The credit card skimming group Fullz House has compromised the website of US mobile virtual network operator (MVNO) Boom! Mobile in a classic MageCart attack.
Boom! Mobile offers postpaid and prepaid no-contract wireless service plans to its customers that allow them to use the lines of the nation’s largest cellular networks including AT&T, T-Mobile, and Verizon.
The Fullz House hackers injected an e-skimmer into the website and unfortunately, the malicious software has yet to be removed.
The e-skimmer was first spotted by researchers at Malwarebytes’ Threat Intelligence Team, the researchers noticed a single line of code that is used to load an external JavaScript library from paypal-debit[.]com/cdn/ga.js.
“Our crawlers recently detected that their website, boom[.]us, had been injected with a one-liner that contains a Base64 encoded URL loading an external JavaScript library.” reads the analysis published by Malwarebytes. “Once decoded, the URL loads a fake Google Analytics script from paypal-debit[.]com/cdn/ga.js. We quickly recognize this code as a credit card skimmer that checks for input fields and then exfiltrates the data to the criminals.”
The malicious software collects payment card information provided by the users, then exfiltrates the harvested data as a Base64 encoded GET request.
Researchers believe that the Fullz House Magecart group has compromised the Boom’s website by exploiting a vulnerability in the PHP version 5.6.40 used by the company, which is no more supported since January 2019.
The experts attempted to report the compromise to Boom! Mobile without success.
The Fullz House group was first spotted by security experts at RiskIQ in November 2019, when it was using phishing and web skimming for its attacks. Since August-September of 2019, the group started using a hybrid technique that leverages on MiTM and phishing attacks to target sites using external payment processors.
Hacker groups under the Magecart umbrella continue to target to steal payment card data with so-called software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010.
According to a joint report published by RiskIQ and FlashPoint in 2019, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.
MalwareBytes researchers also shared Indicators of Compromise for this attack in its analysis.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, e-skimmer)
[adrotate banner=”5″]
[adrotate banner=”13″]