Group-IB report: JS-sniffers infected 2440 websites around the world

Pierluigi Paganini April 03, 2019

Crime without punishment: Group-IB issues a new report on JS-sniffers that infected 2440 websites around the world

Group-IB, an international company that specializes in preventing cyberattacks, has issued a new comprehensive report analyzing JavaScript-sniffers, a type of malware designed to steal customer payment data from online stores. Group-IB researchers analyzed 2440 infected e-commerce websites with a total of around 1.5 million unique daily visitors whose data could have been compromised. The report features an in-depth analysis of the darknet market for JS-sniffers, their entire infrastructure and the monetization methods, which bring their developers millions of dollars.

New threats for E-commerce market

The e-commerce market is booming, and few people never buy online. According to a Pew Research Center survey of U.S. adults, eight-in-ten Americans are online shoppers. However, the convenience of online shopping has its downsides: users who pay by card online face countless cyber threats, including JavaScript-sniffers.

Prior to the publication of Group-IB’s report “Crime without punishment: In-depth analysis of JS-sniffers”, the researchers at RiskIQ and Flashpoint were the first to publish a joint report on the activities of cybercriminals using JS-sniffers. They gave the umbrella term MageCart to 12 cybercriminal groups. Group-IB experts studied the discovered JS-sniffers and, using their own analytical systems, were able to uncover their entire infrastructure and gain access to their source code, administrative panels, and the cybercriminals’ tools. This approach helped identify 38 unique JS-sniffer families, 15 of which are presented in detail in the report, available to Group-IB Threat Intelligence customers. At least 8 of them were discovered and described for the very first time.

The threat posed by JS-sniffers was long under the radar of malware analysts, who deemed it insignificant and unworthy of in-depth research. However, several incidents have shown the opposite to be true, including: 380,000 victims of a JS-sniffer that infected the British Airways website and mobile app, the compromise of Ticketmaster users’ payment data, and the recent incident involving the UK website of the international sporting goods giant Fila, which could have led to the theft of payment details of at least 5,600 customers. “When a website is infected, everyone is a victim – end users, payment systems, banks, and companies that sell their goods and services online,” says Dmitry Volkov, CTO and Head of Threat Intelligence at Group-IB. “The fact that there is still little known about incidents involving JS-sniffers and the damages they cause indicates that this problem is understudied, which allows groups developing sniffers to steal money from online shoppers to act with impunity and get away with it.”

JavaScript-sniffers: a “hidden threat” you don’t want to know about

A JS-sniffer is the online equivalent of a credit card skimmer. However, while a skimmer is a small device installed on ATMs that intercepts bank card details, a JS-sniffer is a few lines of code that cybercriminals inject into websites to capture data entered by users, such as payment card numbers, names, addresses, passwords, etc. In general, hackers sell the obtained payment data to carders on darknet forums. The price for a stolen card ranges from around $1 to $5, occasionally from $10 to $15. A significant number of underground forums where JS-sniffers are put up for sale or rent are Russian-speaking.

Approximate estimates suggest that the profits made by JS-sniffer developers may amount to hundreds of thousands of dollars per month. For instance, websites infected by the WebRank family of JS-sniffers attract around 250,000 visitors every day. If the conversion rate on these websites were only 1%, this would mean that 2,500 shoppers carry out transactions every single day. This in turn means that, at the minimum price range charged for stolen cards, WebRank developers can make between $2,500 and $12,500 for one day of a JS-sniffer’s “work”, which amounts to $75,000 to $375,000 per month. And WebRank is only third in the “ranking” of mass infections: websites infected by the MagentoName and CoffeMokko JS-sniffers attract more than 440,000 visitors per day.

How JS-sniffers attack

Group-IB’s analysis of 2,440 infected websites revealed that more than half of the resources were attacked by the MagentoName JS-sniffer family, whose operators exploit vulnerabilities in older versions of the Magento CMS (Content Management System) to inject malicious code into websites powered by this CMS. More than 13% of infections are carried out by the WebRank JS-sniffer family, which attacks third-party sites to inject its malicious code into the targeted websites. A further 11% or more of infections are carried out by JS-sniffers from the CoffeMokko family, whose operators use obfuscated scripts designed to steal information from the payment forms of payment systems whose field names are hardcoded into the JS-sniffer’s code. Such payment systems include PayPal, Verisign, Authorize.net, eWAY, Sage Pay, WorldPay, Stripe, USAePay, and others. Many JS-sniffer families use unique options for each payment system, which requires modifying and testing the script before each infection.

Most identified JS-sniffers are set up to steal information from the different types of payment forms used by website management systems such as Magento, OpenCart, Shopify, WooCommerce and WordPress. Such JS-sniffer families include PreMage, MagentoName, FakeCDN, Qoogle, GetBilling, and PostEval. Other JS-sniffers are universal and can be integrated into the code of any website, regardless of the systems used (G-Analytics, WebRank).

During its research, Group-IB discovered signs of “competition”: some JS-sniffer families can detect and eliminate competitors’ JS-sniffers that infected the victim’s website first (for example, MagentoName). Others use the “body” of the competitor’s JS-sniffer, “taking over” the data it intercepts and transferring it to their own gate (for example, WebRank). JS-sniffers can also be modified to make them more difficult to detect. For example, ImageID and ReactGet are able to bypass most detection systems because they are activated only when the buyer is completing their transaction on the website; the rest of the time, the JS-sniffer is “inactive” and doesn’t give itself away. Some families, such as CoffeMokko, have a unique JS-sniffer for each infection: each JS-sniffer in this family is used only once, to infect a single website.

The G-Analytics JS-sniffer family is distinctive in that it injects malicious code not only into a website’s HTML code but also into the server-side PHP scripts that handle payments on e-commerce websites. This technique makes it significantly more difficult for analysts to detect the malicious code. JS-sniffers such as ImageID and G-Analytics are able to imitate legitimate services such as Google Analytics and jQuery, disguising their malicious activity behind legitimate-looking scripts and domain names that resemble legitimate ones.

Attacks involving JS-sniffers can have several stages. When analysing the code of one of the infected online stores, Group-IB’s specialists discovered that the cybercriminals had not limited themselves to simply injecting the JS-sniffer, but created a fake payment form that was loaded from a different compromised website. The form gave users two payment options: by credit card or PayPal. If the user chose to pay via PayPal, the fake form would show an error message saying that this payment method was currently unavailable, and the only way to pay was using a credit card.
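A defender-side check for the indicators this section describes: scripts loaded from unlisted or lookalike hosts that imitate Google Analytics or jQuery, and inline code that reads hard-coded payment field names and sends them to a collection gate. This is an added Python example, not code from Group-IB’s report; the allowlist, the field and call lists, the similarity threshold and the sample page are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed allowlist: hosts this shop's checkout page legitimately loads scripts from.
ALLOWED_HOSTS = {"shop.example", "www.google-analytics.com", "code.jquery.com"}
# Payment-form field names that sniffer families hard-code (constructed list).
PAYMENT_FIELDS = ("card_number", "cc_number", "cvv", "cvc", "expiry", "cardholder")
# Calls commonly used to ship captured data off-site to a "gate".
EXFIL_CALLS = ("XMLHttpRequest", "fetch(", "sendBeacon", "new Image(", ".src=")
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)""", re.I)


def lookalike(host):
    """Return the allowlisted host that `host` closely resembles, or None."""
    for good in ALLOWED_HOSTS:
        if host != good and SequenceMatcher(None, host, good).ratio() > 0.8:
            return good
    return None


def scan_checkout_page(html):
    """Flag unlisted/lookalike script hosts and inline code that reads card fields and calls out."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:  # external script: judge it by the host it comes from
            host = urlparse(src.group(1)).netloc.lower()
            if host and host not in ALLOWED_HOSTS:
                twin = lookalike(host)
                findings.append(f"external script from unlisted host {host}"
                                + (f" (resembles {twin})" if twin else ""))
        else:  # inline script: judge it by what it touches and where it sends
            fields = [f for f in PAYMENT_FIELDS if f in body]
            calls = [c for c in EXFIL_CALLS if c in body]
            if fields and calls:
                findings.append(f"inline script reads {fields} and uses {calls}")
    return findings


# Constructed sample page: a lookalike "analytics" host plus a mock injected snippet.
SAMPLE_PAGE = """<html><body>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="https://www.google-analytlcs.com/ga.js"></script>
<script>
var c = getField('card_number'), v = getField('cvv');  // mock, not functional
report(new Image(), gate + c + v);
</script></body></html>"""
```

Run `scan_checkout_page` over the real HTML of a checkout page and treat each finding as a lead to verify, not as proof of compromise; the regex-based script extraction is deliberately simple and will not cope with scripts assembled at runtime.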

Customers and buyers: how the JS-sniffer market works

The development of the JS-sniffer market has led to increasingly complicated relationships between its players. A JS-sniffer can be used not only by the cybercriminal group that developed it, but also by other groups that have bought or rented it as a service. In some cases, it is difficult to determine just how many cybercriminal groups are using a given JS-sniffer, which is why Group-IB experts call them families, not groups.

JS-sniffers cost between $250 and $5,000 on underground forums. Some services offer partnerships: the customer provides access to the compromised online store and receives a share of the profits, while the JS-sniffer developer is responsible for providing hosting servers, tech support, and an administrative panel for the customer. Such “market relationships” between developers, sellers, intermediaries and buyers on the underground market make it difficult to attribute a given crime to a particular group. Nevertheless, the indicators collected by Group-IB for the activities of each of the 38 JS-sniffer families help solve this problem. Moreover, Group-IB’s report contains detailed recommendations for all parties that may fall victim to JS-sniffers: shoppers, banks, online stores, and payment systems. The research continues: descriptions of analysed JS-sniffers and new information about them are regularly uploaded to Group-IB’s Threat Intelligence system.

About the author: Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection.

The report published by Group-IB is available here:

https://www.group-ib.com/resources/threat-research/js-sniffers.html


Pierluigi Paganini

(SecurityAffairs – JS-sniffers, cybercrime)
