Sniffer-as-a-Service, R3NIN, targets e-commerce users

March 10, 2023

Researchers have discovered a new sniffer-as-a-service offering called R3NIN that recently emerged in the cybercriminal landscape to target e-commerce consumers. The success of recent Magecart operations has led numerous threat actors to develop and advertise new sniffers to aid others with cyberattacks.

The sniffer’s attack process starts when its operator injects a self-contained malicious script directly into the payment page of an already infected merchant website. The sniffer malware then harvests the input variables, transforms them into a string, and sends it to the sniffer panel that the attacker has set up for analysis and exploitation.

Moreover, the attacker abuses an iFrame to deceive the target into entering additional information requested by a fake pop-up window. Legitimate pages do not commonly require this step.

Next, the threat actors process the stolen data into a commercialised format to sell or to use as phishing bait in new cybercriminal operations.

R3NIN provides its operators with the standard sniffer functions.

The sniffer panel within R3NIN has a generator that includes a malicious conditional script and an extractor that splits the raw data and displays it in a clear format. Moreover, the toolkit can be used with object execution and RCE methods.

Furthermore, this new tool includes options to generate custom JavaScript code for injection, manage exfiltrated data, check BINs, exfiltrate compromised payment card data across browsers, and generate statistics.

According to investigations, the hackers used the handle R3NIN to advertise this toolkit and panel on a Russian cybercriminal forum. R3NIN was priced at $1,500 at its first release, but the price has increased since it became a widely used sniffer. Currently, the price for R3NIN ranges from $3,000 to $4,500.

The R3NIN developers have launched two variants (version 1.1 and version 1.2) that include several upgrades and new functionalities.

The improvements to and surge in customised sniffers have allowed threat actors to thwart standard security measures and alerts. E-commerce merchants should conduct regular and thorough audits of their payment pages and of the servers that communicate with payment gateways to mitigate the effects of sniffer campaigns.
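One way to automate the payment-page audit recommended above, as an added example that is not from the original article: it inventories every script and iframe on a page and reports any whose origin or inline-script hash is missing from an approved baseline. The class and function names, the sample pages and the hosts are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageInventory(HTMLParser):  # script/iframe sources and inline-script hashes
    def __init__(self):
        super().__init__()
        self.items, self._inline = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.items.append(("script-src", a["src"]))
        elif tag == "script":
            self._inline = []          # start buffering an inline script body
        elif tag == "iframe":
            self.items.append(("iframe-src", a.get("src") or ""))
    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.items.append(("inline-sha256", hashlib.sha256(body).hexdigest()))
            self._inline = None

def inventory(html):
    p = PageInventory()
    p.feed(html)
    p.close()
    return p.items

def origin_ok(url, allowed_origins):
    u = urlparse(url)
    relative = bool(url) and not u.scheme and not u.netloc  # merchant's own path
    return relative or f"{u.scheme or 'https'}://{u.netloc}" in allowed_origins

def audit(html, allowed_origins, approved_inline):
    """Return every script or iframe that is not in the approved baseline."""
    return [(k, v) for k, v in inventory(html)
            if not (v in approved_inline if k == "inline-sha256"
                    else origin_ok(v, allowed_origins))]

# Constructed sample pages; all hosts are placeholders.
BASELINE = ('<script src="https://gateway.example/sdk.js"></script>'
            '<script>document.getElementById("pay").focus();</script>')
TAMPERED = BASELINE + ('<script>/* stand-in for an injected script */</script>'
                       '<iframe src="https://popup.invalid/extra-fields"></iframe>')
ALLOWED = {"https://gateway.example"}
APPROVED = {v for k, v in inventory(BASELINE) if k == "inline-sha256"}
```

Running `audit(TAMPERED, ALLOWED, APPROVED)` on a schedule against the rendered payment page, with the baseline recorded at release time, surfaces a newly injected inline script or an unexpected iframe as an alert.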
