Fyself News
Malicious Python packages on PyPI downloaded over 39,000 times, stole sensitive data


April 5, 2025Ravi LakshmananMalware/Supply Chain Attacks


Cybersecurity researchers have discovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information.

According to ReversingLabs, two of the packages, Bitcoinlibdbfix and Bitcoinlib-dev, pose as fixes for a recent issue detected in a legitimate Python module called Bitcoinlib. A third package, Disgrasya, discovered by Socket, contained a fully automated carding script targeting WooCommerce stores.

According to statistics from Pepy.tech, the packages attracted hundreds of downloads before being taken down.

“Both malicious libraries attempt similar attacks, overwriting legal CLW CLI commands with malicious code that attempts to filter out sensitive database files,” ReversingLabs said.


In an interesting twist, the author of the counterfeit library is said to have joined the discussion on a GitHub issue and tried to trick unsuspecting users into downloading the purported fix and running the library.

Meanwhile, Disgrasya has been found to be openly malicious and has made no effort to hide its carding and credit card information stealing capabilities.

“The malicious payload was introduced in version 7.36.9, and all subsequent versions had the same built-in attack logic,” the Socket Research team said.
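A requirements-file check for the impersonation pattern described above, as an added example that is not code from ReversingLabs, Socket or this article. It flags the three reported package names and, going slightly beyond the article, any dependency whose name is a trusted project name with something appended; the TRUSTED set, the sample file and the name bitcoinlib-hotfix are assumptions made up for illustration.

```python
import re

# Names reported in the article, in PEP 503 normalised form.
KNOWN_BAD = {"bitcoinlibdbfix", "bitcoinlib-dev", "disgrasya"}
# Assumption: legitimate projects that an impostor is likely to imitate.
TRUSTED = {"bitcoinlib"}

def normalize(name):
    """PEP 503: lowercase, and runs of '-', '_' or '.' collapse to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_names(text):
    """Yield normalised project names from requirements.txt-style text."""
    for line in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", line).strip()   # drop comments
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:                            # skips blanks and -r/-e options
            yield normalize(match.group(0))

def audit(text):
    """Return (name, reason) pairs for dependencies that need attention."""
    findings = []
    for name in requirement_names(text):
        if name in KNOWN_BAD:
            findings.append((name, "reported malicious"))
            continue
        if name in TRUSTED:
            continue
        squashed = name.replace("-", "")
        for trusted in sorted(TRUSTED):
            # A trusted name with something bolted on ("...dbfix", "...-dev")
            # is how the fake fixes were named; send it for manual review.
            if squashed.startswith(trusted.replace("-", "")):
                findings.append((name, "lookalike of " + trusted))
    return findings

# Constructed requirements file; the pins and "bitcoinlib-hotfix" are made up.
SAMPLE = """\
bitcoinlib>=0.6        # the legitimate module
Bitcoinlib_Dev==1.0
bitcoinlibdbfix
bitcoinlib-hotfix==2.0 # not from the article: shows the lookalike rule
disgrasya==7.36.9
requests==2.31.0
"""

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```

A lookalike finding is a prompt to check the project's maintainers and history on PyPI, not proof of malice.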

Carding, also known as credit card stuffing, refers to an automated form of payment fraud in which a scammer tests a bulk list of stolen credit or debit card information against a merchant’s payment processing system to verify breached or stolen card details. It falls into a broader category of attacks called automated transaction abuse.

A typical source of stolen credit card data is a carding forum, where card details taken from victims using various methods such as phishing, skimming, and stealer malware are advertised for sale to other threat actors to further criminal activity.

Once the cards are found to be active (i.e., not reported lost, stolen, or invalidated), scammers use them to purchase gift cards or prepaid cards. Threat actors are also known to test whether a card is valid by attempting small transactions on e-commerce sites, to avoid being flagged for fraud by the cardholders.

The rogue package identified by Socket is designed to validate stolen credit card information, in particular targeting merchants that use WooCommerce with CyberSource as the payment gateway.

The script accomplishes this by emulating legitimate shopping activity: it programmatically finds a product, adds it to the cart, navigates to the WooCommerce checkout page, and fills out the payment form with randomized billing details and the stolen credit card data.


By mimicking a real checkout process, the idea is to test the validity of the stolen cards and exfiltrate related details, such as the credit card number, expiration date, and CVV, to an external server under the attacker’s control (“railgunmisaka[.]com”) without attracting the attention of fraud detection systems.
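One way a WooCommerce merchant could spot the scripted checkout loop described above in web server logs, as an added example that is not from Socket or this article. The log format, thresholds and sample traffic are constructed, and the add-to-cart and wc-ajax=checkout request paths assume a default WooCommerce storefront.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_GAP = timedelta(seconds=10)   # add-to-cart to order submit, faster than a person types
WINDOW = timedelta(minutes=10)    # look-back window per client
MIN_LOOPS = 3                     # fast loops in one window before a client is flagged

def parse(line):
    ts, client, method, path, _status = line.split()
    return datetime.fromisoformat(ts), client, method, path

def fast_loops(lines):
    """Map client -> times of order submits that followed an add-to-cart within MAX_GAP."""
    last_cart, loops = {}, defaultdict(list)
    for ts, client, method, path in sorted(map(parse, lines)):
        if "add-to-cart=" in path:
            last_cart[client] = ts
        elif method == "POST" and "wc-ajax=checkout" in path:
            cart = last_cart.pop(client, None)
            if cart is not None and ts - cart <= MAX_GAP:
                loops[client].append(ts)
    return loops

def flag_clients(lines):
    """Return {client: most fast loops inside any WINDOW} for clients at or over MIN_LOOPS."""
    flagged = {}
    for client, times in fast_loops(lines).items():
        best = max(sum(start <= t < start + WINDOW for t in times) for start in times)
        if best >= MIN_LOOPS:
            flagged[client] = best
    return flagged

def sample_log():
    """Constructed traffic using documentation IP ranges; not real logs."""
    t0, lines = datetime(2025, 4, 5, 10, 0, 0), []
    steps = [(0, "GET", "/product/mug/"), (1, "GET", "/?add-to-cart=41"),
             (2, "GET", "/checkout/"), (3, "POST", "/?wc-ajax=checkout")]
    for i in range(4):                       # scripted client: four 3-second loops
        for off, method, path in steps:
            ts = t0 + timedelta(seconds=30 * i + off)
            lines.append(f"{ts.isoformat()} 198.51.100.7 {method} {path} 200")
    lines += [                               # one shopper taking 95 s to fill the form
        "2025-04-05T10:01:00 203.0.113.20 GET /?add-to-cart=41 200",
        "2025-04-05T10:02:35 203.0.113.20 POST /?wc-ajax=checkout 200",
    ]
    return lines

if __name__ == "__main__":
    print(flag_clients(sample_log()))
```

Because the script randomizes billing details, the grouping key here is the client address rather than any billing field; a session cookie or device fingerprint is a sturdier key when requests arrive from many addresses.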

“The name can raise an eyebrow among native speakers (“Disgrasya” is Filipino slang for “disaster” or “accident”). This is a proper characterization of a package that runs a multi-step process.

“By embedding this logic into a Python package published on PyPI and downloaded more than 34,000 times, attackers have created a modular tool that can be easily used in a larger automation framework, making Disgrasya a powerful carding utility disguised as a harmless library.”
