Friday, April 26, 2024

R3NIN Sniffer Malware Stealing Credit Card Data from E-commerce Consumers

By Guru baran

R3NIN Sniffer Malware

Credit card sniffers or online skimmers are a type of harmful software that cybercriminals often create using the JavaScript programming language. 

Threat actors primarily use this to steal payment card data and PII from unsuspecting individuals while they transact on hacked e-commerce or merchant sites.

Recently, the cybersecurity analyst at Cybel discovered the R3NIN sniffer which has been described as an evolving threat to E-commerce consumers.

Sniffer’s Working Sequence

In the event of a website being hacked, attackers may implant an encoded malicious script into the web server, designed to activate when a target user accesses the corrupted web page.

Upon execution, the aforementioned script carries out the task of collecting the input variables from the victim and then converting them into a string. This compiled string is then dispatched to a sniffer panel maintained by the attacker for further analysis and exploitation.

The attacker may also leverage iFrame as part of their strategy, by presenting the target user with a phony pop-up window that requests additional data not typically required on a genuine web page. 

This trick is employed to dupe the victim into divulging more sensitive information, which is subsequently collected and exploited by the attacker. The victim’s information is then processed in a commercialized format once it has been successfully exfiltrated from a compromised website.

Sniffer Malware

Cybercriminals seeking to perpetrate credit card fraud may find the R3NIN Sniffer toolkit and panel quite useful. 

This tool is readily available and can be obtained from a well-known Russian-language cybercrime forum, with the vendor being the same threat actor who operates under the alias “r3nin”. 

Here below we have mentioned the notable features of this sniffer:-

  • Custom JavaScript codes can be generated for injection
  • Cross-browser exfiltration of compromised payment card data
  • Manage exfiltrated data
  • Check BINs
  • Parse data
  • Generate statistics

Initially, the sniffer toolkit was made available for a limited time at an introductory rate of USD 1,500. However, the pricing model for this toolkit has since been revised, and interested parties may now expect to pay between USD 3,000 and USD 4,500 for access to this tool.

The developer of this sniffer has launched two versions with several improvements and new functionalities:-

  • 1.1 version is introduced on January 13, 2023.
  • 1.2 version is introduced on January 15, 2023.

On the advertisement thread for the R3NIN Sniffer Panel, the threat actor/developer responsible for creating the tool uploaded a video demonstrating the panel’s capabilities:-

Types of Data Extracted

Here below we have mentioned the types of data that are extracted:-

  • Expiry Date
  • Name
  • Address
  • City
  • State
  • Pin code
  • Country
  • Email
  • Phone
  • Site

Object and Remote Execution   

To carry out their illicit scheme, cybercriminals implant a self-contained, malicious script directly into a payment merchant site that has been successfully compromised. 

This script will remain on the site, ready to activate and execute the moment an unsuspecting user visits the website. Once the compromised payment page is accessed, the malicious script embedded within it begins its work. 

Its primary objective is to extract and intercept all data inputs entered by the victim on the page. The script will then proceed to transmit this information to the pre-configured sniffer panel.

When a victim accesses a compromised merchant website, a conditional script created by the sniffer panel is triggered. This script is designed to activate and call forth the obfuscated malicious script, which is stored on a remote server.

As part of its operations, the malicious script is temporarily added to the victim’s session on the compromised merchant website. Once embedded, it is activated to monitor and intercept all data inputs made by the victim on the website. 

This gathered data is then relayed back to the sniffer panel for further processing and exploitation. The remote servers used in this scheme have been configured to display a blank, white screen when accessed. 

However, if accessed by an external source, the server will automatically redirect to a different, previously configured web page. While this blank page feature has been dubbed “white screen display” by its developer.

To help prevent unauthorized access and compromise of the payment systems, e-commerce merchants are strongly encouraged to conduct regular and thorough audits of both their payment pages and servers that communicate with payment gateways.

Network Security Checklist – Download Free E-Book

Managed WAF Protection

Website

Latest articles

cyber security

Analyze Malicious Powershell Scripts by Running Malware in ANY.RUN Sandbox

Hackers exploit PowerShell, a built-in scripting tool on Windows (and sometimes Linux), to launch...
cyber security

Beware! Zero-click RCE Exploit for iMessage Circulating on Hacker Forums

A new cybersecurity threat has emerged as a zero-click remote code execution (RCE) exploit...
Cyber Attack

New DragonForce Ransomware Emerged From The Leaked LOCKBIT Builder

Hackers exploit LOCKBIT Builder due to its versatility in creating customized ransomware payloads which...
cyber security

JudgeO Online Code Editor Flaw Let Attackers Execute Code as Root User

A critical flaw has been identified in the popular online code editor, JudgeO.If...
Cyber Attack

Cyber Attack Defenders Up For Battle: Huge Uptick In Timely Detections

Attackers are employing evasion techniques to bypass detection and extend dwell time on compromised...
Cisco

Alert! Cisco Releases Critical Security Updates to Fix 2 ASA Firewall 0-Days

Cisco has released critical security updates to address multiple vulnerabilities in its Adaptive Security...
cyber security

Pakistani APT Hackers Attacking Indian Govt Entities With Weaponized Shortcut Files

Cybersecurity experts at Seqrite Labs have reported a surge in cyberattacks against Indian government...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

WAAP/WAF ROI Analysis

Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

    • Book Your Spot

Related Articles

Connect with GBHackers On Security

Join 70,000 Security Professionals

Stay safe online with free daily cybersecurity updates. Sign up now!

GBHackers on security is a highly informative and reliable Cyber Security News platform that provides the latest and most relevant updates on Cyber Security News, Hacking News, Technology advancements, and Kali Linux tutorials on a daily basis. The platform is dedicated to keeping the community well-informed and up-to-date with the constantly evolving Cyber World.

Menu

Contact US:

Email : [email protected]