A mobile network operator has fallen victim to a Magecart campaign designed to steal consumer financial data.
Malwarebytes researchers said on Monday that one of the latest organizations targeted by a Magecart group is Boom! Mobile, of which the firm's US website has been compromised and is, at the time of writing, actively being used to harvest shopper information.
The researchers said that Boom!, a mobile operator that claims transparency and ease-of-use as their main selling points, has so far not responded to efforts to wipe out the Magecart infection.
In order to avoid detection for as long as possible, threat actors may limit the injection of skimmer code to payment portal pages.
Once card data has been stolen and whisked away to an attacker-controlled command-and-control server (C2), this information can be sold on in bulk, used to create clone cards, or to conduct fraudulent purchases.
Previous victims of Magecart attacks include Ticketmaster and British Airways.
Once decoded, the URL loads a script disguised as a Google Analytics element while using the link paypal-debit[.]com/cdn/ga.js.
"We quickly recognize this code as a credit card skimmer that checks for input fields and then exfiltrates the data to the criminals," the researchers said.
The skimmer itself, however, is far from quiet. Rather than silently grab a large swathe of data and send it in one go, data is exfiltrated every time changes are detected in fields on a page -- such as those used to input card details. The team noted that each leak can be viewed as a separate GET request.
It is possible that the website's compromise was due to the use of an old version of PHP that is no longer supported.
The group believed to be responsible relates to Fullz House, who have been previously traced to Magecart attacks using the same malicious domain and code. Fullz is a slang term used to describe data dumps containing 'full' stolen personally identifiable information (PII) and payment card data.
TechRepublic: Top 5 things to know about Confidential Computing
RiskIQ published a report on Fullz House in 2019. The group has diversified into both phishing and card-skimming campaigns but overlaps in domain and IP infrastructure have allowed researchers to connect the dots. In September, new fraudulent domains were registered by the group.
Malwarebytes has reported the active infection to the mobile service provider via live chat and email, but as of now, the company has not responded.
"Their website is still compromised and online shoppers are still at risk," the team added.
ZDNet has reached out to Boom! Mobile for comment and will update when we hear back.
Previous and related coverage
- Working from home causes surge in security breaches, staff 'oblivious' to best practices
- Cybersecurity 101: Protect your privacy from hackers, spies, and the government
- Two North American hospitality merchants hacked in May and June
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0