28 November 2019

Fullz House threat group mixes phishing and web skimming to maximize profits

A group under the Magecart umbrella, known as Fullz House, has switched its focus from solely selling 'fullz' (full packages of stolen personal and financial information) to card-skimming attacks that combine man-in-the-middle (MitM) and phishing techniques to target sites that use external payment processors.

Fullz House is not a new player on the cybercriminal scene, according to researchers from cyber security firm RiskIQ. The threat group has been operating "BlueMagicStore", an underground trading store selling "fullz" or full packages of information, including personally identifiable information and stolen banking data. Fullz House also operates another trading store called "CardHouse" focused on selling credit card details. However, during August and September this year, researchers noticed an overlap in the group’s attack infrastructure that now combines phishing and web skimming techniques.

The researchers said that at least a portion of BlueMagicStore's wares comes from phishing campaigns aimed at customers of various financial institutions. While the phishing pages are relatively typical, they are reconstructions rather than direct copies of the payment providers' pages, and they are part of a framework: Fullz House created a different template mimicking each payment provider, with a single backend handling all of them. Although the group targets multiple domains, it generally prefers PayPal.

According to RiskIQ, unlike other threat groups operating under the Magecart umbrella, Fullz House developed its own skimmer – a rare occurrence nowadays, as the majority of criminals prefer pre-made skimmer kits built by others, and only a few operators still maintain their own skimming code.

However, the implementation of the Fullz House skimmer appears somewhat primitive, with functionality resembling the first skimmers discovered back in 2014. The researchers say the skimmer works more like a keylogger, waiting for an input change to see whether there is data to steal. The gathered information is then sent to a "drop location" where the criminals collect it.

“Despite their primitive skimmers, Fullz House has also innovated, leveraging their unique cybercrime know-how to introduce a clever technique that performs a man-in-the-middle (mitm) attack on e-commerce transactions,” the researchers noted.

The attack works like this: the group sets up a page with a template mimicking a known payment processor. When a victim attempts to purchase something on a compromised store, the e-commerce site redirects them to the fake payment page, which is used to trick them into finalizing the payment there. Once the visitor enters their payment information on the rogue page and hits the "Pay" button, the data is sent to the attacker's server, and the user is then redirected to the legitimate payment processor's page, where they can complete the purchase.
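A defender-side check for the redirect step described above, added here as an example and not code from RiskIQ or from the group: it parses a store's checkout page for form actions and script-driven redirects and flags any hand-off whose host is not on the store's own allow-list of payment processors. The allow-list, the sample page and the lookalike host in it are constructed for illustration and are not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of hosts this store legitimately hands shoppers to.
PAYMENT_ALLOWLIST = {"www.paypal.com"}

# Constructed checkout page: a genuine PayPal form, plus a script that diverts
# the submit to a lookalike host (placeholder domain, not a real indicator).
SAMPLE_CHECKOUT_HTML = """<html><body>
<form id="pay" action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input name="cc" type="text"></form>
<script>
document.getElementById('pay').onsubmit = function () {
  window.location = 'https://paypal-secure-checkout.example/pay';
};
</script></body></html>"""

# JavaScript assignments that navigate the browser somewhere else.
_REDIRECT_RE = re.compile(
    r"""(?:window\.location|location\.href|document\.location)\s*=\s*['"]([^'"]+)['"]""")


class _HandoffCollector(HTMLParser):
    """Collects every URL the page could hand the shopper off to."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        action = dict(attrs).get("action")
        if tag == "form" and action:
            self.urls.append(action)
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive here as raw text
            self.urls.extend(_REDIRECT_RE.findall(data))


def find_rogue_payment_handoffs(html, allowlist=PAYMENT_ALLOWLIST):
    """Return absolute hand-off URLs whose host is not an approved processor.
    Relative URLs stay on the store's own origin and are not flagged."""
    collector = _HandoffCollector()
    collector.feed(html)
    return [u for u in collector.urls
            if (h := urlparse(u).hostname) and h.lower() not in allowlist]
```

Running the check on every deploy of the checkout page, or on a periodic fetch of it, turns an unexpected payment host into an alert rather than a silent diversion.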

“The Fullz group crossed over from the phishing ecosystem to bring an entirely new skill set to the online skimming game. Creating fake external payment pages masquerading as legitimate financial institutions and then redirecting victims to these phishing pages to fill out their payment data adds a new element to the web-skimming landscape. This new skimming/phishing hybrid threat tactic means that even stores that send customers to external payment processors are vulnerable,” the research team warned.
