[Honeypot Alert] Inside the Attacker's Toolbox: Botnet Credit Card Validation Scripts

In our previous blog post "Inside the Attacker's Toolbox: Botnet Web Attack Scripts" we analyzed some botnet scripts that SpiderLabs Research team had captured that are used to conduct massive attack scanning traffic. In this installment, we will take a look at a php script that is used by Botnet owners to validate credit card data that has been illegally obtained.

Targeting Visa, Mastercard and American Express Credit Cards

Here is a snippet of code the shows the functions for checking Visa, Mastercard and American Express credit cards:

Screen shot 2012-05-31 at 10.47.57 AM

Initiating CC Validation

Here is a snippet of code that shows the IRC botnet command (!CHK) used to check various CC dta including the number itself, expiration code and CVV data:

Screen shot 2012-05-31 at 10.51.41 AM

CC Validation Checks

The botnet CC validation functions will pass the data to the botnet clients and instruct them to make HTTP requests to a hacker owned web interface (called /mirc/check.php?cc=) on the 208.98.22.236 host below:

Screen shot 2012-05-31 at 10.59.23 AM

The URL is not currently active and returns 404 errors. Since we could not interact with this resource, it is assumed based on the program work flow, that the check.php file takes the CC data and will execute some type of micropayment transaction to validate the data.

CC Validation Return Codes

Based on the "ssl_avs_response" code within the script, it appears that the scripts are utilizing VirtualMerchant API code. The responses from these API calls are then parsed and validation errors are presented to the attacker:

Screen shot 2012-05-31 at 11.09.23 AM

And another section of validation errors:

Screen shot 2012-05-31 at 11.16.06 AM

Based on the results of these CC validation calls, the attacker will then know if they have legitimate CC information which they can then turn around a sell it on the black-market.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.