Card-skimming schemes, also known as Magecart attacks, have become a common threat in a world dominated by e-commerce.
We see a padlock icon or purchase products from popular brands and we may not consider cybersecurity at all -- but as a recent spate of Magecart campaigns has highlighted, even well-known companies and organizations can fall prey if they fail to keep a close eye on their payment portals and patching processes.
When established corporations such as Ticketmaster and British Airways become victims -- and subsequently, so do their customers -- you know you have a problem on your hands.
Unfortunately, card-skimming attacks are not difficult to pull off and in some cases, can be automated. Threat actors check web domains for vulnerabilities ripe for exploit, take advantage and compromise a domain, and plant JavaScipt code in payment-related pages to harvest card details as they are submitted before this information is sent to command-and-control (C2) server for sale.
Given the lucrative nature of this fraudulent business, Magecart has expanded from a term describing one group to multiple outfits, and one group, dubbed Fullz House, has recently caught the attention of researchers.
On Tuesday, RiskQ published a report into the activities of Fullz House and recent changes to their modus operandi.
Fullz House used to specialize in phishing but have now decided to double-dip by bringing its skills from the phishing ecosystem into the world of card-skimming.
The group operates an underground trading post called "BlueMagicStore" which sells "fullz," also known as full packages of information, including both Personally Identifiable Information (FII) and stolen banking data. Recently, Fullz House has pivoted to card skimming to open up "CardHouse," a sales point for credit card information.
During August and September this year, researchers noted an overlap in their attack infrastructure that now combines both operations.
The phishing side of attacks generally favor PayPal and mimic payment providers on fraudulent domains. Interestingly, now with a push into card skimming, the cybercriminals have written their own skimmer code -- something that RiskIQ says is now a rare occurrence.
Fullz House's creation is more primitive than many pre-made skimmers you can buy online. The researchers say that the code's functionality is similar to the first kinds of skimmer spotted back in 2014, in which input fields are checked for changes, rather than waiting for a victim to complete a purchase.
"This implementation is primitive and works more like a keylogger with data validation than a skimmer," the team says. "These criminals are new at skimming and figuring it out as they go."
However, the skimmer does come with an interesting twist. Leaning on its phishing skills, the cyberattack group also sets up fake payment pages on the same domains as their skimmers and redirects victims to legitimate payment processors after information has been stolen, thereby performing a kind of Man-in-The-Middle (MiTM) attack to steal payment data in some cases.
Despite attempts to hide their activities behind new Cloudflare infrastructure, RiskQ is still able to track them due to failures to hide their old setups.
A link with StewieShop has also been found during an investigation of Fullz House activities. StewieShop is a carding store that shares IP space with Fullz House shops, alongside a dump store called The Infinity Base.
While it is difficult to firmly establish the owners of underground criminal shops, the team says they "feel strongly there is a deep connection amongst them."
"The Fullz group crossed over from the phishing ecosystem to bring an entirely new skill set to the online skimming game," RiskIQ says. "Ultimately, the picture that emerges is of a well-connected group that has access to bulletproof hosting, is schooled in the world of phishing, and, although new to web-skimming, has the cunning to make a niche for themselves."
Previous and related coverage
- Old Magecart web domains resurrected for fraudulent ad schemes
- Macy's suffers online Magecart card-skimming attack, data breach
- Magecart strikes again: hotel booking websites come under fire
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0