Hackers associated with the “Fullz House” group have compromised the website of Boom! Mobile and planted a web skimmer, Malwarebytes reports.
The victim, an Oklahoma-based wireless services provider, claims to deliver great customer service and transparency to its users, all without contract. The mobile phone plans it sells work on other big networks in the country.
Initially detailed in November 2019, Fullz House has been active for over a year, focused either on phishing for personally identifiable information, banking credentials, and banking card data, or on skimming or phishing card data from ecommerce sites.
The two parts forming this group’s activity are split, but security researchers did observe in the past overlaps in infrastructure (including overlaps between the infrastructure used for sales operations and that employed for stealing data).
The attack on Boom! Mobile, Malwarebytes reveals, involved the injection of one line of code containing a Base64 encoded URL designed to load a JavaScript library from a remote domain used in a previous attack.
The injected URL, Malwarebytes’ security researchers say, loads a fake Google Analytics script which is nothing more than a credit card skimmer designed to find specific input fields and exfiltrate data from those fields.
“This skimmer is quite noisy as it will exfiltrate data every time it detects a change in the fields displayed on the current page. From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded,” the researchers explain.
Malwarebytes also explains that the attackers have registered a large number of new domains in late September, a pattern that the group has followed before. The group has been active over the summer as well.
Boom! Mobile’s website is running PHP version 5.6.40 (which reached end of support in January last year) and this, or a vulnerable plugin, might have been the point of entry, Malwarebytes notes.
The security firm also says that it reported the incident to the wireless services provider both via live chat and email, but hasn’t heard back and the compromise hasn’t been addressed yet, meaning that Boom! Mobile customers continue to be at risk.
“While Magecart attacks typically target e-commerce retailers, any business collecting credit card numbers and other personal information online is vulnerable. Shadow Code vulnerabilities lurk in third-party and open source libraries commonly used in web applications. Businesses must ensure they have continuous visibility into client-side scripts on their websites in order to detect and stop such digital skimming attacks,” Ameet Naik, security evangelist at PerimeterX, said in an emailed comment.
Related: Magecart Group Hits 570 Websites in Three Years
Related: Hunting for Magecart With URLscan.io
Related: Magecart Attacks on Claire’s and Other U.S. Stores Linked to North Korea