Boom! Mobile falls prey to Magecart card-skimming attack

Researchers say the website is still compromised, placing consumers at risk.

Cybersecurity: Even the professionals spill their data secrets

A mobile network operator has fallen victim to a Magecart campaign designed to steal consumer financial data. 

Malwarebytes researchers said on Monday that one of the latest organizations targeted by a Magecart group is Boom! Mobile, of which the firm's US website has been compromised and is, at the time of writing, actively being used to harvest shopper information. 

The researchers said that Boom!, a mobile operator that claims transparency and ease-of-use as their main selling points, has so far not responded to efforts to wipe out the Magecart infection. 

Magecart is an umbrella term describing credit-card skimmer attacks and numerous cyberthreat groups that now specialize in this area. Typically, attacks are performed by exploiting a vulnerability in a website domain -- including back-end content management systems (CMS) -- in order to load JavaScript-based scripts able to skim data.

See also: Today's 'mega' data breaches now cost companies $392 million to recover from

In order to avoid detection for as long as possible, threat actors may limit the injection of skimmer code to payment portal pages. 

Once card data has been stolen and whisked away to an attacker-controlled command-and-control server (C2), this information can be sold on in bulk, used to create clone cards, or to conduct fraudulent purchases.  

Previous victims of Magecart attacks include Ticketmaster and British Airways.

Malwarebytes says that in Oklahoma-based Boom! Mobile's case, one of the cybersecurity firm's crawlers found a one-line code injection containing a Base64 encoded URL leading to an external JavaScript library.

Once decoded, the URL loads a script disguised as a Google Analytics element while using the link paypal-debit[.]com/cdn/ga.js.

CNET: Huawei ban timeline: UK finds flaw of 'national significance' in Huawei tech

"We quickly recognize this code as a credit card skimmer that checks for input fields and then exfiltrates the data to the criminals," the researchers said. 

The skimmer itself, however, is far from quiet. Rather than silently grab a large swathe of data and send it in one go, data is exfiltrated every time changes are detected in fields on a page -- such as those used to input card details. The team noted that each leak can be viewed as a separate GET request.

It is possible that the website's compromise was due to the use of an old version of PHP that is no longer supported. 

The group believed to be responsible relates to Fullz House, who have been previously traced to Magecart attacks using the same malicious domain and code. Fullz is a slang term used to describe data dumps containing 'full' stolen personally identifiable information (PII) and payment card data.  

TechRepublic: Top 5 things to know about Confidential Computing

RiskIQ published a report on Fullz House in 2019. The group has diversified into both phishing and card-skimming campaigns but overlaps in domain and IP infrastructure have allowed researchers to connect the dots. In September, new fraudulent domains were registered by the group.

Malwarebytes has reported the active infection to the mobile service provider via live chat and email, but as of now, the company has not responded. 

"Their website is still compromised and online shoppers are still at risk," the team added. 

ZDNet has reached out to Boom! Mobile for comment and will update when we hear back. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0