Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information and test stolen credit card data.
Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, masquerade as fixes for recent issues detected in a legitimate Python module called bitcoinlib, according to ReversingLabs. A third package discovered by Socket, disgrasya, contained a fully automated carding script targeting WooCommerce stores.
The packages attracted hundreds of downloads before being taken down, according to statistics from pepy.tech –
“The malicious libraries both attempt a similar attack, overwriting the legitimate ‘clw cli’ command with malicious code that attempts to exfiltrate sensitive database files,” ReversingLabs said.
In an interesting twist, the authors of the counterfeit libraries are said to have joined a GitHub issue discussion and unsuccessfully attempted to trick unsuspecting users into downloading the purported fix and running the library.
On the other hand, disgrasya has been found to be openly malicious, making no effort to conceal its carding and credit card information stealing functionality.
“The malicious payload was introduced in version 7.36.9, and all subsequent versions carried the same embedded attack logic,” the Socket Research Team said.
Carding, also called credit card stuffing, refers to an automated form of payment fraud in which fraudsters test a bulk list of stolen credit or debit card information against a merchant’s payment processing system to verify their validity. It falls under a broader attack category referred to as automated transaction abuse.
A typical source for stolen credit card data is a carding forum, where credit card details pilfered from victims using various methods like phishing, skimming, or stealer malware are advertised for sale to other threat actors to further criminal activity.
Once they are found to be active (i.e. not reported lost, stolen, or deactivated), scammers use them to buy gift cards or prepaid cards, which are then resold for profit. Threat actors are also known to test if the cards are valid by attempting small transactions on e-commerce sites to avoid being flagged for fraud by the card owners.
The rogue package identified by Socket is designed to validate stolen credit card information, particularly targeting merchants using WooCommerce with CyberSource as the payment gateway.
The script achieves this by emulating the actions of a legitimate shopping activity, programmatically finding a product, adding it to a cart, navigating to the WooCommerce checkout page, and filling the payment form with randomized billing details and the stolen credit card data.
In mimicking a real checkout process, the idea is to test the validity of the plundered cards and exfiltrate the relevant details, such as the credit card number, expiration date, and CVV, to an external server under the attacker’s control (“railgunmisaka[.]com”) without attracting the attention of fraud detection systems.
“While the name might raise eyebrows to native speakers (‘disgrasya’ is Filipino slang for ‘disaster’ or ‘accident’), it’s an apt characterization of a package that executes a multi-step process emulating a legitimate shopper’s journey through an online store in order to test stolen credit cards against real checkout systems without triggering fraud detection,” Socket said.
“By embedding this logic inside a Python package published on PyPI and downloaded over 34,000 times, the attacker created a modular tool that could be easily used in larger automation frameworks, making disgrasya a powerful carding utility disguised as a harmless library.”
