Tuesday, March 5, 2024

R3NIN Sniffer Malware Stealing Credit Card Data from E-commerce Consumers

Credit card sniffers or online skimmers are a type of harmful software that cybercriminals often create using the JavaScript programming language. 

Threat actors primarily use this to steal payment card data and PII from unsuspecting individuals while they transact on hacked e-commerce or merchant sites.

Recently, the cybersecurity analyst at Cybel discovered the R3NIN sniffer which has been described as an evolving threat to E-commerce consumers.

Sniffer’s Working Sequence

In the event of a website being hacked, attackers may implant an encoded malicious script into the web server, designed to activate when a target user accesses the corrupted web page.

Upon execution, the aforementioned script carries out the task of collecting the input variables from the victim and then converting them into a string. This compiled string is then dispatched to a sniffer panel maintained by the attacker for further analysis and exploitation.

The attacker may also leverage iFrame as part of their strategy, by presenting the target user with a phony pop-up window that requests additional data not typically required on a genuine web page. 

This trick is employed to dupe the victim into divulging more sensitive information, which is subsequently collected and exploited by the attacker. The victim’s information is then processed in a commercialized format once it has been successfully exfiltrated from a compromised website.

Sniffer Malware

Cybercriminals seeking to perpetrate credit card fraud may find the R3NIN Sniffer toolkit and panel quite useful. 

This tool is readily available and can be obtained from a well-known Russian-language cybercrime forum, with the vendor being the same threat actor who operates under the alias “r3nin”. 

Here below we have mentioned the notable features of this sniffer:-

  • Custom JavaScript codes can be generated for injection
  • Cross-browser exfiltration of compromised payment card data
  • Manage exfiltrated data
  • Check BINs
  • Parse data
  • Generate statistics

Initially, the sniffer toolkit was made available for a limited time at an introductory rate of USD 1,500. However, the pricing model for this toolkit has since been revised, and interested parties may now expect to pay between USD 3,000 and USD 4,500 for access to this tool.

The developer of this sniffer has launched two versions with several improvements and new functionalities:-

  • 1.1 version is introduced on January 13, 2023.
  • 1.2 version is introduced on January 15, 2023.

On the advertisement thread for the R3NIN Sniffer Panel, the threat actor/developer responsible for creating the tool uploaded a video demonstrating the panel’s capabilities:-

Types of Data Extracted

Here below we have mentioned the types of data that are extracted:-

  • Expiry Date
  • Name
  • Address
  • City
  • State
  • Pin code
  • Country
  • Email
  • Phone
  • Site

Object and Remote Execution   

To carry out their illicit scheme, cybercriminals implant a self-contained, malicious script directly into a payment merchant site that has been successfully compromised. 

This script will remain on the site, ready to activate and execute the moment an unsuspecting user visits the website. Once the compromised payment page is accessed, the malicious script embedded within it begins its work. 

Its primary objective is to extract and intercept all data inputs entered by the victim on the page. The script will then proceed to transmit this information to the pre-configured sniffer panel.

When a victim accesses a compromised merchant website, a conditional script created by the sniffer panel is triggered. This script is designed to activate and call forth the obfuscated malicious script, which is stored on a remote server.

As part of its operations, the malicious script is temporarily added to the victim’s session on the compromised merchant website. Once embedded, it is activated to monitor and intercept all data inputs made by the victim on the website. 

This gathered data is then relayed back to the sniffer panel for further processing and exploitation. The remote servers used in this scheme have been configured to display a blank, white screen when accessed. 

However, if accessed by an external source, the server will automatically redirect to a different, previously configured web page. While this blank page feature has been dubbed “white screen display” by its developer.

To help prevent unauthorized access and compromise of the payment systems, e-commerce merchants are strongly encouraged to conduct regular and thorough audits of both their payment pages and servers that communicate with payment gateways.

Network Security Checklist – Download Free E-Book


Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles