Warning over Fullz House Magecart threat group using phishing and web skimming to compromise web payments
Fullz House Magecart threat group has branched out from selling 'Fullz' - full packages of information - on underground trading sites
Security researchers have issued a warning over a threat group, named Fullz House, which has started using both phishing and card skimming techniques to compromise web payment pages.
Fullz House is not a new threat group, according to researchers from cyber security firm RiskIQ. It has been operating "BlueMagicStore", an underground trading store, for at least a year to sell "fullz" or full packages of information, including personally identifiable information and stolen financial information of online users.
Fullz House also operates another trading store called "CardHouse" to sell credit card details.
However, the researchers say they noticed an uptick in the activity of Fullz House in around August-September this year, when the group decided to add web skimming to its arsenal.
Prior to that, the group had been using only phishing techniques to steal personally identifiable information and banking details for sale online
The phishing techniques used by Fullz House are highly efficient. They have created templates of payment provider pages and a single backend handles all of them. While the group has been targeting multiple sites, PayPal appears to be their favourite domain to target.
The card skimming features of their operation are similar to others. The group has written their own skimmer code, something that is rarely seen among Magecart operators. Most cyber criminals now rely on pre-made skimmer kits built by others, and only a few operators now maintain their own skimming code.
But the implementation of the Fullz House skimmer appears somewhat primitive. It imitates a Google Analytics script and works more like a keylogger, waiting for an input change to see whether there's data to steal. The stolen data is then relayed to a 'drop location' where it is packed and disguised as an image file.
The group is also updating its skimmers to execute a man-in-the-middle attack on transactions.
After visitors proceed to a payment page on a compromised website, they are redirected to a bogus transaction page operated by Fullz House. As soon as the payment info is entered, the visitor is sent back to the authentic payment page of the website to complete the transaction.
Neither the customer nor the compromised website knows that something malicious occurred during the transaction.