R3NIN Sniffer Malware Stealing Credit Card Data from E-commerce Consumers

Credit card sniffers or online skimmers are a type of harmful software that cybercriminals often create using the JavaScript programming language. 

Threat actors primarily use this to steal payment card data and PII from unsuspecting individuals while they transact on hacked e-commerce or merchant sites.

Recently, the cybersecurity analyst at Cybel discovered the R3NIN sniffer which has been described as an evolving threat to E-commerce consumers.

Sniffer’s Working Sequence

In the event of a website being hacked, attackers may implant an encoded malicious script into the web server, designed to activate when a target user accesses the corrupted web page.

Upon execution, the aforementioned script carries out the task of collecting the input variables from the victim and then converting them into a string. This compiled string is then dispatched to a sniffer panel maintained by the attacker for further analysis and exploitation.

The attacker may also leverage iFrame as part of their strategy, by presenting the target user with a phony pop-up window that requests additional data not typically required on a genuine web page. 

This trick is employed to dupe the victim into divulging more sensitive information, which is subsequently collected and exploited by the attacker. The victim’s information is then processed in a commercialized format once it has been successfully exfiltrated from a compromised website.

Sniffer Malware

Cybercriminals seeking to perpetrate credit card fraud may find the R3NIN Sniffer toolkit and panel quite useful. 

This tool is readily available and can be obtained from a well-known Russian-language cybercrime forum, with the vendor being the same threat actor who operates under the alias “r3nin”. 

Here below we have mentioned the notable features of this sniffer:-

• Custom JavaScript codes can be generated for injection
• Cross-browser exfiltration of compromised payment card data
• Manage exfiltrated data
• Check BINs
• Parse data
• Generate statistics

Initially, the sniffer toolkit was made available for a limited time at an introductory rate of USD 1,500. However, the pricing model for this toolkit has since been revised, and interested parties may now expect to pay between USD 3,000 and USD 4,500 for access to this tool.

The developer of this sniffer has launched two versions with several improvements and new functionalities:-

• 1.1 version is introduced on January 13, 2023.
• 1.2 version is introduced on January 15, 2023.

On the advertisement thread for the R3NIN Sniffer Panel, the threat actor/developer responsible for creating the tool uploaded a video demonstrating the panel’s capabilities:-

Types of Data Extracted

Here below we have mentioned the types of data that are extracted:-

• Expiry Date
• Name
• Address
• City
• State
• Pin code
• Country
• Email
• Phone
• Site

Object and Remote Execution

To carry out their illicit scheme, cybercriminals implant a self-contained, malicious script directly into a payment merchant site that has been successfully compromised. 

This script will remain on the site, ready to activate and execute the moment an unsuspecting user visits the website. Once the compromised payment page is accessed, the malicious script embedded within it begins its work. 

Its primary objective is to extract and intercept all data inputs entered by the victim on the page. The script will then proceed to transmit this information to the pre-configured sniffer panel.

When a victim accesses a compromised merchant website, a conditional script created by the sniffer panel is triggered. This script is designed to activate and call forth the obfuscated malicious script, which is stored on a remote server.

As part of its operations, the malicious script is temporarily added to the victim’s session on the compromised merchant website. Once embedded, it is activated to monitor and intercept all data inputs made by the victim on the website. 

This gathered data is then relayed back to the sniffer panel for further processing and exploitation. The remote servers used in this scheme have been configured to display a blank, white screen when accessed. 

However, if accessed by an external source, the server will automatically redirect to a different, previously configured web page. While this blank page feature has been dubbed “white screen display” by its developer.

To help prevent unauthorized access and compromise of the payment systems, e-commerce merchants are strongly encouraged to conduct regular and thorough audits of both their payment pages and servers that communicate with payment gateways.

Network Security Checklist – Download Free E-Book