Credit-card skimming malware has been detected on the website of a mobile virtual network operator (MVNO).
Headquartered in Oklahoma, Boom! Mobile is a wireless provider that sells contract-free cell phone plans to its customers.
“Once decoded, the URL loads a fake Google Analytics script from paypal-debit[.]com/cdn/ga.js. We quickly recognized this code as a credit card skimmer that checks for input fields and then exfiltrates the data to the criminals.”
Once the data has been exfiltrated, the skimmer removes the fake image from the webpage, and the phishing page redirects the user to the real payment processor.
Researchers noted that the domain and code used to attack Boom! Mobile had been used in a previous attack in which threat actors used decoy payment portals “set up like phishing pages.”
The threat group that hit the MVNO was tracked by RISKiQ under the nickname “Fullz House.” In cyber-criminal slang, “fullz” is a term used by bad actors and data resellers to describe full packages of individuals’ identifying information for sale on the dark web.
At the end of last month, Malwarebytes researchers noticed a number of new domains that appeared to be connected to the same threat group, who are also tracked as Magecart Group 4 in 2019.
Researchers believe the criminals could have gained access to Boom! Mobile’s site because, according to Sucuri, it was running PHP version 5.6.40, which hasn’t been supported since January last year.
“This may have been a point of entry but any other vulnerable plugin could also have been abused by attackers to inject malicious code into the website,” noted researchers.
Despite reporting the skimming attack to Boom! Mobile through the company’s live chat and via email, Malwarebytes has not received a response.
“Their website is still compromised and online shoppers are still at risk,” warned researchers.