Named UltraRank by Group-IB, the threat actor has launched at least three campaigns since 2015, including one that appears to be ongoing. While each campaign relied on different pieces of malware to steal card data, researchers found evidence linking them to the same group, including similar domain registration patterns, mechanisms for hiding servers, and storage locations for malicious code. The malware families observed by Group-IB were named FakeLogistics, WebRank and SnifLite.
“Over five years, UltraRank repeatedly changed its infrastructure and malicious code for stealing bank card data, as a result of which researchers would wrongly attribute its attacks to other threat actors,” Group-IB noted in its report.
The cybersecurity firm’s analysis showed that UltraRank hacked into nearly 700 websites, as well as 13 service providers in the Americas, Europe and Asia. The impacted service providers include web design firms, marketing agencies, and advertising and browser notification services.
In one attack, identified in February 2020, the attackers breached the systems of a US-based marketing firm, The Brandit Agency, and planted their JS sniffers on the websites created by the company for five of its customers, including T-Mobile.
Last year, the cybercriminals compromised over 270 websites after breaching the systems of France-based ad network Adverline. They also targeted Block and Company, the largest manufacturer of cash handling products in North America.
JS sniffer malware is designed to steal payment card information from the customers of online stores. Group-IB says it currently tracks nearly 100 JS sniffer families, more than double compared to a year earlier.
Many cybercrime groups involved in these types of attacks make a profit by using the stolen card data to acquire goods that they can sell, or they sell the card data directly to others. UltraRank, however, has set up its own card shop, called ValidCC. The cybercrime shop made as much as $7,000 in a single day, the cybercriminals claimed last year.
Group-IB said one of the threat group’s representatives used English to write on underground forums, but they would sometimes also communicate in Russian.