Account Takeover Fraud , Cybercrime , Fraud Management & Cybercrime
'UltraRank' Gang Sells Card Data It Steals
Group-IB Finds Hacking Group Attacked Hundreds of Checkout SitesA cybercriminal gang dubbed "UltraRank" that has planted malicious JavaScript code in hundreds of e-commerce websites around the world over the last five years to steal payment card data also takes the unusual step of selling the data on its own, the security firm Group-IB reports.
See Also: The State of OT Security: A Comprehensive Guide to Trends, Risks, and Cyber Resilience
Unlike other cybercriminal gangs under the "Magecart" umbrella that steal payment card data from ecommerce sites and then sell that information to a third-party carding site or use it to buy goods, UltraRank created its own carding shop called ValidCC that sells the stolen credit card data to other fraudsters, the report notes.
During a single week in 2019, for example, the gang collected between $5,000 and $7,000 a day by selling payment card data that it had stolen from e-commerce sites, says Victor Okorokov, a threat intelligence analyst with Group-IB. Researchers monitored the ValidCC underground forum, including notes published by one member nicknamed "SPR," who communicates with potential buyers.
"Group-IB can judge the group's potential income based on the internal statistics released by one of the card shop's representatives," Okorokov tells Information Security Media Group. "Thus in a single week in late 2019, their weekly revenues appear to have totaled up to $50,000."
The criminal group’s operation of its own underground site to sell payment card data is a significant leap in sophistication compared to other Magecart cybercriminal groups that use malicious JavaScript - also called JS-sniffers - to skim this data from e-commerce checkout sites.
"The fact that the cybercriminals have their own card shop to monetize the data indicates that from a secondary online threat, JS-sniffers turned into a complex one backed by organized crime," Okorokov says.
And while UltraRank has been in operation since at least 2015, the Group-IB report notes that several of its campaigns continue to operate.
The researchers say that the hacking group could be responsible for attacks on nearly 700 e-commerce sites as well as 13 third-party suppliers located in North America, Europe, Asia and other parts of the world. By attacking the suppliers, UltraRank could have infected thousands of other e-commerce sites because these suppliers provide services, such as website design and content management system development, for e-commerce companies.
The Investigation
The Group-IB analysts were tipped off to the UltraRank group in February, when they found five websites created by Florida-based Brandit Agency had been infected with malicious JavaScript, according to the report.
Once those attacks were uncovered, Group-IB began to trace UltraRank's operations and infrastructure over the course of the last five years, including the creation of the underground carding site. As part of this investigation, the analysts also found the group's malicious code on 277 e-commerce sites created by French ad network Adverline.
The Group-IB report notes that UltraRank's malicious code also appeared on numerous ticketing sites for sporting events, such as the 2020 Olympics, which were later canceled due to concerns over the COVID-19 pandemic, according to the report. Many of the targeted sites were built using Adobe's Magento content management system (see: Surge in JavaScript Sniffing Attacks Continues).
Since discovering UltraRank's activities, Group-IB has alerted the owners of many of these e-commerce sites as well as law enforcement in the U.S. and elsewhere, Okorokov says.
A Powerful Criminal Group
When Group-IB started its investigation in February, the analysts found that many attacks attributed to various Magecart groups over the years were actually the work of one group - UltraRank. The analysts drew their conclusions after examining the evolution of the malicious JavaScript involved in these incidents as well as similar domains used and information described on the underground carding forum, Okorokov says.
"The group in the focus of Group-IB's report was previously perceived by cybersecurity researchers as three different Magecart groups due to its frequent and drastic changes of infrastructure," Okorokov tells ISMG. "The continuous monitoring of underground forums and card shops, thorough analysis of the maximum possible number of existing JS sniffer samples, as well as the search for new website infections enabled Group-IB experts to determine that these were simply three separate campaigns of the same hacker group."
As part of its analysis, the Group-IB researchers looked at three campaigns linked to UltraRank. The earliest of these dates to 2015, while the newest started in September 2018 and continues to this day, according to the report. UltraRank is likely to have been involved in other skimming attacks as well, the researchers say.
In each of the three campaigns, the Group-IB analysts found malicious JavaScript code that had been injected into online e-commerce sites and used to steal payment card data. Each attack had similar methods to hide server locations, dynamically change the IP address and store the JavaScript code at multiple locations using various domain names, according to the report.
"By injecting malicious code into the scripts of the products offered by these companies, which were subsequently placed on the web resources of online stores, cybercriminals were able to intercept customer bank card data on all online stores where the infected scripts were used," the Group-IB report notes.