R3NIN Sniffer Malware Stealing Credit Card Data

Credit card sniffer or online skimmer is a type of malicious software that is often created by cybercriminals using the JavaScript programming language.

Threat actors primarily use this to steal payment card and PII data from unsuspecting individuals when they transact on hacked e-commerce sites or merchants.

Recently, cybersecurity analysts at Cybel discovered the tracker R3NIN described as a growing threat to Ecommerce consumers.

Sniffer Work Order

If a website is hacked, an attacker can embed malicious encrypted scripts into the web server, which are designed to be activated when the target user accesses the corrupted web page.

Once executed, the script performs the task of collecting input variables from the victim and then converting them to strings. This compiled string is then sent to a sniffer panel managed by the attacker for further analysis and exploitation.

Attackers can also take advantage of iFrames as part of their strategy, by showing fake pop-up windows to the target user requesting additional data that is not normally needed on a real web page.

This trick is used to trick victims into divulging more sensitive information, which attackers then collect and exploit. The victim’s information is then processed in a commercialized format once successfully retrieved from the compromised website.

Handkerchief Malware

Cybercriminals looking to commit credit card fraud may find the R3NIN Sniffer tools and panels quite useful.

This tool is readily available and can be obtained from well-known Russian-language cybercrime forums, where the vendor is the same threat actor operating under the pseudonym “r3nin”.

Below we have mentioned the important features of this sniffer:-

• Custom JavaScript code can be generated for injection
• Cross-browser exfiltration of compromised payment card data
• Manage extracted data
• Check BINs
• Parsing data
• Generate statistics

Initially, the sniffer toolkit is available for a limited time for an introductory price of USD 1,500. However, the pricing model for these devices has been revised, and interested parties can now expect to pay between USD 3,000 and USD 4,500 for access to these devices.

The developer of this sniffer has released two versions with some improvements and new functions:-

• Version 1.1 was introduced on January 13, 2023.
• Version 1.2 was introduced on January 15, 2023.

In the ad thread for R3NIN Sniffer Panel, the threat actor/developers responsible for creating the tool uploaded a video demonstrating the capabilities of the panel:-

Extracted Data Type

Here below we have mentioned the type of data being extracted:-

• Expired date
• Name
• Address
• City
• Country
• PIN code
• Country
• Email
• Telephone
• Location

Object and Remote Execution

To carry out their illicit schemes, cybercriminals embed malicious self-scripts directly into payment merchant sites that have been successfully compromised.

These scripts will remain on the site, ready to be up and running the next time an unsuspecting user visits the website. Once the compromised payment page is accessed, the malicious script embedded in it starts working.

Its main purpose is to extract and intercept all input data entered by the victim on the page. The script will then proceed to send this information to the pre-configured sniffer panel.

When a victim accesses a compromised merchant’s website, a conditional script generated by the sniffer panel is triggered. These scripts are designed to activate and call malicious, disguised scripts stored on remote servers.

As part of its operation, the malicious script is temporarily added to the victim’s session on the compromised merchant’s website. Once embedded, it is enabled to monitor and intercept all data input made by victims on websites.

The collected data is then forwarded back to the sniffer panel for further processing and exploitation. The remote server used in this scheme has been configured to show a blank white screen when accessed.

However, if it is accessed by an external source, the server will automatically redirect to another pre-configured web page. While this blank page feature is dubbed “white screen display” by its developers.

To help prevent unauthorized access and intrusion of payment systems, e-commerce merchants are strongly encouraged to conduct regular and thorough audits of their payment pages and servers that communicate with the payment gateway.

Network Security Checklist – Free E-Book Download