1. JS Sniffer: E-commerce Data Theft Made Easy

    In late 2017, Volexity began tracking a new e-commerce financial data theft framework named JS Sniffer. The framework gives attackers a quick and efficient way to steal data from compromised e-commerce websites. JS Sniffer is optimized to steal data from compromised websites running the Magento e-commerce platform. However, Volexity has observed the framework on e-commerce websites leveraging OpenCart, Shopify, WordPress, and others as well. Volexity initially identified the framework following a highly targeted attack campaign against a website that facilitates online ticket sales for numerous events and venues. One of the websites affected by this breach was an online retailer selling tickets for New Year’s Eve events in a large metropolitan area. The website’s checkout page was modified to house malicious code designed to steal information entered, such as name, address, credit card data, and even login credentials. This was done through the use of embedded JavaScript, collecting user […]

  2. APT Group Wekby Leveraging Adobe Flash Exploit (CVE-2015-5119)

    As if the recent breach and subsequent public data dump involving the Italian company Hacking Team wasn’t bad enough, it all gets just a little bit worse. Emerging from the bowels of the Hacking Team data dump was a Flash 0-day exploit (CVE-2015-5119) that was just patched today by Adobe, as covered in APSB15-16. The exploit has since been added to the Angler Exploit Kit and integrated into Metasploit. However, not to be outdone, APT attackers have also started leveraging the exploit in targeted spear phishing attacks. Before we start dishing the details, there is going to be one main takeaway from this blog post: if you haven’t already, update/patch your Adobe Flash now. Spear Phishing: This morning, a well-known APT threat group, often referred to as Wekby, kicked off a rather ironic spear phishing campaign. The attackers launched spoofed e-mail messages purporting to be from Adobe. […]

  3. Afghan Government Compromise: Browser Beware

    Visiting a wide range of websites associated with the Government of Afghanistan may yield visitors an unwanted surprise. For the second time this year, malicious code has surfaced on a host that serves as a content delivery network (CDN) for the Afghan government. JavaScript code from this system is found on the websites of several different Afghan offices, ministries, and authorities. This strategic web compromise (SWC) against the Afghan CDN server has effectively turned a large portion of the government’s websites into attack surfaces against visitors. Volexity recently detected malicious code being loaded after a user visited the websites for the President of Afghanistan. Second Round of Attacks: In a previous attack highlighted earlier in the year by ThreatConnect, one of the two primary JavaScript files accessed from the CDN system was modified to load code from two different malicious URLs. In the past attacks, the following file was modified to […]

  4. CVE-2014-6271 – Remotely Exploitable Vulnerability in Bash

    With the excitement of public details of a remotely exploitable vulnerability in bash (CVE-2014-6271) coming to light today, we decided it was as good a time as any to finally launch Volexity’s blog. We have a lot of exciting announcements and posts coming, but for now we turn our attention to bash. Today’s announcement and release of related patches may ultimately unleash something that rivals Heartbleed. While that still remains to be seen, the time for action from system administrators is now. Are You Vulnerable? If you haven’t patched today, then the answer is most likely yes. However, double-checking whether this is the case is rather simple. If you want to find out if your version of bash is vulnerable to exploitation, you can use a one-liner that Red Hat posted earlier today and quickly check: $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" […]