Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
RiskIQ continuously investigates incidents of digital crime as we observe them on the web. Monitoring changes to crime groups and the evolution of their tactics is essential to continue to detect them effectively and stay ahead of the bad guys. With Magecart, we followed the crime syndicate’s first group and carefully analyzed its skimming code. As new Magecart groups materialized with unique code and tactics, we built on our Magecart base knowledge to get better and better at detecting Magecart and other forms of web skimming.
In this article, we will discuss our insights into a criminal group that maximizes their profit by working in two ecosystems that are typically distinct: phishing and web skimming. By leveraging a tactic with which they had tons of experience, phishing, they could double-dip into one with which they had less expertise, web skimming.
By combining tactics, this group was playing with a full deck when it came to stealing financial data—introducing Full(z) House.
Here, Malwarebytes published an article highlighting a small piece of this group’s activity in card skimming.
When different criminal ecosystems intersect, the overlap typically lies in the same place: the end goal of accruing profits.
At times, we find criminal groups operating for a long time in one particular ecosystem dip their toe in another and experiment with new methods of monetizing. For example, last year, Magecart Group 4, which seemed to operate in a banking malware ecosystem, began performing card skimming attacks. More recently, RiskIQ observed a group making a jump from the world of phishing into card skimming. We’ve named this group “Fullz House” based on the two parts of their operation:
This group isn’t new to the phishing ecosystem, however, the activities and infrastructure we highlight in this article mostly come from heightened activity starting in August-September of 2019.
Again, this group’s activities are split into two sections:
To fully dissect this group, we should begin with how RiskIQ observes its two activities, especially how they overlap. We can best explain the operational overlaps with this diagram:
While the two parts of this group’s operation are mainly split, there is a slight overlap in their attack infrastructure on domain-to-IP address resolution data, which is shown in the middle. The “sales platforms” this group operates also have infrastructure overlap with the infrastructure tied to the group’s operations that steal cards or payment credentials.
Digging deeper, it’s clear the group has learned some lessons along the way about hiding from researchers. Now, they separate their infrastructure better and even started hiding their stores behind new CloudFlare infrastructure. Unfortunately for them, RiskIQ’s historical data enabled us to trace them back to their old infrastructure and expose their flawed op-sec.
Now, let’s dive into the specifics of this double-sided operation and see how it all ties together.
To sell fullz—PII and combined financial information—you first have to harvest it. At least a portion of BlueMagicStore’s inventory comes from active phishing campaigns targeting customers of various financial institutions. The phishing pages are relatively typical, but two things are noteworthy:
While the group uses many different domains, their favorite phishing target remains PayPal.
To get card data to sell, the criminals perform web-skimming. Anyone who reads the RiskIQ blog knows that this isn’t a new attack vector, but, for us, new web-skimming campaigns are always interesting to see. What makes these operators especially fascinating is that they wrote their own skimmer, which is something we don’t often see anymore. The majority of criminals rely on skimming kits, buying pre-made skimmers from others—there are only a handful of operators now that maintain their own code.
Typically, the Fullz House skimmer is loaded from a hostname on a domain controlled by the group from a file named “ga.js,” which might be an attempt to blend into the page as a Google Analytics script. Here’s an example of the skimmer script tag on a compromised store:
Curiously, this skimmer doesn’t work like most modern skimmers, which wait for the victim to complete their purchase by hitting the “Purchase” or “Place Order” button. Fullz House’s skimmer works the way the first-ever skimming group pioneered skimmed back in 2014: by hooking to every input field they can find and waiting for an input change to check if there’s data to steal. This implementation is primitive and works more like a keylogger with data validation than a skimmer. As we mentioned, these criminals are new at skimming and figuring it out as they go.
Once the skimmer has found valuable payment data, it exfiltrates it by sending it to the “drop location,” the place where the criminals collect it. The stolen data is packaged and masqueraded as an image that is being included in the page. The URL of this fake image follows this format:
https://<skimmer domain>/ga.php?analytic=<base64 encoded data>
While we have been observing skimmers since 2014, there are always new things happening in this ecosystem as criminals innovate. Despite their primitive skimmers, Fullz House has also innovated, leveraging their unique cybercrime know-how to introduce a clever technique that performs a man-in-the-middle (MITM) attack on e-commerce transactions.
On the same domains from which they serve skimmers, the group sets up a page with a template mimicking a known payment processor. Here’s how it works:
The process is simple but not something we observed much before Fullz House’s operation—especially not in the clever way the stolen payment data is exfiltrated. It appears the group decided to not waste their development investment in the skimmer like many Magecart groups. Instead, they repurposed the skimmer for their payment processor/phishing man-in-the-middle page.
If you look at the exfiltrated payment data, you can see it goes to the same location that the skimmer would send its data, and even the way the page sends out the stolen payment data, through a fake image, is exactly the same:
The only difference from the exfiltration of the skimmer and the payment processor phishing page is at the end of the process. Once finished:
This repurposing of their skimming code shows that this group operates on its own, and leverages its unique expertise to develop its own tools by innovating a new (additional) way of stealing payment information from e-commerce with man-in-the-middle phishing attacks.
