A group under the Magecart umbrella, known as Fullz House, has switched its focus from solely selling 'Fullz' (full packages of information) to card skimming attacks mixing MiTM and phishing attacks to target sites using external payment processors.
Fullz House is not a new player on the cybercriminal scene, according to researchers from cyber security firm RiskIQ. The threat group has been operating "BlueMagicStore", an underground trading store selling "fullz" or full packages of information, including personally identifiable information and stolen banking data. Fullz House also operates another trading store called "CardHouse" focused on selling credit card details. However, during August and September this year, researchers noticed an overlap in the group’s attack infrastructure that now combines phishing and web skimming techniques.
The researchers said that at least a portion of BlueMagicStore’s wares comes from phishing campaigns aimed at customers of various financial institutions. While the phishing pages are relatively typical, they are reconstructions, not direct copies of the payment provider(s) pages, also, the pages are part of a framework. Fullz House created different templates mimicking every payment provider, with single backend handling all of them. Although the group targets multiple domains, generally it prefers PayPal.
According to RiskIQ, unlike other threat groups operating under Magecart umbrella, Fullz House developed its own skimmer – a rare occurrence nowadays, as the majority of criminals prefer pre-made skimmer kits built by others, and only a few operators now maintain their own skimming code.
However, the implementation of the Fullz House skimmer appears somewhat primitive, with code functionality resembling the first kinds of skimmers discovered back in 2014. The researchers say that the skimmer works more like keylogger, waiting for an input change to see whether there is data to steal. The gathered info then sent to a “drop location” where the criminals collect it.
“Despite their primitive skimmers, Fullz House has also innovated, leveraging their unique cybercrime know-how to introduce a clever technique that performs a man-in-the-middle (mitm) attack on e-commerce transactions,” the researchers noted.
The attack works like this: the group sets up a page with a template mimicking a known payment processor. When victims attempt to purchase something on a compromised store, the e-commerce redirects them to a fake payment page used to trick victims to finalize the payment. Once the visitor enters their payment information on the rogue page and hits the “Pay” button, the data is sent to the attacker’s server, and the user is then redirected to a legitimate payment processor’s page where they can complete the purchase.
“The Fullz group crossed over from the phishing ecosystem to bring an entirely new skill set to the online skimming game. Creating fake external payment pages masquerading as legitimate financial institutions and then redirecting victims to these phishing pages to fill out their payment data adds a new element to the web-skimming landscape. This new skimming/phishing hybrid threat tactic means that even stores that send customers to external payment processors are vulnerable,” the research team warned.