‘UltraRank’ cybercrime gang behind JS sniffer campaigns previously linked to Magecart


New report details how previously unknown group masterminded attacks

UltraRank cybercrime gang behind payment card data thefts previously linked to Magecart

A sophisticated cybercrime group generating more than $5,000 a day via JS sniffer infections was behind a trio of campaigns attributed to separate Magecart groups.

This is according to threat intel outfit Group-IB, which today (August 27) released a report on the threat actors.

Dubbed ‘UltraRank’ by the cyber investigations firm, the gang has compromised 691 websites and 13 third-party suppliers in Europe, Asia, and North and Latin America since it was established five years ago.

Third-party victims have included marketing agencies, web design agencies, website developers, and browser notification services, the findings state.

Misattributed attacks

An investigation concluded that UltraRank was responsible for a trio of campaigns that were previously linked to separate Magecart groups.

Security researchers had misattributed the attacks because UltraRank has frequently changed its infrastructure and malicious code, according to Group-IB.

The campaigns, one of which is still active, also used different JS sniffer families: FakeLogistics, WebRank, and SnifLite.

However, Group-IB’s intel analysts suspected that the attacks were the handiwork of a single actor when they noticed similarities in domain registration patterns and the mechanisms used to hide the command-and-control server’s location.

The campaigns also stored malicious code in multiple storage locations using different domain names, and launched complex supply chain attacks with single-target infections – as was the case in the attack against the website of Block & Company, North America’s largest manufacturer of cash handling products.

JS (JavaScript) sniffers are a form of malware designed to steal payment card data from online stores.

The number of JS sniffer families has more than doubled in under a year and a half, from 38 in March 2019 to 96 today, according to Group-IB research.

Innovative business model

Eschewing the approach of other JS sniffer operators – buying and reselling luxury goods or cooperating with third-party carders – UltraRank instead sells card data through an affiliated card shop, ValidCC, that has similar infrastructure to the group.

During one week in 2019, the store generated daily revenues of $5,000-$7,000 from the sale of bank card data and paid $25,000-$30,000 to third-party suppliers of stolen payment data, according to the card shop’s own statistics.

The researchers linked the card shop to UltraRank after noticing that it appeared shortly before the first JS sniffer campaign was launched.

The researchers found comments posted on underground forums by ‘SPR’, purporting to be a representative of ValidCC, that claimed that most of the ill-gotten data was obtained through JS sniffer infections. This individual also alternated between posting messages in English and Russian.

The investigation’s first breakthrough came in February, with the discovery that at least five websites created by US marketing company The Brandit Agency using the Magento ecommerce platform – including that of T-Mobile – had been infected with JS sniffers downloaded from the same website.

UltraRank’s sophistication shows how cybercriminals have raised ‘customer’ service standards and are continually “fine-tuning and simplifying the instruments for solving specific tasks”, said Group-IB threat intelligence analyst Victor Okorokov in a press release promoting the report.

The latest JS sniffer families have also significantly increased the efficiency of attacks on e-commerce stores, he suggested.

“In the coming years, we will definitely see the growth in the use of this malicious instrument since many online shops and service providers still neglect their cybersecurity, using outdated CMS’ that have vulnerabilities,” added Okorokov.

The Daily Swig has contacted Group-IB with additional questions and will update the article if and when we receive a response.