We’ll be keeping a close eye on this group as it evolves, and as well as new groups that borrow their tactics.
Often, criminals with connections will not make use of regular hosting providers and instead use what is referred to as “bulletproof hosting.” These hosters promise to provide better uptime regardless of takedown requests and also promise to shield the customer from any legal fallout directed at the servers related to criminal activities stemming from their use.
Due to the shady use of bulletproof hosting, we often find curious overlap in IPs used by what seem to be separate groups, which means we have to be extra careful about corroborating links between individual pieces of threat infrastructure. However, sometimes see overlaps that do indicate a legitimate connection.
One of these overlaps is between the Fullz House group and a carding shop called “StewieShop.” StewieShop is advertised very publicly:
When pivoting Fullz House infrastructure, we can find its public domain hosted with IP overlap for some of the financial phishing domains:
On the same infrastructure, we can also find a dump store called “The Infinity Base”:
This store shares IP space with Stewie666 and all the other infrastructure on the same IP pivot point—but also on other IPs related to crime over a long period. All this overlap gives the impression the IP space is littered with bad guys. However, when you take a look at a timeline of when all these stores were registered and setup, a theme emerges.
The timeline shows these stores were all set up in sequence and are, besides CardHouse, relatively new. For this reason, along with the direct overlap in IP space, we feel strongly that there is a deeper connection amongst them.
A final note on the hosting of these carding shops and the skimming/phishing infrastructure, RiskIQ’s extensive repository of passive DNS and WHOIS data, our internal Yellowpages, have a lot of addresses for the bad actors using these services. Soon, we’ll build out another report on the connections we’re seeing.
Magecart and other forms of web-skimming is an ever-evolving cybercrime beast that is not going away because it’s too profitable.
At RiskIQ, we have been chronicling Magecart and other web-skimming groups and chronicling changes in tools and tactics. The Fullz group crossed over from the phishing ecosystem to bring an entirely new skill set to the online skimming game. Creating fake external payment pages masquerading as legitimate financial institutions and then redirecting victims to these phishing pages to fill out their payment data adds a new element to the web-skimming landscape. This new skimming/phishing hybrid threat tactic means that even stores that send customers to external payment processors are vulnerable.
RiskIQ’s datasets provide a fuller picture of this group’s activities. We are not only able to observe and detect the skimmer and phishing activity and the affected sites, but we can also track them through the infrastructure they use both today and in the past. RiskIQ’s passive DNS data allows us to find where their financial phishing domains overlap with several carding shops as well as when these shops were created and where they’re hosted.
Ultimately, the picture that emerges is of a well-connected group that has access to bulletproof hosting, is schooled in the world of phishing, and, although new to web-skimming, has the cunning to make a niche for themselves.
We’ve combined all the IOCs in one list, but the list does not include the domains for the two stores the group operates. Keep in mind that there could be historical hits on these IOCs not because of a phishing attack, but because the store was visited. Also, keep in mind that the activity around this infrastructure begins in the second half of August.
Note that we list domains in the IOCs, not hostnames. The operators of this group do use individual hostnames for different attacks. Still, because the bad guys wholly own the domains, a domain hit regardless of the full hostname should be regarded as an incident to investigate.
The IOCs are shared through our RiskIQ Community platform. There is no need to log in, as guest access is enabled allowing easy access to the IOCs, which can be found here: https://community.riskiq.com/projects/66a3d10a-3625-4464-b0ea-4ba870eb2863
RiskIQ is the leader in attack surface management. We help organizations discover, understand, and mitigate exposures across all digital channels.
“(...) RiskIQ has been able to track much more of the bad guy’s infrastructure used in their scam operations. We’ve identified around 400 domains so far that are all tied to these scams.” - @ydklijnsma
WHAT JUST HAPPENED? Security pros offered a range of opinions about the breach. All agreed the fault did not lie with each hacked account's owner. Some say it may have come from inside @Twitter.
@BradyDale and @benjaminopowers report
Targeted #cyberthreats are spiking during #COVID19. We provide one source for information to simplify and accelerate your investigation process #ThreatHunting https://bit.ly/3c9xKoq
RiskIQ researchers just doubled the number of IoCs in the Pastebin. Please continue to monitor it for updates as this situation evolves https://pastebin.com/h64CK3CG #twitterhack #twitterhacks #ThreatIntel #IOCs
Just in case my last tweet got lost in the thread storm, @RiskIQ's list of domains apparently tied to this scam gives us a pretty good idea of who was targeted here. https://pastebin.com/h64CK3CG
This is developing very quickly, but seems to have been staged well in advance. Take a look at some these domains set up to support this scam. H/T @RiskIQ https://twitter.com/ydklijnsma/status/1283508384335925248
Leveraging @RiskIQ's datasets we have identified more infrastructure tied to the current cryptocurrency scammers impacting @elonmusk , @billgates, etc. This is research data, validate before taking action, it might identify new targets also.
At this point we can just assume the entire platform compromised. https://twitter.com/ydklijnsma/status/1283503695796162560
And they've just crossed the cryptocurrency boundary https://twitter.com/ydklijnsma/status/1283501318917611521