Asia-24-Kim-Operation-PoisonedApple.pdf

《Asia-24-Kim-Operation-PoisonedApple.pdf》由会员分享，可在线阅读，更多相关《Asia-24-Kim-Operation-PoisonedApple.pdf（51页珍藏版）》请在三个皮匠报告上搜索。

1、#BHASIA BlackHatEventsOperation PoisonedApple:Tracing Credit Card Information Theft to Payment FraudGyuyeon Kim&Hyunho Cho Financial Security Institute#BHASIA BlackHatEventsWho are we?Senior researcher at Financial Security Institute Focusing on incident response in Korean financial companies,digita

2、l forensics and cyber threat intelligenceGyuyeon KimHyunho Cho Principle researcher at Financial Security Institute Focusing on investigation of security incidents,digital forensics,penetration tests and vulnerabilities analysis#BHASIA BlackHatEventsAgenda01.Introduction 02.Operation PoisonedApple 0

3、3.Attribution 04.Conclusion IntroductionDiscovery of the operation#BHASIA BlackHatEventsDiscoverySeptember 2022online store ACard PINExpire dateCredit card numberCVC numberResident ID numbercheck outcancelPayment methodselect payment methodgeneral paymentAmountNovember 2022online store Bgeneral paym

4、entselect payment methodCard PINExpire dateCredit card numberCVC numberResident ID numberPayment methodAmountcheck outcancel#BHASIA BlackHatEventsInitial Analysis of phishing payment pagesHTTP/1.1 200 OK Date:Tue,29 Nov 2022 05:25:33 GMT Server:Apache X-Powered-By:PHP Cache-Control:no-store Connecti

5、on:close Content-Type:text/html 0000,t1yoaefNR+59FTMNxfxfuAcHyKIPdQ/iE35VBPEo1cQ=,/shop/skin_ori/campingyo/order/card/KCP/mobileGW.php?url=https:/rsmpay.kcp.co.kr/pay/mobileGW.kcpHTTP/1.1 200 OK Date:Tue,29 Nov 2022 05:12:07 GMT Server:Apache X-Powered-By:PHP/5.2.17 Cache-Control:no-store Content-Le

6、ngth:156 Connection:close Content-Type:text/html 0000,7gYCff9LSlSkgfSvIxjFNQcHyKIPdQ/iE35VBPEo1cQ=,https:/rsmpay.kcp.co.kr/pay/mobileGW.kcpResponse from legitimate siteResponse from compromised site Returns the phishing payment pages URIphishing payment pages URIPOST http:/shop.coleman.co.kr/shop/co