Security Experts:

Connect with us

Hi, what are you looking for?



UltraRank Group Stole Card Data From Hundreds of Sites Using JS Sniffers

A sophisticated cybercrime group has stolen payment card data from hundreds of websites over the past five years using JavaScript sniffer malware, threat hunting and intelligence company Group-IB reported on Thursday.

A sophisticated cybercrime group has stolen payment card data from hundreds of websites over the past five years using JavaScript sniffer malware, threat hunting and intelligence company Group-IB reported on Thursday.

Named UltraRank by Group-IB, the threat actor has launched at least three campaigns since 2015, including one that appears to be ongoing. While each campaign relied on different pieces of malware to steal card data, researchers found evidence linking them to the same group, including similar domain registration patterns, mechanisms for hiding servers, and storage locations for malicious code. The malware families observed by Group-IB were named FakeLogistics, WebRank and SnifLite.

“Over five years, UltraRank repeatedly changed its infrastructure and malicious code for stealing bank card data, as a result of which researchers would wrongly attribute its attacks to other threat actors,” Group-IB noted in its report.

The cybersecurity firm’s analysis showed that UltraRank hacked into nearly 700 websites, as well as 13 service providers in the Americas, Europe and Asia. The impacted service providers include web design firms, marketing agencies, and advertising and browser notification services.

In one attack, identified in February 2020, the attackers breached the systems of a US-based marketing firm, The Brandit Agency, and planted their JS sniffers on the websites created by the company for five of its customers, including T-Mobile.

Last year, the cybercriminals compromised over 270 websites after breaching the systems of France-based ad network Adverline. They also targeted Block and Company, the largest manufacturer of cash handling products in North America.

JS sniffer malware is designed to steal payment card information from the customers of online stores. Group-IB says it currently tracks nearly 100 JS sniffer families, more than double compared to a year earlier.

Many cybercrime groups involved in these types of attacks make a profit by using the stolen card data to acquire goods that they can sell, or they sell the card data directly to others. UltraRank, however, has set up its own card shop, called ValidCC. The cybercrime shop made as much as $7,000 in a single day, the cybercriminals claimed last year.

Group-IB said one of the threat group’s representatives used English to write on underground forums, but they would sometimes also communicate in Russian.

Related: Corporate Espionage Group ‘RedCurl’ Launching Targeted Attacks Since 2018

Related: Russian APT ‘Silence’ Steals $3.5 Million in One Year

Related: Threat Actor Sold Access to Networks of 135 Organizations

Related: Financially-Motivated Iranian Hackers Adopt Dharma Ransomware

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...