Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
In our previous blog post "Inside the Attacker's Toolbox: Botnet Web Attack Scripts" we analyzed some botnet scripts that SpiderLabs Research team had captured that are used to conduct massive attack scanning traffic. In this installment, we will take a look at a php script that is used by Botnet owners to validate credit card data that has been illegally obtained.
Here is a snippet of code the shows the functions for checking Visa, Mastercard and American Express credit cards:
Here is a snippet of code that shows the IRC botnet command (!CHK) used to check various CC dta including the number itself, expiration code and CVV data:
The botnet CC validation functions will pass the data to the botnet clients and instruct them to make HTTP requests to a hacker owned web interface (called /mirc/check.php?cc=) on the 208.98.22.236 host below:
The URL is not currently active and returns 404 errors. Since we could not interact with this resource, it is assumed based on the program work flow, that the check.php file takes the CC data and will execute some type of micropayment transaction to validate the data.
Based on the "ssl_avs_response" code within the script, it appears that the scripts are utilizing VirtualMerchant API code. The responses from these API calls are then parsed and validation errors are presented to the attacker:
And another section of validation errors:
Based on the results of these CC validation calls, the attacker will then know if they have legitimate CC information which they can then turn around a sell it on the black-market.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.