Boom! Hacked Page on Mobile Phone Website is Stealing Customers Card data

If you’re in the market for a new mobile phone plan, it’s best to avoid turning to Boom! Mobile. That is unless you don’t mind your sensitive payment card data being sent to criminals in an attack that remained ongoing in the last few hours.

- Advertisement -

According to researchers from security firm Malwarebytes, Boom! Mobile’s boom.us website is infected with a malicious script that skims payment card data and sends it to a server under the control of a criminal group researchers have dubbed Fullz House. The malicious script is called by a single line that comprises mostly nonsense characters when viewed with the human eye.

When decoded from Base64 format, the line translates to paypal-debit[.]com/cdn/ga.js. The JavaScript code ga.js masquerades as a Google Analytics script at one of the many fraudulent domains operated by Fullz House members.

“This skimmer is quite noisy as it will exfiltrate data every time it detects a change in the fields displayed on the current page,” Malwarebytes researchers wrote in a post published on Monday. “From a network traffic point of view, you can see each leak as a single GET request where the data is Base64 encoded.”

Scrambling the data into Base64 strings helps to conceal the actual content. Decoding the strings is trivial and is done once the Fullz House members have received it.

Boom! Hacked Page on Mobile Phone Website is Stealing Customers Card data
Boom! Hacked Page on Mobile Phone Website is Stealing Customers Card data
- Advertisement -

How, precisely, the malicious line got added to the Boom! Website is not clear. As Malwarebytes noted, this site security checker from security company Sucuri shows that Boom.us is running PHP 5.6.40, a version that hasn’t been supported since January 2019 and has known security vulnerabilities. It’s possible that attackers found a way to exploit one or more PHP security flaws, but there may be other explanations as well.

The name Fullz House is a nod to Fullz, which is slang for the full or complete data from a credit or debit card. Typically, a full includes the holder’s full name and billing address; card number, expiration date and security code; and often a Social Security number and birth date. A Fullz sells for much more in underground markets than only partial information. Malwarebytes said it has seen Fullz House operate before.

People considering buying a new phone plan should steer clear of Boom!, at least until the skimmer script is removed. Antivirus protection from Malwarebytes and some other providers will also provide a warning when users are visiting a site that’s infected with one of these skimmers. Boom! Representatives didn’t respond to messages seeking comment for this post.

Also Read:

YOU MIGHT LIKE

Oppo Reno 5 Pro 5G could Come with Quad Camera Specifications

There is a lot of buzz around Oppo’s next flagship smartphone series, oppo Reno 5. Already, the smartphone series has appeared in multiple leaks...

Xiaomi India Black Friday sale

Xiaomi has announced that it will be holding a Black Friday sale in India, starting from November 26, which will go on till November...

2FA bypass discovered in web hosting software cPanel

Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers. The...

YouTube 8K Streaming Support Reportedly Rolling Out to Select Android TV Users

YouTube is reportedly rolling out 8K streaming support for select Android TV users as part of the company’s plans to possibly bring the feature to all users everywhere. According...

PUBG Mobile India was Recently Registered as a Company and Launch Soon

PUBG Mobile is one of the leading mobile battle royale titles. The game has amassed a massive fan base worldwide and holds a special place...

Leave A Reply

Please enter your comment!
Please enter your name here