Account Takeover Fraud , Cybercrime , Fraud Management & Cybercrime

'UltraRank' Targets More E-Commerce Sites

Group Uses JavaScript Sniffer to Steal Payment Card Data
'UltraRank' Targets More E-Commerce Sites

A cybercriminal gang known as "UltraRank" has launched a new campaign, targeting at least a dozen e-commerce sites to steal payment card data using a JavaScript sniffer, says security firm Group-IB.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

This new series of attacks, which began in November, uses a relatively new JavaScript-sniffer called SnifLite, according to Group-IB. The firm’s researchers contacted all the companies affected, but as of Wednesday, eight of the targeted sites remained infected with the malicious JavaScript code, they say.

"We assume that the gang will continue the infections as part of this campaign, as their operations in the past followed the same pattern of infections distributed over time," says Viktor Okorokov, threat intelligence and attribution analyst at Group-IB.

Over the last five years, UltraRank has targeted more than 700 e-commerce sites as well as 13 third-party suppliers in North America Europe, Asia and Latin America, Okorokov says.

In September, researchers at Group-IB discovered that the group had created its own carding shop called ValidCC that sells the stolen payment card data directly to other fraudsters (see: 'UltraRank' Gang Sells Card Data It Steals).

Attack Tactics

Group-IB notes the latest campaign apparently began with the UltraRank hackers using compromised content management system credentials to get access to the back-end infrastructure of e-commerce site’s checkout functions.

The hacking group stores the SnifLite skimmer on a website that mimics a legitimate Google Tag Manager domain to better hide the attack from security tools.

UltraRank, which has been using the SnifLite skimmer since 2019, previously deployed it to target a French advertising network called Adverline.

The domain that hides the JavaScript skimmer is hosted by an organization called Media Land LLC, which is connected with a bullet-proof hosting company, according to Group-IB.

Once an ecommerce site is infected with the JavaScript sniffer, the malware queries the infected site for words such as "checkout," "store," "cart" and "pay" to identify the payment card data, the researchers note.

"Another difference [with this JavaScript sniffer] is the extended list of keywords in several languages used to check the URL of the page the user is on," Okorokov says. "The JS sniffer gets activated once it's certain that it's a check-out page."

The SnifLite skimmer stores stolen payment card data in a local file called "google.verify.cache.001." In the final stage of the attack, the exfiltrated data is extracted from this local file and sent back to the UltraRank group, the Group-IB report notes.

Far-Reaching Attacks

The Group-IB researchers, who have been tracking UltraRank since February, has found that many attacks attributed to the “Magecart” umbrella of skimmer groups over the years actually were the work of one group - UltraRank. The analysts drew their conclusions after examining the evolution of the malicious JavaScript involved in these incidents as well as similar domains used and information described on the underground carding forum, according to the previous report.

UltraRank's malicious code has been found on many other e-commerce sites, including one for the postponed 2020 Tokyo Olympics, according to the report.

In each of the campaigns that it examined, the Group-IB analysts have found malicious JavaScript code that had been injected into e-commerce sites and used to steal payment card data. Each attack had similar methods to hide server locations, dynamically change the IP address and store the JavaScript code at multiple locations using various domain names.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.