Tuesday, 3 December 2019

JavaScript sniffers could steal credit card data

Group-IB, which specialises in preventing cyberattacks, has shared its annual Hi-Tech Crime Trends 2019-2020 report in Singapore. The company is a Singapore-based provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations.

[Image: cover of the Hi-Tech Crime Trends report for 2019-2020. Source: Group-IB website.]
Group-IB researchers analysed underground cardshops selling compromised card data and identified several key trends in attacks on banking customers. Complex banking Trojans have given way to a new threat, JavaScript sniffers, which were a major reason why carding (the theft of bank card details) became the fastest-growing segment among threats to banking customers in 2019.

Group-IB’s report covers 2H18 to 1H19 and compares it to the same period a year ago, or 2H17 and 1H18 respectively. By leveraging its own infrastructure for monitoring of underground forums and cardshops, Group-IB has found that the number of compromised cards uploaded to underground forums increased from 27.1 million to 43.8 million. The size of the market, in turn, grew by 33% and amounted to US$879.7 million. The average price for raw card data (card number, expiration date, cardholder name, card verification value or CVV) rose from US$9 to US$14, while the average price for a dump (the information contained in the magnetic stripe) fell from US$33 to US$22.

Prices for raw compromised-card data of Asia Pacific (APAC) customers were relatively high. Raw card data cost US$17-20 per card and dumps – US$80-124, reflecting their relative rarity in underground forums.

Dumps still account for 80% of the carding market, with at least 31.2 million dumps put up for sale in the period studied, a 46% growth year-on-year. The main method of compromising magnetic stripe card data (dumps) was infecting computers connected to point of sale (POS) terminals with Trojans that collect payment card data from RAM (random access memory). Over the given period, four new POS Trojans were identified; they had been actively used in attacks but had previously gone unnoticed.

The sale of raw card data is also on the rise, having increased by 19% in the corresponding period. One of the key reasons behind this trend could be JavaScript sniffers (JS-sniffers), a type of malware designed to steal customer payment data from online stores: payment card numbers, cardholder names, addresses, user credentials etc. The compromised payment card data is either sold on underground cardshops or used by cybercriminals to purchase items. In 2019 alone, Group-IB experts identified at least 38 different families of JS-sniffers, a number that is continuously growing and already exceeds the number of banking Trojan families for PC and Android.

JS-sniffers represent a threat to countries where the 3D Secure protocol is not widely implemented. Most JS-sniffer families are designed to steal information from the payment forms of websites running a specific content management system; there are, however, also universal ones, which can steal information from payment forms without modifications tailored to a specific website.

MagentoName and CoffeMokko families of JS-sniffers, both of which were involved in massive infection campaigns, are thought to be the most aggressive, with over 440,000 people visiting the websites infected with these JS sniffers every day. The JS-sniffer family that comes third in this ranking is WebRank, which infected websites that together attracted 250,000 visitors. The analysis of attacks on APAC online shoppers indicates that there are at least 11 families of JS-sniffers that are used to infect websites in the region: MagentoName, Inter, addtoev Group, Qoogle, Illum, CoffeMokko, EUTag, WebRank, ImageID, TokenLogin and OnlineStatus.

Using its own tools for monitoring underground forums and cardshops, Group-IB discovered that the biggest leaks of bank card data are related to the compromise of US retailers. The US is the leader in terms of the number of compromised bank cards, accounting for 93% of the total. Kuwait, Pakistan, the UAE and Qatar form the second-largest cluster after the US. Given the growing popularity of this new way of obtaining raw card data, Group-IB experts assume that e-commerce websites in both developed and developing countries should be aware of the threat and take measures to avoid becoming victims of JS-sniffers.

Group-IB experts recommend that users keep a separate prepaid card for online payments, or even a separate bank account used exclusively for online purchases. The admins of e-commerce websites, in turn, need to keep their software updated, carry out regular cybersecurity assessments of their websites and not hesitate to seek assistance from cybersecurity specialists whenever needed, Group-IB said.
