Magecart’s success in cyberattacks has led threat actors to actively develop and advertise sniffers that can be injected into e-commerce web pages to exfiltrate payment card data. One such sniffer, named R3NIN, has emerged on the threat landscape with notable features and the sniffer-as-a-service model.

Sniffing the e-Commerce

The sniffer’s attack sequence begins when an attacker injects a self-contained malicious script directly into a payment page of an already compromised merchant site.
  • The sniffer malware collects the input variables, converts them to a string, and sends them to the sniffer panel maintained by the attacker for further analysis and exploitation.
  • The attacker leverages iFrame by tricking the victims into entering additional data asked by a fake pop-up window, which is typically not required on a legitimate page.
  • The stolen data is processed in a commercialized format to either sell in underground forums or use it as phishing baits in different attacks.

Some of its top functionalities

  • The sniffer panel has a generator containing malicious conditional script and an extractor that parses all the raw sniffed data and displays it in a clean format. The toolkit can be utilized with the object execution method and remote execution method.
  • Notably, it has features including options to generate custom JavaScript codes for injection, cross-browser exfiltration of compromised payment card data, manage exfiltrated data, check BINs, parse data, and generate statistics.

Sniffer-as-a-service model

According to Cyble researchers, threat actors using the handle r3nin are advertising this ready-to-use toolkit and panel on a Russian-language cybercrime forum.
  • Initially, R3NIN was made available at $1,500 as an introductory price for a limited time, however, the pricing model has since been revised, and now the toolkit access ranges between $3,000 and $4,500.
  • The sniffer developers have launched two variants i.e. version 1.1 and version 1.2 with several improvements and new functionalities, in January.


With the increasing development and sale of customized sniffers, threat actors are now capable of defeating updated security measures and alerts. E-commerce merchants are advised to conduct regular and thorough audits of both their payment pages and servers that communicate with payment gateways to secure them from such compromises.
Cyware Publisher