Boom! Mobile’s U.S. website recently fell victim to an e-commerce attack, putting online shoppers in danger of payment-card theft, researchers said.
Boom! is a wireless provider that resells mobile phone plans from Verizon, AT&T and T-Mobile USA, under its own brand and with its own perks (the company boasts “great customer service” and no contracts). Up until yesterday, the provider’s main website was hosting malicious code, which lurked on the online checkout page and harvested online shoppers’ details.
The approach is reminiscent of core Magecart group attacks, but in this case, the attack was the work of the Fullz House group, according to Malwarebytes, which is a Magecart splinter group that’s mainly known for its phishing prowess.
“Most victims of Magecart-based attacks tend to be typical online shops selling various goods. However, every now and again we come across different types of businesses which were affected simply because they happened to be vulnerable,” Malwarebytes researchers said in a Monday post.
According to a review from Sucuri, boom[.]us was running PHP version 5.6.40, which reached end-of-life in January 2019. As of this writing, the website still has outdated status.
“This may have been a point of entry but any other vulnerable plugin could also have been abused by attackers to inject malicious code into the website,” researchers pointed out.
The Attack
The cybercriminals managed to inject malicious code into Boom!’s web platform, researchers explained.
“Our crawlers recently detected that their website, boom[.]us, had been injected with a one-liner that contains a Base64 encoded URL loading an external JavaScript library,” researchers wrote. “Once decoded, the URL loads a fake Google Analytics script from paypal-debit[.]com/cdn/ga.js. We quickly recognize this code as a credit-card skimmer that checks for input fields and then exfiltrates the data to the criminals.”
The skimmer is highly detectable, because it exfiltrates data every time it detects a change in the fields displayed on the page – i.e., whenever someone types something in. As a result, it lacks stealth: “From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded,” explained the researchers.
In this case, both the exfiltration domain (hosted on Alibaba) and the injected code proved to be familiar; they have turned up in previous Fullz House incidents, including one where the threat actors were using decoy payment portals set up like phishing pages.
Fullz House Back on the Schedule
The group has been analyzed in the past, and gets its name from the use of carding sites to resell “fullz,” an underground slang term meaning a full set of an individual’s personally identifying information plus financial data.
Fullz House was discovered ramping up activity starting in August-September of 2019. It uses a unique codebase and different tactics from the main Magecart variants to carry out its attacks, according to researchers.
Magecart is an umbrella term encompassing several different threat groups who all use the same modus operandi: They compromise websites (mainly built on the Magento e-commerce platform) in order to inject card-skimming scripts on checkout pages, stealing unsuspecting customers’ payment card details and other information entered into the fields on the page.
According to a previous analysis from RiskIQ, Fullz House is known for innovating when it comes to the Magecart blueprint by adding phishing to the mix. It uses generic phishing to gather and sell personal information, for which they have a dedicated store called “BlueMagicStore.” In the web-skimming arena, the group is harvesting financial data during e-commerce checkouts, and selling credit-card information on its carding store, which is named “CardHouse.”
Boom! is certainly not the group’s only target: “In late September, we noticed a number of new domains that were registered and following the same pattern we had seen before with this group,” researchers wrote. “However, this group was quite active in the summer and continues on a well-established pattern seen a year ago.”
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.