
GetBilling JS-sniffer

Posted: April 10, 2019

The GetBilling JS-sniffer is a family of Trojan sniffers that tamper with the online checkout experience to collect shoppers' information. Its attacks originate not from the victim's device or computer but from the website itself, after a security breach through any of several exploits. Most attacks by these threats succeed against 'soft' security targets, and traditional security precautions and anti-malware tools for stopping or uninstalling the GetBilling JS-sniffer will limit its impact.

Getting Browser Bills from Crooks

The field of JavaScript-based Trojans that insert themselves into the Web-shopping experience is crowded with competition, so much so that the formal name MageCart refers to a dozen distinct groups of criminals specializing in these campaigns. There is further room for growth, however, since threat actors rent out their Trojans to others who may distribute them at will. The GetBilling JS-sniffer is one of the more noticeable of these families of Trojan sniffers to date.

The GetBilling JS-sniffer family is one of a substantial series of Trojan sniffers that require particular software to be in place on the website's infrastructure for a successful attack. CMSes like WordPress or Shopify are examples of the services that Trojan sniffers can subvert by specializing their payloads for these environments, which improves their stealth and success rates. The majority of infections occur after site administrators use short or default passwords for their logins, or neglect to patch software that contains vulnerabilities such as buffer overflows.

When it attacks users of the site's payment system, the GetBilling JS-sniffer may either collect information passively or request more information. Attacks of the second kind generally disguise themselves with the assistance of 'copycat' phishing domains that closely resemble the addresses of a regular site, such as PayPal or Amazon. Since malware analysts find few self-evident symptoms in these attacks, customers are likely to give away credit card credentials and similar data without being aware of it.

Cutting the Bill that's Coming from Nowhere Good

Server administrators are the first line of defense against the GetBilling JS-sniffer and competing families of Trojan sniffers, such as the CoffeMokko JS-sniffer, the FakeCDN JS-sniffer, the G-Analytics JS-sniffer, and the especially widespread MagentoName JS-sniffer. They should patch their Content Management Systems whenever security fixes are available, use passwords that can't be brute-forced too easily, and abide by traditional practices like forbidding PHP execution in at-risk locations. Various cyber-security organizations also provide tools for scanning your site's code and detecting Trojan sniffer infections.

However, victims of the GetBilling JS-sniffer's attacks can also take precautions to keep it from collecting their data. Disabling Flash, JavaScript, and Java in your browser, except when they run from trusted, whitelisted domains, will limit a GetBilling JS-sniffer Trojan's features. Typical anti-malware products should identify any sites that have affiliations with Trojan sniffers' campaigns and block them, although only the site's admin can remove the GetBilling JS-sniffer's scripts, preferably with anti-malware security software.

The Web-based robbery of the GetBilling JS-sniffer is entirely preventable, as long as both sides of the equation maintain their due diligence. Hacked websites are generally doing something that invites remote attackers inside, while unprotected Web surfers are virtually asking for a Trojan sniffer or another JavaScript-based problem to appear.
