Friday, June 14, 2024

R3NIN Sniffer Malware Stealing Credit Card Data from E-commerce Consumers

Credit card sniffers or online skimmers are a type of harmful software that cybercriminals often create using the JavaScript programming language. 

Threat actors primarily use this to steal payment card data and PII from unsuspecting individuals while they transact on hacked e-commerce or merchant sites.

Recently, the cybersecurity analyst at Cybel discovered the R3NIN sniffer which has been described as an evolving threat to E-commerce consumers.

Sniffer’s Working Sequence

In the event of a website being hacked, attackers may implant an encoded malicious script into the web server, designed to activate when a target user accesses the corrupted web page.

Upon execution, the aforementioned script carries out the task of collecting the input variables from the victim and then converting them into a string. This compiled string is then dispatched to a sniffer panel maintained by the attacker for further analysis and exploitation.

The attacker may also leverage iFrame as part of their strategy, by presenting the target user with a phony pop-up window that requests additional data not typically required on a genuine web page. 

This trick is employed to dupe the victim into divulging more sensitive information, which is subsequently collected and exploited by the attacker. The victim’s information is then processed in a commercialized format once it has been successfully exfiltrated from a compromised website.

Sniffer Malware

Cybercriminals seeking to perpetrate credit card fraud may find the R3NIN Sniffer toolkit and panel quite useful. 

This tool is readily available and can be obtained from a well-known Russian-language cybercrime forum, with the vendor being the same threat actor who operates under the alias “r3nin”. 

Here below we have mentioned the notable features of this sniffer:-

  • Custom JavaScript codes can be generated for injection
  • Cross-browser exfiltration of compromised payment card data
  • Manage exfiltrated data
  • Check BINs
  • Parse data
  • Generate statistics

Initially, the sniffer toolkit was made available for a limited time at an introductory rate of USD 1,500. However, the pricing model for this toolkit has since been revised, and interested parties may now expect to pay between USD 3,000 and USD 4,500 for access to this tool.

The developer of this sniffer has launched two versions with several improvements and new functionalities:-

  • 1.1 version is introduced on January 13, 2023.
  • 1.2 version is introduced on January 15, 2023.

On the advertisement thread for the R3NIN Sniffer Panel, the threat actor/developer responsible for creating the tool uploaded a video demonstrating the panel’s capabilities:-

Types of Data Extracted

Here below we have mentioned the types of data that are extracted:-

  • Expiry Date
  • Name
  • Address
  • City
  • State
  • Pin code
  • Country
  • Email
  • Phone
  • Site

Object and Remote Execution   

To carry out their illicit scheme, cybercriminals implant a self-contained, malicious script directly into a payment merchant site that has been successfully compromised. 

This script will remain on the site, ready to activate and execute the moment an unsuspecting user visits the website. Once the compromised payment page is accessed, the malicious script embedded within it begins its work. 

Its primary objective is to extract and intercept all data inputs entered by the victim on the page. The script will then proceed to transmit this information to the pre-configured sniffer panel.

When a victim accesses a compromised merchant website, a conditional script created by the sniffer panel is triggered. This script is designed to activate and call forth the obfuscated malicious script, which is stored on a remote server.

As part of its operations, the malicious script is temporarily added to the victim’s session on the compromised merchant website. Once embedded, it is activated to monitor and intercept all data inputs made by the victim on the website. 

This gathered data is then relayed back to the sniffer panel for further processing and exploitation. The remote servers used in this scheme have been configured to display a blank, white screen when accessed. 

However, if accessed by an external source, the server will automatically redirect to a different, previously configured web page. While this blank page feature has been dubbed “white screen display” by its developer.

To help prevent unauthorized access and compromise of the payment systems, e-commerce merchants are strongly encouraged to conduct regular and thorough audits of both their payment pages and servers that communicate with payment gateways.

Network Security Checklist – Download Free E-Book


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles