Security Experts:

Connect with us

Hi, what are you looking for?



Hackers Inject Skimmer Into Boom! Mobile’s Website

Hackers associated with the “Fullz House” group have compromised the website of Boom! Mobile and planted a web skimmer, Malwarebytes reports.

Hackers associated with the “Fullz House” group have compromised the website of Boom! Mobile and planted a web skimmer, Malwarebytes reports.

The victim, an Oklahoma-based wireless services provider, claims to deliver great customer service and transparency to its users, all without contract. The mobile phone plans it sells work on other big networks in the country.

Initially detailed in November 2019, Fullz House has been active for over a year, focused either on phishing for personally identifiable information, banking credentials, and banking card data, or on skimming or phishing card data from ecommerce sites.

The two parts forming this group’s activity are split, but security researchers did observe in the past overlaps in infrastructure (including overlaps between the infrastructure used for sales operations and that employed for stealing data).

The attack on Boom! Mobile, Malwarebytes reveals, involved the injection of one line of code containing a Base64 encoded URL designed to load a JavaScript library from a remote domain used in a previous attack.

The injected URL, Malwarebytes’ security researchers say, loads a fake Google Analytics script which is nothing more than a credit card skimmer designed to find specific input fields and exfiltrate data from those fields.

“This skimmer is quite noisy as it will exfiltrate data every time it detects a change in the fields displayed on the current page. From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded,” the researchers explain.

Malwarebytes also explains that the attackers have registered a large number of new domains in late September, a pattern that the group has followed before. The group has been active over the summer as well.

Boom! Mobile’s website is running PHP version 5.6.40 (which reached end of support in January last year) and this, or a vulnerable plugin, might have been the point of entry, Malwarebytes notes.

The security firm also says that it reported the incident to the wireless services provider both via live chat and email, but hasn’t heard back and the compromise hasn’t been addressed yet, meaning that Boom! Mobile customers continue to be at risk.

“While Magecart attacks typically target e-commerce retailers, any business collecting credit card numbers and other personal information online is vulnerable. Shadow Code vulnerabilities lurk in third-party and open source libraries commonly used in web applications. Businesses must ensure they have continuous visibility into client-side scripts on their websites in order to detect and stop such digital skimming attacks,” Ameet Naik, security evangelist at PerimeterX, said in an emailed comment.

Related: Magecart Group Hits 570 Websites in Three Years

Related: Hunting for Magecart With

Related: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.