UltraRank hackers compromised 100s of websites via JS-Sniffer attacks

The cybercriminal group dubbed as “UltraRank’ previous shenanigans were linked to Magecart Groups 2, 5, and 12.

A Singapore based cybersecurity firm Group-IB has uncovered a huge digital skimming group that is responsible for conducting JS-sniffer campaigns on more than hundreds of websites and numerous third party suppliers for the past five years.

The cybercriminal group dubbed as “UltraRank’ previous shenanigans were linked to Magecart Groups 2, 5, and 12. The association was made on similar grounds wherein, the latter would also insert malicious JavaScript code into e-commerce sites with the aim to steal sensitive credit card information and other details from payment forms that were submitted on the checkout web page.

Nevertheless, Group-IB discovered that these were, in fact, three different malicious campaigns that were misattributed to Magecart groups. The revelation ensued when the researchers found out that in February 2020, the hacker group targeted a US-based marketing company called the Brandit Agency. Once intercepted the UltraRank were able to compromise and infect JS-sniffers into five websites created by the agency.

See: Hundreds of counterfeit branded shoe stores hacked with web skimmer

However, the distinction was further made when the hackers in question pursued similar elements in all their campaigns. Which was hiding their command and control server location and analogous patterns of domain registrations were deployed.


Moreover, numerous storage locations for the malicious code ensuing identical contents were found in all the operations. The only differentiation between the three campaigns was the choice of JS-Sniffer; FakeLogistics, WebRank, and SnifLite.

According to a report shared by the company with Hackread.com, in the last five years, the hacker group has compromised almost 700 websites and targeted 13 third party suppliers which include advertising, marketing, and web design agencies located in Asia, Europe Latin, and North America.

Not only this, in order to throw researchers off their scent the group designed their own revenue model which consisted of monetizing or selling the stolen information through a card shop called ValidCC.

Through this, they were able to generate $5000 to $7000 per day in one week in 2019. Besides this, a transaction worth $25000-$30,000 was made to third party suppliers of stolen payment data via ValidCC.

During its activity, UltraRank has built an autonomous business model with a unique technical and organizational structure, as well as its own sales and monetization system for stolen bank card data. The group is not an ordinary player in this criminal market, which is also proven by their methods of competitive struggle: Group-IB experts recorded UltraRank’s attacks on competing groups, as well as on phishing pages imitating card shop associated with cybercriminals.

The researchers made the connection to UltraRank after they discovered comments made on underground forums by a user called ‘SPR’ who claimed he was a representative of the card shop and the stolen information was obtained via JS-sniffer. The user in question posted comments in English but later shifted to Russian.

See: Stolen card data of millions of Wawa customers sold on dark web

One of the Group-IB threat intelligence analysts, Victor Okorokov claims that the use of this malicious instrument will increase in the coming years. This is a notion to websites and online shops to pay utmost attention to their web security and stop using outdated CMS’s that are riddled with vulnerabilities that can be easily exploited.

You can request the report here.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Related Posts