Security researchers have uncovered a major new digital skimming group responsible for compromising hundreds of websites and multiple suppliers in a five-year period.
Dubbed “UltraRank” by Singapore-based security outfit Group-IB, the group’s activity was previously associated with Magecart Groups 2, 5 and 12, according to a new blog post.
However, these were in fact separate campaigns by UltraRank, with number two dating back to 2015 and number 12 ongoing to this day, the vendor claimed.
Over that time, the group changed its infrastrucrture and malware, throwing researchers off the scent. However, some elements stayed the same.
“In all three campaigns similar mechanisms to hide the threat actors’ server location and resembling patterns of domain registration were used. In addition, several storage locations for malicious code with identical contents were discovered in all the campaigns,” noted Group-IB.
“What distinguishes the three operations is the choice of JS sniffer family employed — FakeLogistics in Campaign 2, WebRank in Campaign 5 and SnifLite in Campaign 12.”
Unusually for digital skimmer groups, UltraRank attacked both individual websites/organizations and supply chain players. Group-IB claimed to have identified 691 separate websites infected by the group plus 13 third-party providers of services including advertising and browser notification, web design, marketing and website development.
UltraRank “went far beyond the notion of ordinary JS sniffer operators,” by developing a separate business model. Rather that laundering funds by buying and reselling expensive goods, or selling to carders, the group monetized stolen data through an affiliated card shop: ValidCC.
Group-IB claimed that the administrator of ValidCC appears to be a Russian speaker.
ValidCC claims to have made $5000-$7000 per day in one week in 2019.
The JS-sniffer market is seeing massive interest on the cybercrime underground, with the number of distinct malware families having doubled over the past year to reach 96 today, Group-IB warned.
“Today, JS sniffers represent the end product of the evolution of tools intended for the compromise of bank card data, considerably decreasing the resource-intensity of such attacks,” concluded the firm’s threat intelligence analyst, Victor Okorokov.
“In the coming years, we will definitely see the growth in the use of this malicious instrument since many online shops and service providers still neglect their cybersecurity, using outdated CMSs that have vulnerabilities.”