毒苹果行动：追踪信用卡信息窃取至支付欺诈.pdf

1、#BHASIA BlackHatEventsOperation PoisonedApple:Tracing Credit Card Information Theft to Payment FraudGyuyeon Kim&Hyunho Cho Financial Security Institute#BHASIA BlackHatEventsWho are we?Senior researcher at Financial Security Institute Focusing on incident response in Korean financial companies,digita

2、l forensics and cyber threat intelligenceGyuyeon KimHyunho Cho Principle researcher at Financial Security Institute Focusing on investigation of security incidents,digital forensics,penetration tests and vulnerabilities analysis#BHASIA BlackHatEventsAgenda01.Introduction 02.Operation PoisonedApple 0

3、3.Attribution 04.Conclusion IntroductionDiscovery of the operation#BHASIA BlackHatEventsDiscoverySeptember 2022online store ACard PINExpire dateCredit card numberCVC numberResident ID numbercheck outcancelPayment methodselect payment methodgeneral paymentAmountNovember 2022online store Bgeneral paym

4、entselect payment methodCard PINExpire dateCredit card numberCVC numberResident ID numberPayment methodAmountcheck outcancel#BHASIA BlackHatEventsInitial Analysis of phishing payment pagesHTTP/1.1 200 OK Date:Tue,29 Nov 2022 05:25:33 GMT Server:Apache X-Powered-By:PHP Cache-Control:no-store Connecti

5、on:close Content-Type:text/html 0000,t1yoaefNR+59FTMNxfxfuAcHyKIPdQ/iE35VBPEo1cQ=,/shop/skin_ori/campingyo/order/card/KCP/mobileGW.php?url=https:/rsmpay.kcp.co.kr/pay/mobileGW.kcpHTTP/1.1 200 OK Date:Tue,29 Nov 2022 05:12:07 GMT Server:Apache X-Powered-By:PHP/5.2.17 Cache-Control:no-store Content-Le

6、ngth:156 Connection:close Content-Type:text/html 0000,7gYCff9LSlSkgfSvIxjFNQcHyKIPdQ/iE35VBPEo1cQ=,https:/rsmpay.kcp.co.kr/pay/mobileGW.kcpResponse from legitimate siteResponse from compromised site Returns the phishing payment pages URIphishing payment pages URIPOST http:/xxxxxxxxxxxxxxxxx/shop/con