Update (2020-10-05): The malicious code has been removed from Boom! Mobile's website
Most victims of Magecart-based attacks tend to be typical online shops selling various goods. However, every now and again we come across different types of businesses which were affected simply because they happened to be vulnerable.
Today we take a quick look at a mobile operator who offers cell phone plans to its customers. Their website lets you shop for devices and service with the well known shopping cart experience.
However, criminals related to the Fullz House group that was previously documented for their phishing prowess managed to inject malicious code into the platform and thereby capture data from unaware online shoppers.
Boom! Mobile is a wireless provider that sells mobile phone plans that operate on the big networks. The Oklahoma-based business advertises great customer service, transparency, and no contracts.
Once decoded, the URL loads a fake Google Analytics script from paypal-debit[.]com/cdn/ga.js. We quickly recognize this code as a credit card skimmer that checks for input fields and then exfiltrates the data to the criminals.
This skimmer is quite noisy as it will exfiltrate data every time it detects a change in the fields displayed on the current page. From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded.
Known threat actor
We recognized this domain and code from a previous incident where threat actors were using decoy payment portals set up like phishing pages.
RiskIQ tracked this group under the nickname "Fullz House" due to its use of carding sites to resell "fullz," a term used by criminals referring to full data packages from victims.
In late September, we noticed a number of new domains that were registered and following the same pattern we had seen before with this group.
However this group was quite active in the summer and continues on a well established pattern seen a year ago. Those domains are on AS 45102 (Alibaba (US) Technology Co., Ltd.), also previously documented by Sucuri.
According to Sucuri, boom[.]us is running PHP version 5.6.40 which was no longer supported as of January 2019. This may have been a point of entry but any other vulnerable plugin could also have been abused by attackers to inject malicious code into the website.
We reported this incident both via live chat and email to Boom! Mobile but have not heard back from them at the time of writing. Their website is still compromised and online shoppers are still at risk.
Malwarebytes Browser Guard was already blocking the skimmer before we detected this incident, therefore prevent the remote script from loading its malicious code.
Indicators of Compromise