UltraRank: Steals credit cards from hundreds of online stores

A hacking team that specializes in infecting online stores to steal credit card data is responsible for hacking about 700 websites. The gang, called UltraRank, has been active since at least 2015 and uses web skimmers: malicious JavaScript code also known as JS sniffers.

The gang sells credit card information through an affiliate card store, earning tens of thousands of dollars a week.


UltraRank changed tactics

Group-IB security researchers say the UltraRank team has changed tactics and infrastructure several times over the years. This made the group difficult to identify, as researchers did not know which operations and which campaigns to link to it.

In a technical report released this week, researchers provide evidence that UltraRank is the team behind the incidents attributed to the Magecart team.

In three long-term campaigns launched in 2015, 2016 and 2018, the gang was able to "plant" JS-sniffers on 691 individual high-traffic sites, such as sporting event resale sites.

However, this number is conservative given the group's breach of 13 ISPs. The 13 providers are probably used by thousands of websites worldwide.

Among those victims are the French advertising company Adverline and The Brandit Agency, a marketing company that creates websites using the Magento platform.


The group's three campaigns, which Group-IB named FakeLogistics, WebRank and SnifLite, were based on JS sniffers. They also shared capabilities and infrastructure, commonalities that made it possible to detect malicious activity from the time the group's first attacks occurred:

  • similar methods for hiding the location and patterns for domain registration
  • storing the same malicious code in multiple locations with different domain names
  • targeted attacks

The starting point of the investigation was the host "toplevelstatic[.]com", which hosted a JS sniffer used to compromise The Brandit Agency. The same domain stored files used in attacks against other online shops.

Group-IB is almost certain that the UltraRank team is behind these three campaigns, but researchers believe it may be involved in other campaigns as well.


Teo Ehc