'UltraRank' Gang Sells Card Data It Steals

Group-IB Finds Hacking Group Attacked Hundreds of Checkout Sites
Unlike other cybercriminal gangs under the "Magecart" umbrella, which steal payment card data from e-commerce sites and then either sell it through a third-party carding site or use it to buy goods, UltraRank created its own carding shop, called ValidCC, to sell the stolen card data to other fraudsters, the Group-IB report notes.
During a single week in 2019, for example, the gang collected between $5,000 and $7,000 a day by selling payment card data that it had stolen from e-commerce sites, says Victor Okorokov, a threat intelligence analyst with Group-IB. Researchers monitored the ValidCC underground forum, including notes published by one member nicknamed "SPR," who communicates with potential buyers.
"Group-IB can judge the group's potential income based on the internal statistics released by one of the card shop's representatives," Okorokov tells Information Security Media Group. "Thus in a single week in late 2019, their weekly revenues appear to have totaled up to $50,000."
"The fact that the cybercriminals have their own card shop to monetize the data indicates that from a secondary online threat, JS-sniffers turned into a complex one backed by organized crime," Okorokov says.
UltraRank has been in operation since at least 2015, and the Group-IB report notes that several of its campaigns are still active.
The researchers say that the hacking group could be responsible for attacks on nearly 700 e-commerce sites as well as 13 third-party suppliers located in North America, Europe, Asia and other parts of the world. By attacking the suppliers, UltraRank could have infected thousands of other e-commerce sites because these suppliers provide services, such as website design and content management system development, for e-commerce companies.
Once those attacks were uncovered, Group-IB traced UltraRank's operations and infrastructure over the past five years, including the creation of the underground carding site. As part of this investigation, the analysts also found the group's malicious code on 277 e-commerce sites that loaded scripts from the French ad network Adverline.
Since discovering UltraRank's activities, Group-IB has alerted the owners of many of these e-commerce sites as well as law enforcement in the U.S. and elsewhere, Okorokov says.
A Powerful Criminal Group
"The group in the focus of Group-IB's report was previously perceived by cybersecurity researchers as three different Magecart groups due to its frequent and drastic changes of infrastructure," Okorokov tells ISMG. "The continuous monitoring of underground forums and card shops, thorough analysis of the maximum possible number of existing JS sniffer samples, as well as the search for new website infections enabled Group-IB experts to determine that these were simply three separate campaigns of the same hacker group."
As part of its analysis, the Group-IB researchers looked at three campaigns linked to UltraRank. The earliest of these dates to 2015, while the newest started in September 2018 and continues to this day, according to the report. UltraRank is likely to have been involved in other skimming attacks as well, the researchers say.
"By injecting malicious code into the scripts of the products offered by these companies, which were subsequently placed on the web resources of online stores, cybercriminals were able to intercept customer bank card data on all online stores where the infected scripts were used," the Group-IB report notes.