[BreachExchange] UltraRank Digital Skimming Group Hit Hundreds of Sites

[Destry Winant]

https://www.infosecurity-magazine.com/news/ultrarank-digital-skimming-group/

 Security researchers have uncovered a major new digital skimming
group responsible for compromising hundreds of websites and multiple
suppliers in a five-year period.

Dubbed “UltraRank” by Singapore-based security outfit Group-IB, the
group’s activity was previously associated with Magecart Groups 2, 5
and 12, according to a new blog post.

However, these were in fact separate campaigns by UltraRank, with
number two dating back to 2015 and number 12 ongoing to this day, the
vendor claimed.

Over that time, the group changed its infrastrucrture and malware,
throwing researchers off the scent. However, some elements stayed the
same.

“In all three campaigns similar mechanisms to hide the threat actors’
server location and resembling patterns of domain registration were
used. In addition, several storage locations for malicious code with
identical contents were discovered in all the campaigns,” noted
Group-IB.

“What distinguishes the three operations is the choice of JS sniffer
family employed — FakeLogistics in Campaign 2, WebRank in Campaign 5
and SnifLite in Campaign 12.”

Unusually for digital skimmer groups, UltraRank attacked both
individual websites/organizations and supply chain players. Group-IB
claimed to have identified 691 separate websites infected by the group
plus 13 third-party providers of services including advertising and
browser notification, web design, marketing and website development.

UltraRank “went far beyond the notion of ordinary JS sniffer
operators,” by developing a separate business model. Rather that
laundering funds by buying and reselling expensive goods, or selling
to carders, the group monetized stolen data through an affiliated card
shop: ValidCC.

Group-IB claimed that the administrator of ValidCC appears to be a
Russian speaker.

ValidCC claims to have made $5000-$7000 per day in one week in 2019.

The JS-sniffer market is seeing massive interest on the cybercrime
underground, with the number of distinct malware families having
doubled over the past year to reach 96 today, Group-IB warned.

“Today, JS sniffers represent the end product of the evolution of
tools intended for the compromise of bank card data, considerably
decreasing the resource-intensity of such attacks,” concluded the
firm’s threat intelligence analyst, Victor Okorokov.

“In the coming years, we will definitely see the growth in the use of
this malicious instrument since many online shops and service
providers still neglect their cybersecurity, using outdated CMSs that
have vulnerabilities.”