See Also: Tools and Tactics for Modern Crimeware
A Thriving Underground
For a number of years, JS-sniffer malware flew under the radar of security analysts and not much was done to study these types of attacks, Viktor Okorokov, a threat intelligence analyst at Group-IB, tells Information Security Media Group.
This gave cybercriminals the time to develop new tools and techniques to conduct successful schemes against many online shopping sites, Okorokov says. Over time, the underground market for this malware continued to grow.
"JS sniffers can now be used by not only the cybercriminal group that developed them, but also by other groups that have bought or rented the JS sniffer as a service," Okorokov says. "In some cases, it is difficult to determine just how many cybercriminal groups are using a given JS sniffer, which is why Group-IB experts call them families, not groups."
Most of these JS-sniffer attacks are associated with an umbrella organization dubbed Magecart, which comprises 12 cybercriminal "families" that have been extremely active over the last year.
Most recently, Magecart has been suspected in attacks against shoe manufacturer Fila as well as the bedding sites Mypillow.com and Amerisleep.com, according to an earlier analysis by Group-IB and RiskIQ
Other suspected victims of Magecart-style attacks include even larger e-commerce sites, including British Airways, Ticketmaster and Newegg.
How JS Sniffers Work
While there hasn't been much analysis of JS sniffers, this malware is efficient at capturing personal data, such as credit card numbers, which can then be sold on the dark web for prices ranging from $1 to as much as $15, according to the Group-IB analysis.
A JS sniffer works in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer uses a few lines of code injected onto an e-commerce site to skim data that consumers use to buy goods. The malware costs between $250 and $5,000 to buy on underground forums, the new analysis found.
The majority of the JS sniffers that Group-IB studied are set up to steal information from a number of different websites and content management systems, including Magento, OpenCart, Shopify, WooCommerce and WordPress.
Of the 2,440 websites that Group-IB studied, more than half were attacked by a JS sniffer called MagentoName, which takes advantage of vulnerabilities in older versions of the Magento content management system.
Various JS sniffers have their own unique features, Group-IB found.
For instance, the WebRank JS sniffers family, which is involved in about 13 percent of all the infections Group-IB detected, injects its malicious code into websites that are targeted. In contrast, CoffeMokko uses obfuscated scripts designed to steal information from the payment forms - the field names are hardcoded into malware - of payment systems, including PayPal, and Verisign, according to the analysis.
Other JS sniffers, such as ImageID and G-Analytics, imitate legitimate services, such as Google Analytics and jQuery, to help disguise malicious activity. They use realistic-looking scripts and domain names that resemble legitimate ones, the report found.
One reason for all this variety is that competition is thriving in the underground market among the various cybercriminal groups that use JS sniffers, Okorokov says.
"We [have] observed the signs of competition," Okorokov says. "Some JS sniffer families could detect and eliminate JS sniffers belonging to competitors that injected the victim's website first. Others use the 'body' of the competitor's JS sniffer, 'taking over' the data it intercepts and transferring it to its own gate. Some samples of JS sniffers are also capable of deleting rival malicious code from infected websites."
The reason for all this competition and backstabbing is the amount of money that can be made by using JS sniffers.
Group-IB cites the example of sites infected with the WebRank malware. These infected websites attract about 250,000 visitors each day. If only 1 percent of those shoppers fall victim to the JS skimmer, Group-IB estimates, this can generate $2,500 to $12,500 for one day of work.
One of the biggest concerns about JS sniffers is that not only are they difficult to detect, but even removing the code does not stop the attackers. It's an issue CISOs at e-commerce sites and banks need to tackle, Okorokov says.
"It is also wrong to believe that it is easy to remove a JS sniffer from the website," Okorokov says. "Moreover, the incident does not end once you remove a JS sniffer; it is required to carry out maintenance work to prevent further intrusions. During the research, Group-IB analysts saw a once-removed sniffer becoming active again."
The consumers who are the target of these attacks also need to be aware about these types of schemes, because they are difficult to detect. The best defense is to practice basic cyber-hygiene, Okorokov says.
"Online shoppers are advised to have a separate card for all online purchases and should not keep all savings on the bank account linked to this card," Okorokov says. "It is recommended to always check the legitimacy of the website before making any purchases. Pay attention to the URL in the browser, and ensure that the website uses a valid certificate to minimize the risks of being defrauded."