Fullz House Phishing Attack
Cybercrime is a serious threat to our way of life. As digital tech booms and every aspect of our life goes digital, the need for serious cybercrime fighting becomes all that more critical. And while corporates and organizations have become alert and are increasing spending on tech solutions to limit and prevent cybercrime, the fact is cybercriminals are becoming smarter with their attacks. The Fullz House Phishing Attack Targets Boom! Mobile is an example of these attacks.
In fact, according to Cybersecurity Ventures, by 2021 the damage inflicted by cybercrime is expected to touch $6 trillion! In the midst of all this, an added risk factor has been the Covid-19 pandemic. Instances of cybercrime have seen a sharp rise during this period primarily driven by the fact that there are more online transactions which has provided cybercriminals with wider opportunities of hacking and stealing financial and personal data.
As businesses and corporates advocated work from home for their staff, this again opened up another opportunity for criminals to steal data.
So be it an individual or an organization – you are at risk. Here’s a recent classic example of how cybercriminals can impact your life by targeting corporations and businesses.
Malicious Code on Boom! Mobile Website Checkout Page
Boom! Mobile, a wireless provider reselling mobile plans to customers became one of the most recent victims of a cyber-attack. Now Boom! Mobile essentially resells mobile plans from major providers including AT&T, T-Mobile USA, and Verizon. However, customers were put to risk of payment-card theft because of a malicious code on the checkout page of the company’s website. The code was designed to harvest customer information.
The attack came from the Fullz House group and the attempt was similar to Magecart group attacks. Magecart is a fast growing syndicate of groups of cybercriminals who specialize in targeting online shopping cart systems to harvest customer payment card data.
The incident came to light when Malewarebytes crawlers discovered that the Boom! Mobile website was hosting the malicious code on their checkout page.
According to Malewarebytes their crawlers discovered “the boom[.]us, had been injected with a one-liner that contains a Base64 encoded URL loading an external JavaScript library. Once decoded, the URL loads a fake Google Analytics script from paypal-debit[.]com/cdn/ga.js. We quickly recognize this code as a credit card skimmer that checks for input fields and then exfiltrates the data to the criminals.”
According to Malewarebytes researchers, “Most victims of Magecart-based attacks tend to be typical online shops selling various goods. However, every now and again we come across different types of businesses which were affected simply because they happened to be vulnerable.”
Possible entry points for placing the malicious code according to Malewarebytes researchers, could have been the use of PHP version 5.6.40, which expired in January 2019. However, another plugin with similar vulnerabilities could also easily have been a point of entry for the malicious code.
On the credit-card skimmer used in this attack, the researchers further stated that “the skimmer is highly detectable, because it exfiltrates data every time it detects a change in the fields displayed on the page – i.e., whenever someone types something in. As a result, it lacks stealth: “From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded,”
Upon detecting the breach, Malewarebytes immediately informed Boom! Mobile about the incident both via email and live chat. It is to be seen whether or not the company has plugged the stated vulnerabilities in their system to secure customers and to ensure adequate protection from future attacks.
Fullz House – A Known Threat Actor
Malewarebytes said that they were familiar with Fullz House which they recognized from a previous episode. At that time they were tracking a thereat group based on the increase in the activity of the group in registering domains for the purpose of driving skimming and phishing campaigns.
RiskIQ took notice of Fullz House when they discovered the group shifting from their original ecosystem of phishing to card skimming. The group carries out its operations in two parts:
- Generic phishing which involves selling “fullz” and is carried out on their store “BlueMagicStore.” Fullz is a term used by criminals and resellers of data which simply means complete packages of identifying information of individuals. (Source)
- Card skimming is an operation involving the selling of credit card information which is carried out via their carding store “CardHouse.” (Source)
While Fullz House has been a known player in the phishing space, the activities of the group started picking up speed sometime during August-September of 2019.
As such RiskIQ has been continually tracking Magecart groups that are emerging armed with advanced and unique code and tools. This has enabled them to effectively expand their Magecart base knowledge which in turn has given them a more in-depth understanding of how to track and identify Magecart as well as other similar forms of web skimming, including Fullz House.
Web Skimming – What You need to know
Web skimming delivers fantastic profits and for this reason cyber criminals are driven to discover new tools and solutions that can be used for phishing. This in turn has pushed governments across the globe, corporations, businesses, and tech companies to take greater notice of security breaches in their systems that could endanger customer, employee data as well as pose a threat to a given organization.
Most e-commerce stores prefer to outsource their financial transactions to secure pages that are run and managed by payment service providers (PSPs). One of the primary reasons for doing this is because in the event the e-commerce site is breached, the customer will be securely directed to alternative payment options such as Visa gateways, or PayPal to complete their payment.
However, cybercriminals are now altering and improving their phishing techniques to break-through security systems.
A Few Things You can do to Protect yourself
- Make sure you closely monitor your account statements, so you know what payments are going out of your account.
- Turn on transaction notifications – again, this will help you track any outgoing payments from your account.
- Use virtual card numbers when shopping online or if possible pay with your mobile phone – payment options such as Google Pay and Apple Pay use a mechanism in which your real card number is replaced with a temporary number effectively securing your original card number.
- If possible, use an alternative online wallet which does not ask you to fill in your card details in the checkout page of the concerned shopping site.
Click Here To Read Other Recent Articles: