The gang sells credit card information through an affiliate card store, earning tens of thousands of dollars a week.
UltraRank changed tactics
Group-IB security researchers say the UltraRank team has changed its tactics and infrastructure several times over the years. All of this made the group difficult to identify, because it was not clear with whom and with which campaigns to link it.
In a technical report released this week, the researchers provide evidence that UltraRank is the team behind the incidents attributed to the Magecart team.
In three long-term campaigns launched in 2015, 2016 and 2018, the gang was able to "plant" JS-sniffers on 691 individual high-traffic sites, such as sporting event resale sites.
The group's three campaigns, which Group-IB named FakeLogistics, WebRank and SnifLite, were based on JS sniffers. They also shared some capabilities and infrastructure, commonalities that made it possible to detect the malicious activity when the group's first attacks occurred:
- similar methods for hiding the location and patterns for domain registration
- storing the same malicious code in multiple locations with different domain names
- targeted attacks
The starting point of the investigation was the host "toplevelstatic[.]com", which hosted a JS sniffer used to compromise The Brandit Agency. The same domain stored files used in attacks against other online shops.
Group-IB is almost certain that the UltraRank team is behind these three campaigns, but researchers believe it may be involved in other campaigns as well.