What is a sniffer and how not to lose data after shopping online

Tomcat

How does malware that intercepts network traffic work, and what can you do to avoid becoming a victim?
A sniffer (from the English verb "to sniff") is software that analyzes the incoming and outgoing traffic of a computer connected to the Internet. It keeps track of which sites you visit and which files you download and upload.

Any user of an online store who has paid for a product or service online can become a victim of hackers using a sniffer. On January 27, 2020, during Operation Night Fury, Indonesian police detained members of a criminal group who infected 200 websites with JavaScript sniffers, including online stores from Brazil, Australia, Great Britain, Germany, Indonesia, the USA and other countries of the world. Criminals stole bank card details from customers and used them to buy gadgets and luxury items.

The takedown of this criminal group was only the first successful operation against JS sniffer operators in the Asia-Pacific region. At the same time, raids took place in five other countries in the region. The arrested criminals used the JS sniffer GetBilling, which the international cybersecurity company Group-IB has been tracking since 2018.

The popularity of sniffers among cybercriminals is growing. This is one of the most effective ways to compromise a victim's device. "Over the past year, the use of JS sniffers to steal bank card data has become one of the main ways of obtaining large volumes of payment information. Their growth has also been driven by the trend of reselling access to various sites and organizations on the darknet," Viktor Okorokov, leading analyst in the Group-IB analytics department, told RBC Trends.

In total, Group-IB specialists are currently monitoring 96 families of JS sniffers, 2.5 times more than in 2020, when only 38 families were known.
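A JS sniffer only works if script that the shop never intended ends up in its checkout page, so the defensive check is an integrity audit of the scripts the page serves. The following Python script is an added example, not code from the RBC Trends article or from Group-IB: it pins the SHA-256 of every inline script in a known-good copy of the page and an allowlist of script hosts, then reports any inline script or external script host that departs from that baseline. The allowlist, the baseline page and the "current" page are constructed for illustration.

```python
"""Integrity check for the scripts on a shop's checkout page, from the
defender's side: compare what the page serves now with a known-good baseline.

Added example; it is not code from the RBC Trends article or from Group-IB.
The allowlist, the baseline page and the "current" page are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# Matches each <script ...>...</script>; group 1 = attributes, group 2 = body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

# Hosts the shop legitimately loads scripts from (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}


def inline_hashes(html):
    """SHA-256 of every inline script body; this is the baseline to pin."""
    hashes = set()
    for attrs, body in SCRIPT_RE.findall(html):
        if not SRC_RE.search(attrs):
            hashes.add(hashlib.sha256(body.strip().encode("utf-8")).hexdigest())
    return hashes


def audit_scripts(html, baseline, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of findings: external scripts from hosts outside the
    allowlist, and inline scripts whose hash is not in the baseline."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            host = urlparse(m.group(1)).hostname
            # A relative src (no host) is same-origin and therefore allowed.
            if host and host not in allowed_hosts:
                findings.append("external script from unapproved host: " + host)
        else:
            digest = hashlib.sha256(body.strip().encode("utf-8")).hexdigest()
            if digest not in baseline:
                findings.append("inline script not in baseline: sha256=" + digest[:16])
    return findings


# Constructed known-good checkout page.
BASELINE_HTML = """<html><body>
<form id="pay">...</form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script>document.getElementById('pay').addEventListener('submit', validateForm);</script>
</body></html>"""

# Constructed page as served after a hypothetical injection: one extra external
# script from an unapproved host and one extra inline script.
INJECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://static-metrics.example/m.js"></script>\n'
    "<script>/* constructed placeholder for unexpected inline code */</script>\n"
    "</body>",
)

if __name__ == "__main__":
    baseline = inline_hashes(BASELINE_HTML)
    for finding in audit_scripts(INJECTED_HTML, baseline):
        print(finding)
```

Run against the baseline page itself the audit returns nothing; run against the injected page it reports the unapproved host and the unknown inline script. In practice the same baseline can be enforced in the browser with a Content-Security-Policy that lists the allowed script hosts and hashes, and the audit can be scheduled against the live checkout page so that a change is noticed before customers' card data is.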

What are sniffers needed for?
A sniffer is not always malicious. "'Sniffer' is a general name for hardware and software. They can be intended for balancing traffic, or they can be used by attackers. There are hardware and software sniffers," Kaspersky Lab cybersecurity expert Dmitry Galov told RBC Trends.

There are four areas in which people use a sniffer with good intentions:
  1. Network engineers: to optimize a network, they must monitor its traffic.
  2. System administrators: they monitor traffic to collect data on metrics such as network throughput.
  3. Cybersecurity experts: by monitoring traffic they can notice suspicious activity. Abnormal spikes or unusual types of traffic may indicate malware or hackers infiltrating the system.
  4. Corporations: employers can use such software to track their employees and find out how much of the workday they spend on work and how much on play.

However, a sniffer can also be used by attackers to steal data. Sniffers analyze everything that passes through them, including unencrypted passwords and credentials, so hackers who control one can obtain users' personal information.

In September 2018, it emerged that users of the British Airways website and mobile application had been subjected to a cyber attack. All customers of the international airline who booked tickets on the website or in the app between August 25 and September 5, 2018 were at risk. The personal and financial data of 380,000 people fell into the hands of the attackers. A similar attack was carried out against customers of the American online store Ticketmaster.

When used to maintain a network, a sniffer provides:
  • data packet capture;
  • traffic recording and analysis;
  • packet decoding;
  • network troubleshooting;
  • firewall testing;
  • ensuring uninterrupted traffic flow.

A sniffer is used illegally for:
  • collecting personal information such as usernames, passwords, credit card numbers, etc.;
  • recording messages such as emails;
  • forging personal data;
  • stealing money.

The most popular sniffer programs:
  • WinSniffer: has many configurable modes and is capable of intercepting passwords for various services;
  • CommView: processes data transmitted over the local network and the Internet, collects information related to the modem and network card and decodes it, which makes it possible to see a complete list of connections on the network and statistics per IP address;
  • ZxSniffer: a compact sniffer, known for its small size (0.3 MB);
  • SpyNet: a popular analyzer whose main functions include traffic interception and data packet decoding;
  • IRIS: has extensive filtering capabilities and can intercept packets subject to specified restrictions.

How do sniffers work?
Hackers use sniffers to steal valuable data by monitoring network activity and collecting personal information about users. Most often, attackers are interested in user passwords and credentials. With this data, they can access online banking and online shopping accounts.

Most often, hackers install sniffers in places that offer unsecured Wi-Fi, such as cafes, hotels and airports. A sniffer can masquerade as a device connected to the Internet.

Traffic can be intercepted with a sniffer in the following ways:
  • by listening on the network interface in normal mode;
  • by inserting a device inline into the link and redirecting traffic through it;
  • by analyzing spurious electromagnetic emissions;
  • by attacking the link and network layers so that network routes are changed.

How to prevent data leakage through a sniffer?
If a sniffer is installed on a device, it already has access to that device's data. To prevent its leakage, Dmitry Galov of Kaspersky Lab recommends:
  1. Install security solutions that detect suspicious activity in various ways.
  2. Use a VPN from a trusted provider; with it, traffic is transmitted in encrypted form.
  3. Use only sites that support HTTPS, and enter your data only on them, since there it is encrypted in transit.

What to do if a sniffer is already installed on your computer
To detect a sniffer on a computer, you can install a sniffer of your own and examine all traffic on your network at the DNS level for any suspicious activity.

It is best to remove a sniffer with an antivirus. If you don't have a paid subscription, you can install a trial version; it will scan the files on your computer and remove suspicious ones.
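The advice above, to watch your own network's DNS traffic for suspicious activity, comes down to asking which names each host resolves and whether those names look normal. The following Python script is an added example, not code from the article or from Kaspersky Lab: it parses resolver query-log lines and flags queries to domains outside a known list, random-looking labels, and a client that churns through many distinct subdomains of one domain, a pattern seen when malware moves stolen data out over DNS. The log format, the known-domain list and the sample lines are constructed, and the registrable-domain logic is a simplification (last two labels, no public-suffix list).

```python
"""Review resolver query logs for hosts talking to servers they should not:
the "examine traffic at the DNS level" check described in the article.

Added example; not from the article or from Kaspersky Lab. The log format,
the known-domain list and the sample lines are constructed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log format: "<timestamp> <client_ip> query <name> <qtype>"
LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")

# Domains the monitored hosts are expected to resolve (constructed).
KNOWN_DOMAINS = {"shop.example", "mail.example", "update.example"}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(name):
    """Last two labels of the name (assumption: no multi-label public suffixes)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(lines):
    """Yield (timestamp, client, name, qtype) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_suspicious(lines, known=KNOWN_DOMAINS, entropy_threshold=3.5,
                    subdomain_threshold=5):
    """Return (client, name, reason) tuples for queries to unknown domains,
    random-looking leftmost labels, and clients that resolve many distinct
    subdomains of one domain."""
    findings = []
    seen = defaultdict(set)
    for _ts, client, name, _qtype in parse_log(lines):
        base = registrable(name)
        if base not in known:
            findings.append((client, name, "unknown domain"))
        label = name.split(".")[0]
        if len(label) >= 12 and shannon_entropy(label) > entropy_threshold:
            findings.append((client, name, "high-entropy label"))
        seen[(client, base)].add(name)
    for (client, base), names in seen.items():
        if len(names) >= subdomain_threshold:
            findings.append((client, base, f"{len(names)} distinct subdomains"))
    return findings


# Constructed sample log: 10.0.0.5 behaves normally, 10.0.0.7 does not.
SAMPLE_LOG = """
2024-05-01T10:00:01 10.0.0.5 query shop.example A
2024-05-01T10:00:02 10.0.0.5 query cdn.shop.example A
2024-05-01T10:00:03 10.0.0.5 query mail.example MX
2024-05-01T10:00:04 10.0.0.7 query update.example A
2024-05-01T10:00:05 10.0.0.7 query 4f9a2c7e1b8d3e6a.collector.example A
2024-05-01T10:00:06 10.0.0.7 query 0d3c8a5f2e7b9c1d.collector.example A
2024-05-01T10:00:07 10.0.0.7 query 9b1e4d7a3c6f8e2b.collector.example A
2024-05-01T10:00:08 10.0.0.7 query 6e2a9c4f1d8b3a7c.collector.example A
2024-05-01T10:00:09 10.0.0.7 query 3a7d1f9b5e2c8d4e.collector.example A
"""

if __name__ == "__main__":
    for client, name, reason in find_suspicious(SAMPLE_LOG.strip().splitlines()):
        print(f"{client} {name}: {reason}")
```

On the constructed log every query from 10.0.0.7 to collector.example is reported twice (unknown domain, random-looking label) and the client is reported once more for resolving five distinct subdomains of that domain, while 10.0.0.5 produces no findings. The thresholds are deliberately loose for illustration; on a real network the known-domain list comes from a period of clean traffic, and the entropy and subdomain thresholds are tuned until legitimate CDN and cloud names stop tripping them.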

(c) https://trends.rbc.ru/trends/industry/60f6c2af9a7947fc32ae0a91