to bypass most detection systems because they are activated only when the buyer is completing their transaction on the website; the rest of the time, the JS‑sniffer is «inactive» and doesn’t give itself away. Some families have a number of unique JS‑sniffers for each infection, such as CoffeMokko. Each JS‑sniffer in this family is used only once to infect a single website.

The G-Analytics JS‑sniffers family is distinctive in that it not only injects malicious code into website’s HTML code but also the server-side PHP scripts that handle payments on e-commerce websites. This technique makes it significantly more difficult for analysts to detect the malicious code. JS‑sniffers such as ImageID and G-Analytics are able to imitate legitimate services such as Google Analytics and jQuery and disguise their malicious activity with legitimate scripts and domain names that are similar to legitimate ones.

Attacks involving JS‑sniffers can have several stages. When analysing the code of one of the infected online stores, Group-IB’s specialists discovered that the cybercriminals had not limited themselves to simply injecting the JS‑sniffer, but created a fake payment form that was loaded from a different compromised website. The form gave users two payment options: by credit card or PayPal. If the user chose to pay via PayPal, the fake form would show an error message saying that this payment method was currently unavailable, and the only way to pay was using a credit card.

 

Customers and buyers: how the JS‑sniffer market works

The development of the JS‑sniffer market has led to relationships between its players becoming increasingly complicated. JS‑Sniffer can be used by not only the cybercriminal group that developed it, but also by other groups that have bought or rented the JS‑sniffer as-a-service. In some cases, it is difficult to determine just how many cybercriminal groups are using a given JS‑sniffer, which is why Group-IB experts call them families, not groups.

JS‑sniffers’ cost ranges from $250 to $5,000 on underground forums. Some services offer partnerships: the customer provides access to the compromised online store and receives a share of the profits, while the JS‑sniffer developer is responsible for providing hosting servers, tech support, and an administrative panel for the customer. Such «market relationships» between developers, sellers, intermediaries and buyers on the underground market make it difficult to attribute the crime committed to a particular group. Nevertheless, the indicators collected by Group-IB linked to the activities of each of the 38 JS‑sniffer families help solve this problem. Moreover, Group-IB’s report contains detailed recommendations for all parties that may fall victim to JS‑sniffers: shoppers, banks, online stores, and payment systems. The research continues. Descriptions of analysed JS‑sniffers and new information about them are regularly uploaded to Group-IB’s Threat Intelligence system.