Malicious Python Packages on PyPI Downloaded 39,000+ Times

By Admin | April 5, 2025

05 April 2025Red LakshmananAttacking Malicious Programs / Chain Supplies

Cybersecurity researchers have discovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information.

Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, masquerade as fixes for recent issues found in a legitimate Python module called bitcoinlib, according to ReversingLabs. A third package, discovered by Socket and named disgrasya, contained a fully automated carding script.

The packages attracted hundreds of downloads before they were taken down, according to statistics from pepy.tech.

“The malicious libraries attempt a similar attack by overwriting the legitimate CLI command, which then tries to exfiltrate sensitive database files,” ReversingLabs said.

In an interesting twist, the authors of the counterfeit libraries are said to have joined a GitHub issue discussion and unsuccessfully tried to trick unsuspecting users into downloading and running the library.

On the other hand, disgrasya was openly malicious, making no effort to hide its carding and credit card theft functionality.

“The malicious payload was introduced in version 7.36.9, and all subsequent versions carried the same embedded attack logic,” the Socket Research Team said.

Carding, also called credit card stuffing, refers to an automated form of payment fraud in which fraudsters test a bulk list of stolen credit or debit card information against a merchant's payment processing system to verify breached or stolen card details. It falls under a broader category of attacks called automated transaction abuse.

A typical source of stolen credit card data is a carding forum, where credit card details taken from victims through methods such as phishing, skimming, or stealer malware are advertised for sale to other threat actors to further criminal activity.

Once the cards are found to be active (i.e., not reported stolen or deactivated), scammers use them to buy gift cards or prepaid cards, which are then resold. Threat actors are also known to check whether the cards are valid by attempting small transactions on e-commerce sites, so that cardholders do not flag the charges as fraud.

The rogue package identified by Socket is designed to validate stolen credit card information, specifically targeting merchants that use WooCommerce with CyberSource as the payment gateway.

The script achieves this by emulating legitimate shopping activity: programmatically finding a product, adding it to the cart, navigating to the WooCommerce checkout page, and filling in the payment form with randomized account details and stolen credit card data.

The point of mimicking a real checkout process is to test the validity of the stolen cards and exfiltrate the relevant details, such as the credit card number, expiration date, and CVV, to an external server under the attacker's control (“railgunmisaka[.]com”) without drawing the attention of fraud detection systems.
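From the merchant's side, the scripted funnel described above can still stand out by its timing and repetition. The following is an added detection sketch, not code from Socket or from the original article; the log format, the stock WooCommerce routes (`add-to-cart=`, `/checkout/`, `wc-ajax=checkout`), the thresholds, and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" \d{3}')
# Checkout funnel in order; routes assume a stock WooCommerce store.
STEPS = [("GET", "add-to-cart="), ("GET", "/checkout/"), ("POST", "wc-ajax=checkout")]

def make_sample():
    """Constructed log: one scripted client (fast, repeated) and one human shopper."""
    t0 = datetime(2025, 4, 5, 10, 0, 0)
    paths = [("GET", "/?add-to-cart=42"), ("GET", "/checkout/"), ("POST", "/?wc-ajax=checkout")]
    def line(ip, offset, method, path):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S")
        return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" 200'
    lines = [line("203.0.113.7", cycle * 20 + i, m, p)      # 4 funnels, 1 s per step
             for cycle in range(4) for i, (m, p) in enumerate(paths)]
    lines += [line("198.51.100.20", i * 90, m, p)           # 1 funnel, 90 s per step
              for i, (m, p) in enumerate(paths)]
    return lines

def funnel_durations(lines):
    """Per client IP: seconds taken by each complete add-to-cart -> checkout -> order run."""
    events = defaultdict(list)
    for entry in lines:
        m = LINE.match(entry)
        if m:
            ip, ts, method, path = m.groups()
            when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
            events[ip].append((when, method, path))
    out = defaultdict(list)
    for ip, evs in events.items():
        step, started = 0, None
        for when, method, path in sorted(evs):
            if method == STEPS[0][0] and STEPS[0][1] in path:
                step, started = 1, when                      # (re)start at add-to-cart
            elif step and method == STEPS[step][0] and STEPS[step][1] in path:
                step += 1
                if step == len(STEPS):                       # order submitted
                    out[ip].append((when - started).total_seconds())
                    step = 0
    return dict(out)

def suspicious_clients(lines, min_orders=3, max_seconds=10):
    """Clients that complete the whole funnel quickly and repeatedly (thresholds assumed)."""
    return sorted(ip for ip, runs in funnel_durations(lines).items()
                  if sum(s <= max_seconds for s in runs) >= min_orders)

if __name__ == "__main__":
    print(suspicious_clients(make_sample()))
```

Keying on client IP alone is the simplest grouping; a session cookie or device fingerprint field from the same log would slot into `funnel_durations` in the same way.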

“Although the name may raise eyebrows for native speakers (‘disgrasya’ is Filipino slang for ‘disaster’ or ‘crash’), it is an apt characterization of a package that performs a multi-step process, emulating a legitimate shopper's journey through an online store, to test stolen credit cards against real checkout systems.”

“By embedding this logic in a Python package published on PyPI and downloaded more than 34,000 times, the attacker created a modular tool that could easily be used in larger automation frameworks, making disgrasya a powerful carding utility disguised as a harmless library.”
