Hacker group attacks mobile phone website and steals customers' credit card info

Hacker group attacks mobile phone website and steals customers’ credit card info

Are you on the hunt for a new mobile phone plan? Well, you better steer clear of Boom! Mobile’s website.

Why? Unfortunately, a hacker group attacked the website and stole customers’ credit card info.

The credit card skimming group, Fullz House, has compromised and injected the website of US mobile virtual network operator, Boom! Mobile, using a credit card stealer script.

Boom! Mobile provides American consumers with postpaid and prepaid no-contract wireless services that work with the country’s largest cellular networks such as AT&T, T-Mobile, and Verizon.

The website has been hit with what is known as the MageCart attack, aka web skimming or e-skimming. The scheme consists of threat actors putting malicious JavaScript scripts within the compromised website –– in this case the Boom! Mobile’s website.

These scripts will then be used by the hackers to steal payment or personal info, including the customers’ credit card details that were submitted on the site through e-commerce forms.

Read: Beware!!! This Windows 7 end-of-support phishing campaign steals passwords

Boom! Mobile’s website is still infected with malicious scripts

Researchers from the security firm, Malwarebytes, said that the website is still infected with malicious scripts. The scripts skim credit card data and sends this data to a server that is under control of a criminal group; in this case, Fullz House.

The malicious script is called by a single line that is comprised mostly of characters that won’t make sense to the eyes of a regular viewer.

The malicious scripts found on Boom! Mobile’s website

When the malicious script was decoded using the Base64 format, the line translates to paypal-debit[.]com/cdn/ga.js. Now, the JavaScript code ga.js poses as a Google Analytics script at one of the fraudulent domains controlled by Fullz House members.

More scripts in the website that skims customers’ credit card info

Malwarebytes researchers published on Monday that, “this skimmer is quite noisy as it will exfiltrate data every time it detects a change in the fields displayed on the current page. From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded.”

Putting the scripts into Base64 strings helps conceal its true identity. Decoding the strings is tricky and is done once the Fullz House members have received it.

How exactly did the malicious line get added into Boom! Mobile’s website is still unknown. However, Malwarebytes noted, Boom!’s security checker from the security company, Sucuri, revealed that Boom.us is running PHP 5.6.40 version. This version has not been supported since January 2019 and has many known vulnerabilities.

It’s feasible that the attackers found a way to exploit one or more PHP security flaws; however, there might be another explanation.

You might want to consider getting a new mobile plan from another provider

If you have been considering a new phone plan, you might want to widen your options and steer clear of Boom!’s, at least until the malicious scripts have been completely removed.

Additionally, according to Malwarebytes, anti-virus protection software will also help in providing users with a warning when they are visiting a website that is infected with one of these skimming schemes.

Representatives from Boom! Mobile have yet to respond to this security issue.

Leave a Reply

Your email address will not be published. Required fields are marked *